Skip to main content

Receiving SSH login alert emails for user that has shell access disabled

postcd
Hello, i would like to ask if i can anyhow completelly disable shell access to user. As im receiving emails from config server firewall with subject "SSH login alert for user USERNAMEHERE from IPHERE" and in the content is "Method: keyboard-interactive/pam authentication" while i have disabled SSH access for that cpanel user account in WHM? (i go to account modiffy page and i see "Shell Access" unticked.. I did commands: # cat /etc/passwd | grep bfzagjtm bfzagjtm:x:849:858::/home/bfzagjtm:/usr/local/cpanel/bin/noshell then i did: # usermod -s /sbin/nologin bfzagjtm then again: # cat /etc/passwd | grep bfzagjtm bfzagjtm:x:849:858::/home/bfzagjtm:/sbin/nologin but im still receiving that SSH login emails here is SSH log:
# tail /var/log/secure Mar 10 10:43:28 hostname sshd[1633]: pam_unix(sshd:session): session closed for user bfzagjtm Mar 10 10:43:53 hostname sshd[6789]: Accepted keyboard-interactive/pam for bfzagjtm from IPHERE port 50383 ssh2 Mar 10 10:43:53 hostname sshd[6789]: pam_unix(sshd:session): session opened for user bfzagjtm by (uid=0) Mar 10 10:43:53 hostname sshd[6822]: subsystem request for sftp Mar 10 10:44:55 hostname sshd[6789]: pam_unix(sshd:session): session closed for user bfzagjtm Mar 10 10:46:00 hostname sshd[8189]: Accepted keyboard-interactive/pam for bfzagjtm from IPHERE port 46570 ssh2 Mar 10 10:46:00 hostname sshd[8189]: pam_unix(sshd:session): session opened for user bfzagjtm by (uid=0) Mar 10 10:46:01 hostname sshd[8210]: subsystem request for sftp Mar 10 10:47:03 hostname sshd[8189]: pam_unix(sshd:session): session closed for user bfzagjtm Mar 10 10:58:29 hostname usermod[16040]: change user 'bfzagjtm' shell from '/usr/local/cpanel/bin/noshell' to '/sbin/nologin'
should i block that IP or can i do anything else?

Comments

1 comment

Date Votes
  • cPanelMichael
    Hello, This is the expected behavior. Upon login, the user will receive a notification such as: Shell access is not enabled on your account! If you need shell access please contact support
    You can restrict SSH access to specific IP addresses via the "Host Access Control" option in Web Host Manager if you want to block the login completely. Thank you.
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post