cPanel Security Advisor

Comments

15 comments

  • sarath8372
    Hello,

    > 1 - Apache vhosts are not segmented or chroot()ed. But when I search for "jailapache" I found it greyed out and cannot turn it on.

    • This option is only available if you compile Apache through EasyApache and installed mod_ruid2 version 0.9.4a or later. So you will need to install mod_ruid2 to be able to enable the option.
    • You can use this option with CentOS or RHEL 5, 6, or 7, or Amazon Linux. The mod_ruid2 module is not compatible with CloudLinux.
    • This option is unavailable on systems that run CentOS or RHEL 5 with 256 or more users. Warning: cPanel strongly recommends not to use the setting with CentOS or Red Hat Enterprise Linux (RHEL) 5, because these operating systems distribute older kernels with limitations. The Linux kernel versions for these operating systems and the number of bind mounts that VirtFS requires make it difficult to ensure system stability.

    Refer: Tweak Settings - Security - Documentation - cPanel Documentation.

    > 2 - No symlink protection detected. I was reading the documentation, but is there some easy instruction to do it?

    The best option would be mod_ruid2 + jailshell. For that, you will need to compile Apache (through EasyApache) and install mod_ruid2 first (also required for the 1st one). Then enable "EXPERIMENTAL: Jailshell Virtual Hosts using mod_ruid2" and "cPanel jailshell" in WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings). Refer: Symlink Race Condition Protection - EasyApache - cPanel Documentation.

    So 1 and 2 require mod_ruid2 installed. Please note that enabling mod_ruid2 will automatically disable Cache, Disk Cache, Cache Disk, MemCache, Mod FastCGI v2.3.9, Mono, Tomcat, and UserDir. I wouldn't recommend installing mod_ruid2 if you do not know how to administer it. You can find full documentation of mod_ruid2 at: Apache Module: ModRuid2 - EasyApache - cPanel Documentation.

    > 3 - The MySQL service is currently configured to listen on all interfaces: (bind-address=*) I opened /etc/my.cnf but couldn't find bind-address=127.0.0.1

    Simply add it, if my.cnf doesn't already have bind-address defined.

    > 4 - SSH direct root logins are permitted. I couldn't find PermitRootLogin in /etc/ssh/sshd_config, should I add it? How?

    Yes, you can add it:

        PermitRootLogin no

    If you are disabling root login, you can use wheel users to access the server via SSH. Once logged in, you can switch to root. Please refer: Manage Wheel Group Users - Documentation - cPanel Documentation
  • 0
  • psytanium
    sarath8372 Thank you for the explanations, I appreciate it. I think I should learn more about
    0
  • sarath8372
    Hello, did you restart the SSH service after modifying /etc/ssh/sshd_config?
    0
  • cPanelMichael
    > I modified the file sshd_config but the advisor is still giving the same error.

    Hello, did you restart SSH after making the changes to the file? Also, please ensure you review the following document:
    0
  • psytanium
    Yes I restarted the SSH service
    0
  • masun
    Just from experience, I installed mod_ruid2 on a server and it broke several scripts and software and I had to uninstall it. I would recommend upgrading to Cloud Linux to resolve that issue.
    0
  • cPanelMichael
    > Yes I restarted the SSH service

    Were any of the instructions in the document helpful? You can post the contents of your /etc/ssh/sshd_config file in CODE tags here, but remember to hide any identifying server information, and to hide any custom ports you have configured. Thank you.
    0
  • psytanium
    > Were any of the instructions in the document helpful? You can post the contents of your /etc/ssh/sshd_config file in CODE tags here, but remember to hide any identifying server information, and to hide any custom ports you have configured. Thank you.

    # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandRunAs nobody

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes

    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    #UsePAM no
    UsePAM yes

    # Accept locale-related environment variables
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem sftp /usr/libexec/openssh/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #   X11Forwarding no
    #   AllowTcpForwarding no
    #   ForceCommand cvs server
    UseDNS no
    Match User root
    PasswordAuthentication yes
    0
  • cPanelMichael
    Hello, You can change the following line:
    #PermitRootLogin no
    To:
    PermitRootLogin no
    Then, restart SSH, and check "WHM >> Security Advisor" again to see if the warning persists. Keep in mind this disables authentication via SSH as "root". Thank you.
    0
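The fix above is to uncomment `PermitRootLogin no`, and the config psytanium posted shows why the advisor kept complaining: `PermitRootLogin` appeared only as a comment, and the file ends with a `Match User root` block that turns `PasswordAuthentication` back on for root even though it is `no` globally. The script below is an added example, not cPanel's, OpenSSH's or either poster's code; it resolves a sshd_config the way sshd does (comments count for nothing, the first value of a keyword wins, a matching `Match` block overrides the global value) and reports how root can authenticate. The embedded sample config is constructed to mirror the posted one, and only the `User` and `Address` Match criteria are modelled.

```python
"""Resolve sshd_config the way sshd does, then audit how root may log in.

Added example (not cPanel's or OpenSSH's code). It models three sshd
rules: a commented-out keyword sets nothing; for each keyword the FIRST
value in the file wins; a matching 'Match' block overrides the global
value. Only the 'User' and 'Address' Match criteria are handled, and
cumulative keywords (AcceptEnv, HostKey, Port, ListenAddress, Subsystem)
are treated as single-valued; both are simplifications of this example.
"""
import fnmatch
import re
import sys

# Constructed sample mirroring the shape of the config posted in the thread:
# PermitRootLogin exists only as a comment, password authentication is off
# globally, and a trailing Match block turns it back on for root.
SAMPLE_SSHD_CONFIG = """\
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
UseDNS no
Match User root
PasswordAuthentication yes
"""

_KEYVAL = re.compile(r"^(\S+?)[ \t=]+(.*)$")  # 'Keyword value' or 'Keyword=value'


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: lower-cased keyword -> first value seen in the file.
    match_blocks: [(criteria, settings), ...] in file order, where criteria
    maps a lower-cased criterion name to its pattern ('user' -> 'root').
    """
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # '#PermitRootLogin no' lands here
        m = _KEYVAL.match(line)
        key, value = (m.group(1).lower(), m.group(2).strip()) if m else (line.lower(), "")
        if key == "match":
            tokens = value.split()          # 'Match all' yields no criteria at all
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}
            current = {}
            match_blocks.append((criteria, current))
            continue
        target = current if current is not None else global_settings
        target.setdefault(key, value)       # first occurrence wins, later ones are ignored
    return global_settings, match_blocks


def _criterion_matches(actual, patterns):
    """sshd-style comma-separated glob list; a leading '!' negates a pattern."""
    if actual is None:                      # unsupported or unknown criterion: no match
        return False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(actual, pat.lstrip("!")):
            return not negated
    return False


def effective_settings(parsed, user=None, address=None):
    """Settings sshd would apply to a connection for `user` from `address`."""
    global_settings, match_blocks = parsed
    connection = {"user": user, "address": address}
    from_match = {}
    for criteria, settings in match_blocks:
        if all(_criterion_matches(connection.get(k), v) for k, v in criteria.items()):
            for key, value in settings.items():
                from_match.setdefault(key, value)   # first matching block wins per keyword
    effective = dict(global_settings)
    effective.update(from_match)                    # Match values override global ones
    return effective


def audit_root_login(parsed):
    """Return human-readable findings about how root can authenticate over SSH."""
    eff = effective_settings(parsed, user="root")
    prl = eff.get("permitrootlogin")
    pwd = eff.get("passwordauthentication", "yes")  # sshd's default is yes
    findings = []
    if prl is None:
        findings.append("PermitRootLogin is not set explicitly (a commented line counts "
                        "for nothing), so sshd's compiled-in default applies")
    elif prl.lower() == "no":
        findings.append("PermitRootLogin no: root cannot log in over SSH or SFTP at all")
    else:
        findings.append("PermitRootLogin %s: root logins are allowed" % prl)
    root_can_login = prl is None or prl.lower() not in (
        "no", "without-password", "prohibit-password", "forced-commands-only")
    if root_can_login and pwd.lower() == "yes":
        findings.append("PasswordAuthentication yes applies to root (a Match User root block "
                        "overrides the global setting), so root may authenticate by password")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    for finding in audit_root_login(parse_sshd_config(text)):
        print("-", finding)
```

Run it against a real file with `python resolve_sshd.py /etc/ssh/sshd_config` and compare its output with the daemon's own view, `sshd -T -C user=root`, which prints the effective settings for that connection; `sshd -t` checks the syntax before the restart that every edit to sshd_config needs.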
  • psytanium
    Same results:

    # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandRunAs nobody

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes

    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    #UsePAM no
    UsePAM yes

    # Accept locale-related environment variables
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem sftp /usr/libexec/openssh/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #   X11Forwarding no
    #   AllowTcpForwarding no
    #   ForceCommand cvs server
    UseDNS no
    Match User root
    PasswordAuthentication yes
    0
  • psytanium
    The advisor status still exists, but now I cannot connect through FileZilla! How can I undo the changes?
    0
  • cPanelMichael
    Are you using FileZilla to access the server via SSH? You can revert the change you made to the SSH configuration file and then restart SSH. As mentioned, making that change disables authentication via SSH as the "root" user. Thank you.
    0
  • psytanium
    Now I cannot connect to the server via FileZilla. I can log in to WHM as root. I cannot log in as root using SSH (PuTTY). I can use a tool from BlueHost, "System Console", very similar to PuTTY but it runs in the browser. I contacted Bluehost; they cannot reset sshd_config. Please let me know how to reverse things. Thanks
    0
  • cPanelMichael
    You may want to try running a temporary instance of SSH to see if it allows you to access your server to investigate:
    https://IP:2087/cpsess12345678/scripts2/doautofixer?autofix=safesshrestart
    You would replace "IP" with the server's IP address and the session number with what's displayed in your address bar after logging in to WHM. Note that this is simply a temporary instance of SSH that will run on a different port, so you can log in and determine what's wrong with the standard SSH service. Thank you.
    0
  • psytanium
    Solved, using "System Console" from BlueHost and the command pico -w /etc/ssh/sshd_config. Then I modified and saved the file.
    0