
Unauthorised SSH Login on Demo Account?

Comments

11 comments

  • cPanelMichael
    Hello, To clarify, those notifications are coming from CSF/LFD as opposed to cPanel. Are you sure the notification isn't suggesting a failed login attempt as opposed to a successful login? You can review the /var/log/secure log file to see if the user successfully logged in at that time. The following thread is useful for overall SSH security: [Tutorial] Interested in increasing the security of your server? Read this. (sshd hardening) Thank you.
  • Harlequin
    It's identical to the notifications I receive when I log in over SSH, so yes, it's a login alright. Not a happy bunny guys. I had to shut the website down and now I have no idea if that login then uploaded anything without my knowledge. I hope it's a false positive report but think it's unlikely.
  • Harlequin
    This gets interesting... I checked the log file as you suggested and saw this entry for the IP address:

        serv sshd[18020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=37.78.111.37 user=cPanelAccountNameHere

    So either LFD is reporting a login falsely and cPanel is correct or cPanel is reporting a failure and LFD is correct if my maths is right. What do you think...?
  • Infopro
    Changing your SSH port / Listening IP address might be helpful.
  • Harlequin
    Change the port...? I have 2 available ports in the privileged list and there's a plethora of posts out there on why I shouldn't do that too. But before I get into that. Could you answer my question please. I'm trying to be as specific as I can and I'm a bit concerned that you just ignored my response and suggested I change the port number. I may be being a bit thick here but it seems to me that one of the reports is false, but which one...?
  • cPanelMichael
    I checked the log file as you suggested and saw this entry for the IP address:

        serv sshd[18020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=37.78.111.37 user=cPanelAccountNameHere

    That shows a login failure. CSF/LFD will report login attempts, but that doesn't mean the login was successful. As far as any cPanel notifications, could you post them to this thread as well? I'm only seeing the notification from CSF/LFD. Thank you.
  • Harlequin
    I know that shows a login failure but LFD shows a login success: "SSH login alert for user..." So which is right is my question. You can understand my concern, no...?
  • Harlequin
    That shows a login failure. CSF/LFD will report login attempts, but that doesn't mean the login was successful. As far as any cPanel notifications, could you post them to this thread as well? I'm only seeing the notification from CSF/LFD. Thank you.

    Here's the entry from the "secure" log:

        Apr 23 08:17:09 serv unix_chkpwd[18023]: password check failed for user (xxxcPanelUsernamexxx)
        Apr 23 08:17:09 serv sshd[18020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=37.78.111.37 user=xxxcPanelUsernamexxx
        Apr 23 08:17:10 serv sshd[18020]: Failed password for xxxcPanelUsernamexxx from 37.78.111.37 port 50213 ssh2
        Apr 23 08:17:16 serv sshd[18021]: Received disconnect from 37.78.111.37: 13: User request
  • Infopro
    Change the port...? I have 2 available ports in the privileged list and there's a plethora of posts out there on why I shouldn't do that too.

    Changing the SSH port number and the IP address from the one your demo is on is a valid idea. This is explained in the link Michael posted above: [Tutorial] Interested in increasing the security of your server? Read this. (sshd hardening)
    But before I get into that. Could you answer my question please. I'm trying to be as specific as I can and I'm a bit concerned that you just ignored my response and suggested I change the port number. I may be being a bit thick here but it seems to me that one of the reports is false, but which one...?

    The secure log entry stating the login failed is the one to go with. You can set CSF to auto block after 3 failed SSH login attempts. In your demo account, have you restricted any features or just enabled a demo account? Is the SSH icon visible? Could it be that someone was properly logged in and was clicking around as an authenticated user? I'm just guessing here as I've never played around with a demo account. That is, other than the official cPanel demo site. IMHO, you might be more comfortable linking to that official cPanel demo instead of offering your own.
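The two open questions in this thread, whether the address in the "secure" log ever completed a login and whether it reached the "block after 3 failed SSH logins" threshold Infopro mentions, can both be answered mechanically from sshd's own "Failed password" / "Accepted ..." lines. The script below is an added example, not code from the forum, cPanel or CSF. The sample log is constructed: it reuses the poster's placeholder username and the 37.78.111.37 address from the excerpt above, adds two more failures from that address, and adds one invented successful public-key login from the documentation address 203.0.113.5 so the contrast is visible. Function names and the threshold default of 3 are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the thread's /var/log/secure excerpt.
# The pam_unix and unix_chkpwd lines are kept so the parser demonstrates
# that only sshd's own verdict lines are used for the outcome.
SAMPLE_SECURE_LOG = """\
Apr 23 08:17:09 serv unix_chkpwd[18023]: password check failed for user (xxxcPanelUsernamexxx)
Apr 23 08:17:09 serv sshd[18020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=37.78.111.37 user=xxxcPanelUsernamexxx
Apr 23 08:17:10 serv sshd[18020]: Failed password for xxxcPanelUsernamexxx from 37.78.111.37 port 50213 ssh2
Apr 23 08:17:16 serv sshd[18021]: Received disconnect from 37.78.111.37: 13: User request
Apr 23 08:20:01 serv sshd[18100]: Failed password for xxxcPanelUsernamexxx from 37.78.111.37 port 50220 ssh2
Apr 23 08:20:05 serv sshd[18101]: Failed password for invalid user admin from 37.78.111.37 port 50221 ssh2
Apr 23 09:02:11 serv sshd[18200]: Accepted publickey for root from 203.0.113.5 port 40112 ssh2
"""

# sshd writes exactly one of these per authentication attempt; "invalid user"
# appears when the account does not exist on the host.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def parse_sshd_events(log_text):
    """Return (outcome, user, ip, method) tuples for each sshd auth verdict line.

    outcome is 'failed' or 'accepted'. pam_unix / unix_chkpwd lines are
    deliberately ignored: they describe a step inside an attempt, while the
    sshd 'Failed'/'Accepted' line is the final result of that attempt.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(("failed", m.group(1), m.group(2), "password"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(("accepted", m.group(2), m.group(3), m.group(1)))
    return events


def summarise_by_ip(events):
    """Per-IP counts of failed and accepted logins plus the usernames tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for outcome, user, ip, _method in events:
        summary[ip][outcome] += 1
        summary[ip]["users"].add(user)
    return summary


def did_ip_log_in(events, ip):
    """The poster's question: did this address ever complete a login?"""
    return any(o == "accepted" and e_ip == ip for o, _u, e_ip, _m in events)


def ips_over_threshold(events, limit=3):
    """Addresses whose failed attempts reached the limit.

    Mirrors the idea of CSF's block-after-N-failed-SSH-logins setting; the
    default of 3 is the number quoted in the thread, chosen here as an example.
    """
    return sorted(ip for ip, s in summarise_by_ip(events).items() if s["failed"] >= limit)


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_SECURE_LOG)
    for ip, s in summarise_by_ip(evs).items():
        print(f"{ip}: failed={s['failed']} accepted={s['accepted']} users={sorted(s['users'])}")
    print("37.78.111.37 completed a login:", did_ip_log_in(evs, "37.78.111.37"))
    print("addresses at or over the failure limit:", ips_over_threshold(evs))
```

Run against a real `/var/log/secure` by replacing `SAMPLE_SECURE_LOG` with the file's contents; an address that appears only with "failed" outcomes, as 37.78.111.37 does in the excerpt, never authenticated, whichever alert wording CSF/LFD used.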
  • Harlequin
    Using the official demo sounds like a plan as clearly this isn't going to get resolved. Could you provide that link please...?
  • Infopro
    On top right of any page on these forums or cPanel.com, the link is titled Preview.