When you install WHM on a fresh server, you need to take care of most of the security aspects by yourself. The ConfigServer Firewall is a great starting point for this. One of the actions you must take early on is restricting root logins via SSH. This may seem like throwing the baby out with the bath water because there are many actions you need to take with root permissions via SSH. However, there are ways to accomplish this without resorting to a direct root login. So why is this important? What harm is there if you have a secure enough password?
The problem lies in the fact that the “root” user name is a constant across all boxes, which means that attackers only need to guess one part of the equation. It’s kind of like having the “admin” user name enabled in WordPress. Attackers can constantly probe your application with different passwords while being confident that the username is accurate. Apart from the fact that someone might eventually guess your password, it also creates a constant strain on your server, which has to repeatedly validate perhaps thousands of login attempts at a time. Here’s an example of an SSH window with root logins enabled:
If you’ve configured your firewall correctly, you should start getting e-mails notifying you of brute force attacks on your server. In just a short span of time you can suddenly receive hundreds of notifications, as I found out soon enough. Here’s a screenshot of my Gmail inbox swamped with them:
The “lfd” that you see is the “Login Failure Daemon”, which scans the log file entries and warns you of brute force attacks. To minimize this dangerous attack vector, it’s best to disable root logins via SSH entirely. Here’s how you go about it.
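What lfd does in the passage above is count failed logins per source address in the SSH log and alert once a source passes a threshold. The shell snippet below is an added example, not lfd’s code or anything from this article: it runs the same kind of count over a few constructed sample lines in the format sshd writes to /var/log/secure (the addresses are documentation ranges, not real hosts) and lists the sources that crossed a threshold. It is handy for seeing exactly what lfd is alerting on before and after you make the change.

```shell
#!/bin/sh
# Added example, not lfd's code: count failed root logins per source address in
# sshd log lines and flag the sources past a threshold. The sample lines below
# are constructed to match the /var/log/secure format; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG='Jan 10 03:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:14:04 web1 sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan 10 03:14:06 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 10 03:14:09 web1 sshd[2104]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Jan 10 03:14:11 web1 sshd[2105]: Failed password for root from 198.51.100.7 port 40010 ssh2'

# Print "count ip" for every source that failed to authenticate as root,
# most frequent first. $1 is the log text.
failed_root_logins_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for root from / {
            # the address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print the source addresses with at least $2 failed root logins, one per line:
# the same decision lfd makes before it sends the "brute force" e-mail.
brute_force_sources() {
    failed_root_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Against a live server you would feed the real log instead, for example:
#   brute_force_sources "$(cat /var/log/secure)" 5
```

The count keys on the address rather than on the user name because, with root logins enabled, the user name is the same in every line and carries no information; the source address is what the firewall can actually act on.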
Modifying the Config File
One thing that WHM lacks is a solid file explorer. Earlier, I talked about using the ConfigServer Explorer, written by the same people who maintain the ConfigServer Firewall. But you can use any editor of your choice, including “vi” from the SSH shell. The file that we’re looking for is called:
Note the “d” at the end of the first part of the filename. There’s another one called “ssh_config” without it. Using the file explorer/editor of your choice, open up this file after creating a backup, just in case something goes wrong. Once you have it in front of you, search for the following line:
Remove the “#” symbol in front of it so that it is no longer a comment as shown in the screenshot below. Once done, save and exit.
Even though the configuration for SSH has changed, this by itself does not make the changes effective immediately. We need to manually restart the service so that it reloads the updated configuration file. Fortunately, we can do this easily from within WHM itself. Search for the “Restart Services” section within WHM on the left-hand side and scroll down to the “SSH Server (OpenSSH)” option at the end.
Click it and confirm that you want to restart the service:
This will take a few seconds. Once you have the confirmation, fire up your SSH program once again and try to log in as root. If everything went correctly, you should now get an “Access Denied” message when you try to log in as the root user.
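The same edit, as an added shell example that is mine and not the article’s. It assumes the file the article is pointing at is the standard OpenSSH server file /etc/ssh/sshd_config and that the line in question is the PermitRootLogin directive; both are assumptions about this page, though they are the standard names. The script takes a backup, rewrites the directive to “PermitRootLogin no” whatever value the existing line carries (commented or not), adds a global directive if the file has none, and is safe to run twice. Restart the service afterwards from WHM exactly as described above; the config is not live until then.

```shell
#!/bin/sh
# Added example (not from the article): make an sshd_config-style file refuse
# root logins, idempotently, with a backup. Assumes the file the article refers
# to is /etc/ssh/sshd_config and the directive is PermitRootLogin.
set -u

# Print the PermitRootLogin value sshd will actually use: the FIRST occurrence
# outside any Match block wins. Prints "unset" when no global directive exists.
effective_permit_root_login() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Set PermitRootLogin to "no" in the given file. Handles a commented default
# ("#PermitRootLogin yes"), an explicit "yes", and a missing directive; backs the
# file up first and leaves an already-hardened file untouched. Returns 0 on success.
harden_sshd_root_login() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    [ "$(effective_permit_root_login "$cfg")" = "no" ] && return 0

    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$cfg.tmp.$$"

    # Rewrite every PermitRootLogin line, commented or not, as "PermitRootLogin no".
    # Only deleting the "#" would keep whatever value the line already carried,
    # so the value is replaced as well.
    sed -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*$/PermitRootLogin no/' "$cfg" > "$tmp"

    # If there still is no global directive (none existed, or it only appeared
    # inside a Match block), prepend one: sshd takes the first value it sees.
    if [ "$(effective_permit_root_login "$tmp")" != "no" ]; then
        { printf 'PermitRootLogin no\n'; cat "$tmp"; } > "$tmp.2" && mv "$tmp.2" "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Optional: ask sshd itself to parse the result before restarting. It needs the
# host keys to be readable, so run it as root on the server, not in a sandbox.
check_sshd_config() {
    sshd -t -f "${1:-/etc/ssh/sshd_config}"
}

# Usage on the server (then restart the service from WHM as the article describes):
#   harden_sshd_root_login /etc/ssh/sshd_config && check_sshd_config
```

Run `check_sshd_config` before the restart: a typo in sshd_config that stops the service from starting leaves you with no SSH at all, and the backup the script wrote is what you restore from. On newer OpenSSH builds the main file may also `Include` a drop-in directory, in which case the effective value can come from one of those files rather than from the line you edited.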
This takes care of the root SSH access vulnerability. But now how do you perform root level operations via SSH without being able to login as such? The answer is to allow other users to take over the root functionality and profile while bypassing WHM’s inherent restriction on such an action. We’ll take a look at how to do that in the next article.