Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : SSH Access when noshell is on?

[wmowat]

I got a notification from CFS that said:

SSH login alert for user...

I checked the account in WHM and it says noshell.

How is this possible? Only 1 trusted user has shell access and this isn't that user...any ideas?

[Deroba]

What hosting provider do you use?

I remember that something similar happend today

[activelobby4u]

Quote:

Originally Posted by wmowat

I got a notification from CFS that said:

SSH login alert for user...

I checked the account in WHM and it says noshell.

How is this possible? Only 1 trusted user has shell access and this isn't that user...any ideas?

Did he actually login ..or was it a try ?

Check your secure logs to find this out ..

[fwaggle]

I'm not sure, but I believe "noshell" type things simply return immediately on execution... therefore a user with a bad shell is actually able to "log in" via SSH if they enter the correct password, they just can't do anything because the shell immediately exits.

[laswatech]

Quote:

I got a notification from CFS that said:

SSH login alert for user...

I believe it should be a failed login alert. Kindly check and let us know.

[madaboutlinux]

Quote:

Originally Posted by wmowat

SSH login alert for user...

That looks to me a successful login attempt notification. I would recommend editing the /etc/passwd file and setting

Quote:

/sbin/nologin

instead of

Quote:

/usr/local/cpanel/bin/noshell

for the user OR using the 'usermod' command

Quote:

usermod -s /sbin/nologin username

[BTCentral - Ben]

A successful CSF login will have a subject something along the lines of this:
lfd on <hostname>: SSH login alert for user <user> from <ip>

However, if the login fails a number of times, the subject would be this:
lfd on <hostname>: blocked <ip>

Therefore from the OP's post, it sounds like it was the former here.

If I were you, first thing I would do is run chkrootkit or similar to try and determine if the server has been compromised or not.
I would also recommend checking your /etc/passwd file to make sure that there are not users with shell access there that should not have.

It may also be worthwhile checking what happens when /usr/local/cpanel/bin/noshell is executed, because there is always the possibility that it may have somehow been replaced with a working one.

Hope this helps.

Edit: madaboutlinux has posted some very useful suggestions above too, definitely check them out.

[LDHosting]

You will also get that message from CSF if the user logged into SFTP. Check your /var/log/secure and see if the login shows something similar to:

Code:

Accepted password for USERNAME from xx.xxx.xxx.xxx port xxxx ssh2
pam_unix(sshd:session): session opened for user USERNAME by (uid=0)
subsystem request for sftp

[flashwebhost]

Run

Code:

cat /etc/passwd |grep USERNAME
cat /var/log/secure |grep USERNAME

[Steven]

Noshell allows a full login to the server, but it doesn't drop into a shell. It informs the user to ask their host for shell access.

Quote:

root@server [~]# /usr/local/cpanel/bin/noshell
Shell access is not enabled on your account!
If you need shell access please contact support.

It will show up as a real login.

[BarackObama]

Does the command `last` report the access?

Quote:

Originally Posted by wmowat

I got a notification from CFS that said:

SSH login alert for user...

I checked the account in WHM and it says noshell.

How is this possible? Only 1 trusted user has shell access and this isn't that user...any ideas?