Server Security

SSH Root Logins, Privilege Escalation and Server Security in cPanel

by Bill Brooks  • 

As you dig deeper into server administration, you’ll eventually need to log into your server via SSH as root. Logging into your server as root allows you to easily accomplish many tasks, but it demands a certain level of security precaution.

SSH root logins offer a huge potential security vulnerability. The root user is the administrative user of a server and has full access to the server. If compromised, the root account provides the malicious user with complete control. Anyone logged into a server with root access can write, erase, edit, upload or download any file. It is an all-access pass to your server, and simply guarding your root password isn’t enough to protect yourself.

There are two ways to mitigate this security concern.

SSH Key Authentication

As discussed in a previous article, SSH key authentication limits root access to only those people on computers with the correct authentication key.

Escalating users to root

The second option is to disable direct root access and configure one or more regular SSH accounts such that users can escalate their privileges to the root level. This provides an extra layer of security, eliminating the possibility that a server can be compromised simply by stealing the password for user: root.

Disabling SSH root logins

Because of the security risks inherent in direct SSH root access, nearly all VPS packages, including ServInt Cloud VPS accounts, will be delivered with direct root access disabled by default. If, for some reason, this is not done by your host, you will need to do disable it from the command line in /etc/ssh/sshd_config. Ask your host for more details before editing this file.

Configuring SSH root escalation for cPanel users

Configuring SSH root escalation for a user in cPanel can be accomplished for any server with SSH access by simply adding that cPanel account to the Wheel Group. To do so:

  1. Log into WHM
  2. Navigate to Security Center » Manage Wheel Group Users
  3. Choose the cPanel user and then click Add to Group.
  4. Once done you will need to restart SSH from WHM via Restart Services » SSH Server (OpenSSH).

Configuring SSH root escalation for non-cPanel users

To configure SSH root escalation for a non cPanel user, you will need to add that user to the wheel group in WHM (above) and then complete one other step: editing the passwd file of your server.

  1. Log into the server with root access
  2. Open the passwd file (located in /etc/passwd)

Note: if you do not know how to open and edit a file directly on the command line, you can learn how to use an editor such as nano.

  1. Each line of the file is for one user. Locate the user you are granting access to and edit the text of that line changing /bin/false to /bin/bash.
  2. Restart SSH service either through WHM as outlined previously or using the command “sshd restart”.

Escalating to root as a superuser

With these steps complete, the user can now escalate to root when logged into the server via SSH with their standard credentials. Once logged into the server via SSH, the user simply types the command “su” (superuser) and hits Return. The user will be prompted for the root password and when entered correctly will become the root user.

As always, if you have any questions, or if you wish to configure a non cPanel server for SSH escalation to root privileges, please fill out a ticket in your customer portal.

Find out more about ServInt solutions

Starting at $69

Comments
  1. Need to log into your server as #root on the command line? Learn how to do it securely in this week's #TechBench. http://t.co/T8C7iaq5dH
  2. Increase your server security by disabling direct root access and creating superusers, in this week's #TechBench. http://t.co/T8C7iaq5dH
  3. [...] another techbench blog article for my company, which they have published.  You can find it here: http://blog.servint.net/2013/05/28/keeping-a-tight-ship-ssh-logins-root-vulnerabilities-and-user-pri... It covers how to set up an SSH user with root escalation privileges on a WHM/cPanel server.  This [...]
    How To: SSH Logins With Root Escalation | Etterack /
  4. SSH Root Logins, Privilege Escalation and Server Security in cPanel http://t.co/gBq900KuWp
  5. SSH Root Logins, Privilege Escalation and Server Security in cPanel http://t.co/Q3rjpvewcx
    servermanagedit /
  6. Configuring root SSH escalation privileges in #cPanel, in this week's #TechBench. http://t.co/T8C7iaq5dH
Start the conversation

Bill Brooks

Bill Brooks

Escalated Technician, ServInt

Bill Brooks is an Escalated Technician and the Continuing Education Facilitator for ServInt’s Managed Services Team. He is a life-long tech enthusiast and enjoys music, video games and hockey on the side.

  • The New York Times
  • The Hill
  • Bloomberg
  • The Seattle Times
  • Computer World
  • Ars Technica
  • MSNBC