Securing CentOS/cPanel with Sudo
Posted: June 30th, 2009 | Author: Rob Searles | Filed under: Tutorials
I’m primarily an Ubuntu and Debian user; however, I just bought a new VPS server to hold my company’s clients’ websites. For ease of use I chose a cPanel-powered VPS which runs on CentOS 5.2.
I wanted to secure the setup as much as I could, and one way is to disable login via root and use the system I’m more familiar with: Sudo. This was slightly more tricky than I thought, but is still relatively painless once the problems have been worked out.
The steps below show how to add a new user (rob), remove any directories that user doesn’t need, add the user to the sudoers list, fix sudo if it is causing you problems, and disable root login via SSH.
So, without any further delay these are the steps:
1. Create a new user:
$ useradd rob
You might get the following output or something similar:
Creating mailbox file: File exists
If we now ls the home directory, you will see that rob has his own directory:
$ ls /home -l
We now need to give this user a password, otherwise they won’t be able to log in.
$ passwd rob
Changing password for user rob.
New UNIX password:
Enter the password for the user; make sure it is a good, secure one. You’ll then be prompted to confirm the password:
Retype new UNIX password:
And finally a message that it was a success:
passwd: all authentication tokens updated successfully.
You should now be able to ssh into the server as the new user. Open a new terminal and test.
2. Remove Unneeded directories
If we have a look in the rob directory, you might see that two unneeded directories have been created: public_html and public_ftp. I think this is a cPanel issue as it assumes users will have websites, but I’ll have to check on that.
As this user doesn’t need a website or public ftp space we can safely remove them:
$ rm /home/rob/public_* -Rfv
Please note: be VERY careful whenever using the rm command with the recursive (-R) and force (-f) flags. Please make sure the paths are correct.
3. Add the user into the sudoers list
So you can now ssh into the server as the new user, but you won’t be able to do anything administrative. You’ll need to add the user into the sudoers list.
In your root session enter the command:
$ visudo
This opens the sudoers config file for editing; when you close it, visudo checks that the file is correctly formatted.
You will need to add the following line near the bottom of the file:
rob ALL=(ALL) ALL
I tend to add this directly below the line for root:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
Save and exit, and your sudoers list is now updated. Now test out sudo in the rob session. I normally run free to test this out as it.
$ sudo free -m
When I did this I was confronted with the following error message:
sudo: must be setuid root
After some Googling, this appears to be a problem with the permissions of the sudo binary. If you have a look at the permissions for this file with the root session:
$ ls -l /usr/bin/sudo
The output should be along the lines of:
-rwsr-xr-x 1 root root 154672 Jun 30 07:11 /usr/bin/sudo*
If it is not, you’ll have to make sure it is:
$ chown root:root /usr/bin/sudo
$ chmod 4755 /usr/bin/sudo
Try sudo again from rob’s session:
$ sudo free -m
audit_log_user_command(): Connection refused
             total       used       free     shared    buffers     cached
Mem:          1024        237        786          0          0          0
-/+ buffers/cache:        237        786
Swap:            0          0          0
$
Looks like it’s all working fine. However, if you notice, before the free command is actually run you get a warning:
audit_log_user_command(): Connection refused
Again, after some Googling it turns out that this is OK and won’t break anything. According to this post on linuxblog.org, it is simply because this feature isn’t compiled into the CentOS kernel.
4. Disable SSH access for root
From a comment within a blog post about securing CentOS, I decided to increase security by disabling root access from SSH, not disabling the root account altogether, just in case it affected anything cPanel might do.
Edit the ssh config file. You can do this either in your new user’s session or within the root session:
$ sudo nano /etc/ssh/sshd_config
or
$ nano /etc/ssh/sshd_config
Near the bottom of the file, add the following line:
PermitRootLogin no
Restart the SSH server:
$ /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Now open a new ssh session for root (best keep the existing one open in case anything goes wrong)
$ ssh root@;
root@'s password:
Permission denied, please try again.
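Step 4 adds the line near the bottom of the file, but sshd uses the first value it reads for each keyword, so an earlier uncommented PermitRootLogin line would take precedence over the new one. The script below is an added example (not part of the original post) that reports which value wins; the function names and sample configs are constructed for illustration, and the Match-block check goes beyond the post and only matters on OpenSSH versions that support Match.

```shell
#!/bin/sh
# Added example, not from the original post. sshd keeps the FIRST value it
# reads for each keyword, so a "PermitRootLogin no" appended near the bottom
# loses to an earlier uncommented "PermitRootLogin yes".

# Print the global (pre-Match) PermitRootLogin value, or "unset" if absent.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        { sub(/=/, " "); key = tolower($1) }   # "Keyword=value" is also valid
        key == "match" { exit }                # global section ends here
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only if the global value is "no" and no Match block re-enables it.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ] || return 1
    ! awk '
        /^[ \t]*#/ { next }
        { sub(/=/, " "); key = tolower($1) }
        key == "match" { in_match = 1 }
        in_match && key == "permitrootlogin" && tolower($2) != "no" { hit = 1 }
        END { exit !hit }                      # exit 0 when an override exists
    ' "$1"
}

# Constructed sample configs (hypothetical contents, for illustration only).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin yes' 'UsePAM yes' \
    'PermitRootLogin no' > "$tmp/shadowed"        # appended line is ignored
printf '%s\n' '#PermitRootLogin yes' 'UsePAM yes' \
    'PermitRootLogin no' > "$tmp/hardened"
printf '%s\n' 'PermitRootLogin no' 'Match Address 10.0.0.0/8' \
    '    PermitRootLogin yes' > "$tmp/match_override"

for f in shadowed hardened match_override; do
    if root_login_disabled "$tmp/$f"; then verdict=disabled; else verdict=CHECK; fi
    printf '%-15s global=%-5s %s\n' "$f" \
        "$(effective_permit_root_login "$tmp/$f")" "$verdict"
done
```

On the server, point the functions at /etc/ssh/sshd_config; running sshd -t checks the file's syntax before the restart.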
5. Final Thoughts
I haven’t fully tested the CentOS/cPanel combination with the root account disabled for SSH. I cannot guarantee that strange things will not happen. But for the time being it seems to be doing OK, and I feel that it is slightly more secure.
One thing to note is that if you ever move servers to another cPanel host and you want to copy accounts across from the old server to the new, you may have to re-enable the root account on the old server to allow cPanel to copy the account across.
Anyway, I hope someone finds this useful.




















