SSH Access when noshell is on?

Posted by wmowat, 12-20-2009, 10:00 PM
I got a notification from CSF that said: SSH login alert for user... I checked the account in WHM and it says noshell. How is this possible? Only 1 trusted user has shell access and this isn't that user... any ideas?

Posted by DiegoRBaquero, 12-20-2009, 10:02 PM
What hosting provider do you use? I remember that something similar happened today.

Posted by activelobby4u, 12-21-2009, 01:24 AM
Did he actually log in, or was it a try? Check your secure logs to find this out.

Posted by fwaggle, 12-21-2009, 01:52 AM
I'm not sure, but I believe "noshell" type things simply return immediately on execution... therefore a user with a bad shell is actually able to "log in" via SSH if they enter the correct password, they just can't do anything because the shell immediately exits.

Posted by laswatech, 12-21-2009, 05:48 AM
I believe it should be a failed login alert. Kindly check and let us know.

Posted by madaboutlinux, 12-21-2009, 07:15 AM
That looks to me like a successful login attempt notification. I would recommend editing the /etc/passwd file and setting instead of for the user OR using the 'usermod' command.

Posted by BTCentral - Ben, 12-21-2009, 07:18 AM
A successful CSF login will have a subject something along the lines of this: lfd on : SSH login alert for user from

However, if the login fails a number of times, the subject would be this: lfd on : blocked

Therefore from the OP's post, it sounds like it was the former here. If I were you, first thing I would do is run chkrootkit or similar to try and determine if the server has been compromised or not. I would also recommend checking your /etc/passwd file to make sure that there are not users with shell access there that should not have. It may also be worthwhile checking what happens when /usr/local/cpanel/bin/noshell is executed, because there is always the possibility that it may have somehow been replaced with a working one. Hope this helps.

Edit: madaboutlinux has posted some very useful suggestions above too, definitely check them out.

Last edited by BTCentral - Ben; 12-21-2009 at 07:24 AM.

Posted by LDHosting, 12-21-2009, 07:36 AM
You will also get that message from CSF if the user logged into SFTP. Check your /var/log/secure and see if the login shows something similar to:

Posted by WebHostingNeeds, 12-23-2009, 03:30 PM
Run

Posted by Steven, 12-23-2009, 06:18 PM
Noshell allows a full login to the server, but it doesn't drop into a shell. It informs the user to ask their host for shell access. It will show up as a real login.

Posted by ZenMonk, 12-24-2009, 01:48 AM
Does the command `last` report the access?
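
An added example, not part of the original thread: the check several replies point to, cross-referencing sshd result lines of the kind found in /var/log/secure with each account's shell field in /etc/passwd, so an accepted login for a noshell account is told apart from a failed attempt or a real shell login. The log lines, passwd entries, account names and addresses are constructed, and the function names are this example's own.

```python
import re

# Shells that exit instead of giving a prompt (the cPanel path is from the thread).
NON_INTERACTIVE = {"/usr/local/cpanel/bin/noshell", "/sbin/nologin", "/bin/false"}

SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_passwd(text):
    """Map user name -> login shell (7th colon-separated field of /etc/passwd)."""
    shells = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#"):
            shells[fields[0]] = fields[6]
    return shells

def triage(log_text, passwd_text):
    """Return (user, ip, verdict) for every sshd auth result line in log_text."""
    shells = parse_passwd(passwd_text)
    findings = []
    for m in SSHD_AUTH.finditer(log_text):
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            verdict = "failed-attempt"
        elif user not in shells:
            verdict = "accepted-unknown-account"
        elif shells[user] in NON_INTERACTIVE:
            verdict = "accepted-credentials-valid-no-shell"
        else:
            verdict = "accepted-interactive-shell"
        findings.append((user, ip, verdict))
    return findings

# Constructed sample data (not from the thread).
SAMPLE_PASSWD = """\
trusted:x:500:500::/home/trusted:/bin/bash
clientsite:x:501:501::/home/clientsite:/usr/local/cpanel/bin/noshell
"""
SAMPLE_LOG = """\
Dec 20 21:40:02 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Dec 20 21:58:13 host sshd[4188]: Accepted password for clientsite from 198.51.100.23 port 51544 ssh2
Dec 20 22:03:45 host sshd[4230]: Accepted publickey for trusted from 192.0.2.10 port 50022 ssh2
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG, SAMPLE_PASSWD), sep="\n")
```

To run it on a server, pass the contents of /var/log/secure and /etc/passwd to `triage` in place of the sample strings.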


