Posted by wmowat, 12-20-2009, 10:00 PM | I got a notification from CSF that said:
SSH login alert for user...
I checked the account in WHM and it says noshell.
How is this possible? Only 1 trusted user has shell access and this isn't that user...any ideas?
|
Posted by DiegoRBaquero, 12-20-2009, 10:02 PM | What hosting provider do you use?
I remember that something similar happened today.
|
Posted by activelobby4u, 12-21-2009, 01:24 AM | Did he actually log in, or was it a try?
Check your secure logs to find this out.
|
Posted by fwaggle, 12-21-2009, 01:52 AM | I'm not sure, but I believe "noshell" type things simply return immediately on execution... therefore a user with a bad shell is actually able to "log in" via SSH if they enter the correct password, they just can't do anything because the shell immediately exits.
|
Posted by laswatech, 12-21-2009, 05:48 AM | I believe it should be a failed login alert. Kindly check and let us know.
|
Posted by madaboutlinux, 12-21-2009, 07:15 AM | That looks to me like a successful login attempt notification. I would recommend editing the /etc/passwd file and setting
instead of
for the user OR using the 'usermod' command
|
Posted by BTCentral - Ben, 12-21-2009, 07:18 AM | A successful CSF login will have a subject something along the lines of this:
lfd on : SSH login alert for user from
However, if the login fails a number of times, the subject would be this:
lfd on : blocked
Therefore from the OP's post, it sounds like it was the former here.
If I were you, first thing I would do is run chkrootkit or similar to try and determine if the server has been compromised or not.
I would also recommend checking your /etc/passwd file to make sure that there are not users with shell access there that should not have.
It may also be worthwhile checking what happens when /usr/local/cpanel/bin/noshell is executed, because there is always the possibility that it may have somehow been replaced with a working one.
Hope this helps.
Edit: madaboutlinux has posted some very useful suggestions above too, definitely check them out.
Last edited by BTCentral - Ben; 12-21-2009 at 07:24 AM.
|
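Added example, not part of any post in this thread: one way to carry out the /etc/passwd check suggested above, listing every account whose shell field is not a known non-interactive shell and that is not on a list of users expected to have shell access. The function name, the list of non-login shells (apart from the cPanel noshell path quoted in the thread) and the sample passwd lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Shells treated as "no interactive login". The noshell path comes from the
# thread; the rest are common conventions (an assumption, adjust per server).
NON_LOGIN_SHELLS="/usr/local/cpanel/bin/noshell /sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false /bin/sync /sbin/shutdown /sbin/halt"

# audit_login_shells FILE [EXPECTED_USER...]
# Prints one line per account that has a usable shell but is not expected to.
# FILE is in passwd(5) format; "-" reads standard input.
audit_login_shells() {
    passwd_file=$1; shift
    awk -F: -v deny="$NON_LOGIN_SHELLS" -v allow="$*" '
        BEGIN {
            n = split(deny, d, " ");  for (i = 1; i <= n; i++) nonlogin[d[i]] = 1
            n = split(allow, a, " "); for (i = 1; i <= n; i++) expected[a[i]] = 1
        }
        /^#/ || NF < 7 { next }                  # skip comments and short lines
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"   # empty field defaults to /bin/sh
            if (!(shell in nonlogin) && !($1 in expected))
                printf "%s uid=%s shell=%s\n", $1, $3, shell
        }
    ' "$passwd_file"
}

# Constructed sample data, not taken from any real server.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
trusted:x:500:500::/home/trusted:/bin/bash
siteone:x:501:501::/home/siteone:/usr/local/cpanel/bin/noshell
sitetwo:x:502:502::/home/sitetwo:/bin/bash
sitethree:x:503:503::/home/sitethree:
EOF
}

# Demo on the sample; on a live server: audit_login_shells /etc/passwd root trusted
sample_passwd | audit_login_shells - root trusted
```

An account that passes this check can still authenticate over SSH or SFTP, as other replies in the thread point out, and the check says nothing about whether the noshell binary itself is intact.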
Posted by LDHosting, 12-21-2009, 07:36 AM | You will also get that message from CSF if the user logged into SFTP. Check your /var/log/secure and see if the login shows something similar to:
|
Posted by WebHostingNeeds, 12-23-2009, 03:30 PM | Run
|
Posted by Steven, 12-23-2009, 06:18 PM | Noshell allows a full login to the server, but it doesn't drop into a shell. It informs the user to ask their host for shell access.
It will show up as a real login.
|
Posted by ZenMonk, 12-24-2009, 01:48 AM | Does the command `last` report the access?
|