Secure Shell (SSH) is a vital tool for server administrators to access and manage servers remotely. However, it's crucial to monitor and manage SSH access to ensure security and prevent unauthorized access. This knowledge base provides comprehensive information on monitoring and managing SSH access in WHM cPanel.

Understanding SSH Access

What is SSH?

SSH is a cryptographic network protocol that provides secure communication over an unsecured network. It allows users to securely connect to a remote server over the internet.

Importance of Monitoring SSH Access

Monitoring SSH access is essential to:

1. Prevent Unauthorized Access: Identify and block unauthorized attempts to access the server.

2. Detect Suspicious Activity: Monitor for any unusual or suspicious behavior related to SSH access.

3. Maintain Server Security: Ensure that only authorized users have access to the server.

Monitoring SSH Access

Access Logs

1. SSH Access Logs:

   • Access logs are stored in /var/log/secure or /var/log/auth.log on most Linux systems.

2. WHM SSH Logs:

   • In WHM, navigate to Home > Security Center > SSH Access.

Configuring SSH Logs in WHM

1. Log Configuration:

   • In WHM, go to Home > Service Configuration > cPanel Log Rotation Configuration.

   • Ensure that SSH logs are configured for rotation and retention.

2. WHM Log Browser:

   • Access WHM > Home > Server Configuration > cPanel Log Browser to view and search logs.

Managing SSH Access

Secure Passwords and Key Authentication

1. Strong Passwords:

   • Encourage users to use complex, unique passwords for SSH access.

2. SSH Key Authentication:

   • Promote the use of SSH keys for more secure authentication.

Configuring SSH Service

1. SSH Configuration File:

   • Modify the SSH configuration file (/etc/ssh/sshd_config) to specify access rules and preferences.

2. Port Changing:

   • Consider changing the default SSH port (22) to a non-standard port to deter automated attacks.

Implementing Fail2Ban

1. Install Fail2Ban:

   • In WHM, go to Home > Security Center > Manage Plugins.

2. Configuring Fail2Ban:

   • Adjust settings in WHM > Home > Plugins > Fail2Ban to ban IP addresses after repeated failed login attempts.

Restricting SSH Access by IP

1. IP Access Control:

   • Use firewall rules or SSH configuration to restrict SSH access to specific IP addresses or ranges.

2. WHM IP Access Control:

   • In WHM, navigate to Home > Security Center > Host Access Control to manage IP restrictions.

Monitoring User Activity

WHM's User Activity Logs

1. Access Logs:

   • View user activity logs in WHM > Home > Security Center > User Activity.

2. Monitor for Suspicious Activity:

   • Look for unusual patterns or repeated failed login attempts.

Using Security Plugins

1. Install Security Plugins:

   • Consider using security plugins like ConfigServer Security & Firewall (CSF) for additional protection.

2. Regular Auditing:

   • Perform regular audits of user accounts and access permissions.

Conclusion

Monitoring and managing SSH access in WHM cPanel is essential for maintaining server security and preventing unauthorized access. By following the guidelines provided in this knowledge base, you can effectively monitor SSH activity, implement security measures, and take proactive steps to ensure the integrity of your server. Regularly reviewing logs and user activity will help maintain a secure and reliable hosting environment.