Archives

Connect to a non-default SFTP port

SFTP, short for SSH (or Secure) File Transfer Protocol, uses port 22 by default. Many servers nowadays use a different port number, such as 2222. This article shows how to connect to an explicit port number using the sftp utility.

The sftp command information:

root@web [~]# sftp
usage: sftp [-1246aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher]
          [-D sftp_server_path] [-F ssh_config] [-i identity_file] [-l limit]
          [-o ssh_option] [-P port] [-R num_requests] [-S program]
          [-s subsystem | sftp_server] host
       sftp [user@]host[:file ...]
       sftp [user@]host[:dir[/]]
       sftp -b batchfile [user@]host

To connect with sftp to a specific port as root, use sftp -P port_number hostname

root@web [~]# sftp -P 2222 test.plothost.com
The authenticity of host '[test.plothost.com]:2222 ([192.168.165.1]:2200)' can't be established.
ECDSA key fingerprint is SHA256:MqoUe1cJlbAqFidXZbV4cSMWfi1meCQ6ZtMiIzZ7yQE.
ECDSA key fingerprint is MD5:06:95:95:63:2f:ea:7a:4c:e7:36:62:73:f6:83:d2:04.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '[test.plothost.com]:2222' (ECDSA) to the list of known hosts.
root@test.plothost.com's password:
Connected to test.plothost.com.
sftp> cd /
sftp> bye
root@web [~]#

To connect with a username, use sftp -P port_number user@hostname
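
How the two fingerprint lines and the '[test.plothost.com]:2222' known-hosts entry in the session above are derived, as an added example that is not part of the original article. It recomputes both fingerprint formats from a public key and checks a pinned known_hosts entry against a fingerprint obtained out of band (for example from the server administrator); the key, the host name sftp.example.test and the function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample: a fake ssh-ed25519 public key blob, not a real host key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = base64.b64encode(_BLOB).decode()
# Constructed known_hosts content; sftp.example.test is a placeholder host.
KNOWN_HOSTS = f"# pinned keys\n[sftp.example.test]:2222 ssh-ed25519 {SAMPLE_KEY}\n"

def fingerprints(key_b64):
    """Return the (SHA256, MD5) fingerprints of a base64 public key blob."""
    blob = base64.b64decode(key_b64)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    pairs = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    return "SHA256:" + sha, "MD5:" + pairs

def host_token(host, port=22):
    """Name used in known_hosts: non-default ports are stored as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def verify(known_hosts_text, host, port, expected_fp):
    """Compare the pinned key for host:port with a fingerprint obtained
    out of band. Returns 'match', 'mismatch' or 'unknown'."""
    token = host_token(host, port)
    result = "unknown"
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip comments, @cert-authority/@revoked markers and hashed names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if token in fields[0].split(","):
            if expected_fp in fingerprints(fields[2]):
                return "match"
            result = "mismatch"
    return result

if __name__ == "__main__":
    sha256_fp, md5_fp = fingerprints(SAMPLE_KEY)
    print(sha256_fp, md5_fp)
    print(verify(KNOWN_HOSTS, "sftp.example.test", 2222, sha256_fp))
```

An entry pinned for port 2222 does not cover the same host on port 22, which is why the function returns 'unknown' rather than 'match' when the port differs.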

Increase password prompt timeout for sshd

Do you want to control the login timeout for the SSH server? You can control it with the LoginGraceTime setting.

LoginGraceTime
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.

sshd_config man page

Use your favorite text editor to edit the SSH server settings:

nano /etc/ssh/sshd_config

Look for the LoginGraceTime value – add it or adjust its value:

LoginGraceTime 10

We adjusted it here to 10 seconds. Users will have 10 seconds to log in to the SSH server. Don’t forget to restart the SSH server:

service sshd restart

Resources:
sshd_config man page

MOTD and Banner messages for SSH connections

There are two messages you can set in the sshd configuration. One is MOTD (message of the day) and the other one is the Banner.

Banner Message

The Banner message is displayed before the password login prompt.
To edit/set the Banner message:

1. Login to SSH.

2. We will use the system’s file /etc/issue.net for our message. Edit the file with vi /etc/issue.net and change the message as you wish.

3. Now we will edit the /etc/ssh/sshd_config file. Use vi /etc/ssh/sshd_config. Look for

# no default banner path
#Banner none

and modify to

# no default banner path
Banner /etc/issue.net

4. Exit the editor and restart the SSH server. In our case:

root@web [~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
root@web [~]#

5. At the next login prompt, you will see the Banner message:

login as: root
This computer system is for authorized users only. Individuals using this
system without authority or in excess of their authority are subject to
having all their activities on this system monitored and recorded or
examined by any authorized person, including law enforcement, as system
personnel deem appropriate. In the course of monitoring individuals
improperly using the system or in the course of system maintenance, the
activities of authorized users may also be monitored and recorded. Any
material so recorded may be disclosed as appropriate. Anyone using this
system consents to these terms.


root@web.plothost.com's password:


MOTD Text

The MOTD is displayed after a successful login.
To edit/set the MOTD, follow these steps:

1. Login to SSH.

2. The MOTD text is in the file /etc/motd. So edit it with vi /etc/motd

3. Now we will enable motd in the ssh server configuration. Use vi /etc/ssh/sshd_config. Look for

#PrintMotd yes

and modify to

PrintMotd yes

4. Exit the editor and restart the SSH server. In our case:

root@web [~]# /bin/systemctl restart sshd.service
root@web [~]#

5. On the next successful login, you will see the MOTD text

login as: root
This computer system is for authorized users only. Individuals using this
system without authority or in excess of their authority are subject to
having all their activities on this system monitored and recorded or
examined by any authorized person, including law enforcement, as system
personnel deem appropriate. In the course of monitoring individuals
improperly using the system or in the course of system maintenance, the
activities of authorized users may also be monitored and recorded. Any
material so recorded may be disclosed as appropriate. Anyone using this
system consents to these terms.


root@web.plothost.com's password:
Last login: Thu Dec 12 06:57:43 2019 from 192.168.2.34
Welcome! This is the MOTD :) <------------------------
root@web [~]#


Notice that instead of the vi tool you can use the nano editor or any other editor.

Resources:
issue.net man page
How to install nano editor
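
A small checker for the three sshd_config keywords edited in the two articles above (LoginGraceTime, Banner, PrintMotd), added here as an example and not part of the original articles. It applies sshd's rule that the first value read for a keyword is the one used, so a duplicate line added further down the file has no effect; the sample config and the function names are constructed.

```python
import re

# Defaults for the three keywords this page edits (per the sshd_config man page).
DEFAULTS = {"logingracetime": "120", "banner": "none", "printmotd": "yes"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample config, not taken from a real server.
SAMPLE = """\
# no default banner path
Banner /etc/issue.net
#PrintMotd yes
LoginGraceTime 10
LoginGraceTime 2m
Match User backup
    Banner none
"""

def to_seconds(value):
    """Convert an sshd time value ('10', '2m', '1h30m') to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts or "".join(n + u for n, u in parts) != value.lower():
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def effective_settings(config_text):
    """Global values sshd would use: the first occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out lines such as '#PrintMotd yes' set nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after the first Match line is conditional
        if len(parts) == 2 and key in DEFAULTS:
            seen.setdefault(key, parts[1].strip())
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return warnings for the settings discussed on this page."""
    cfg, notes = effective_settings(config_text), []
    if to_seconds(cfg["logingracetime"]) == 0:
        notes.append("LoginGraceTime 0: unauthenticated connections never time out")
    if cfg["banner"].lower() == "none":
        notes.append("Banner none: no pre-login notice is shown")
    if cfg["printmotd"].lower() != "yes":
        notes.append("PrintMotd is off: sshd will not print /etc/motd")
    return notes
```

On a live server, sshd -t checks the file for syntax errors before you restart the service, and sshd -T prints the values actually in effect.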

How to run cPanel accounts backup from SSH

It’s always a good idea to make on-site/off-site backups of your cPanel accounts. WHM will automatically make backups as per settings from WHM->Backup->Backup Configuration. But you can also run the backup process from the command line.

To start the backup, run:

/usr/local/cpanel/bin/backup

and to force it, run:

/usr/local/cpanel/bin/backup --force

Notice that if backups are not enabled in WHM you can’t start the backup process with the first command:

root@web [~]# /usr/local/cpanel/bin/backup
[2017-05-30 13:13:11 -0400] info [backup] Started at Tue May 30 13:13:11 2017
[2017-05-30 13:13:11 -0400] info [backup] Backups are not scheduled to run today. This can be adjusted in WHM => Backup => Backup Configuration or by calling bin/backup with the --force argument.

You will need to use the --force argument:

root@web [~]# /usr/local/cpanel/bin/backup --force
[2017-05-30 13:15:21 -0400] info [backup] Started at Tue May 30 13:15:21 2017
[2017-05-30 13:15:22 -0400] info [backup] The backup is now running in the background in process 16608.
[2017-05-30 13:15:22 -0400] info [backup] The backup process’s log file is "/usr/local/cpanel/logs/cpbackup/1496164521.log".

Don’t forget to select the users for which you will run the backup. Select them in WHM->Backup->Backup User Selection

For the time being, you can also use the old (legacy) backup system. Note that it will be removed in the next cPanel versions – probably in v66. To start the old backup process:

/scripts/cpbackup

and to force the legacy backup to start, use:

/usr/local/cpanel/scripts/cpbackup --force

You will use the --force parameter if the backup is up to date but you still want to run it for any reason.

Generate private and public key in cPanel for SSH access

The common way to connect to a server via SSH is with a username and a password. To increase security, you can instead use a pair of keys (a private one and a public one) to connect to the server.

The public key will be on the server. The private key will be on your computer. When you try to connect, the server checks that your private key matches the public key it holds. If it does, you will be able to access the server.

We will show in this post how to generate the pair of keys and connect to your server with PuTTY.

To generate and use public and private keys in cPanel:

1. Log in to cPanel

2. Scroll down to the SECURITY section -> SSH Access

3. Click the Manage SSH Keys button

4. Click the +Generate a New Key button

5. You are now on a page titled Generating a Public Key. Here, choose:
- Key Name – you can leave the default value
- Key Password – enter the password for the key and confirm it
- Key Type (RSA or DSA) – leave the default value
- Key Size (2048 or 4096) – leave the default value

cPanel mentions:

RSA vs DSA: RSA and DSA are encryption algorithms used to encrypt your key. DSA is faster for Key Generation and Signing and RSA is faster for Verification.

6. Click the Generate Key button. You will see a confirmation message: Key Generation Complete! with some details:

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
b7:9a:55:59:c1:a7:6a:31:5c:9a:40:50:e9:73:24:a0

7. Click the Go Back link

8. Now you need to authorize the public key (the Authorization Status is not authorized). Click the Manage link.

9. You will see the message: The key with the name “id_rsa” is currently “not authorized” for use when connecting to this account. Click the Authorize button. The success message is: The key “id_rsa.pub” has been authorized.

10. Click the Go Back link

11. Go to the Private Keys section and click the View/Download link.

12. Here we will convert the “id_rsa” key to PPK format. Enter the passphrase and click the Convert button.

13. You will see the key to be used in PuTTY. Click the Download key button and save the file to your computer (the filename is id_rsa.ppk).

14. Now start PuTTY on your computer and go to Connection->SSH->Auth. Here, browse to and select the file you saved in step 13 (Private key file for authentication).

15. Click the Open button. PuTTY will connect to the server. Enter the passphrase when asked.

16. You are now connected to the server 🙂

 
One of the most used SSH programs is PuTTY. Download it from chiark.greenend.org.uk/~sgtatham/putty/