Starting sshd: Privilege separation user does not exist

April 5, 2010    |   Posted by admin   |    Category: Linux Administration

The error message “Starting sshd: Privilege separation user sshd does not exist FAILED” is received when restarting the SSHD service. It means that the user ‘sshd’, which sshd runs its unprivileged part as, does not exist on the system. To fix it, add the ‘sshd’ user on the server.

If it’s a VPS, your hosting provider can log in through the main server and fix it. If it’s a dedicated server, you have to add the user in single user mode, unless you were already logged in before the problem occurred.

Add the following line to the /etc/passwd file:

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

and add the line below to the /etc/group file:

sshd:x:74:

Then restart the sshd service:

# /etc/init.d/sshd restart
 Stopping sshd: [ OK ]
 Starting sshd: [ OK ]

An alternative is to disable UsePrivilegeSeparation in the SSHD configuration. Edit the file /etc/ssh/sshd_config and change

UsePrivilegeSeparation yes
to
UsePrivilegeSeparation no

It is less secure, but it is another option.
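An added example (not from the original post) that checks whether an /etc/passwd and /etc/group pair actually define the ‘sshd’ account the way sshd expects before you restart the service: present, with a matching sshd group, a dedicated home directory and a non-login shell. The uid/gid 74, home directory and shell follow the lines quoted above; the sample file contents are constructed.

```shell
# Checks that an /etc/passwd and /etc/group snapshot (passed in as text) define
# the 'sshd' privilege-separation account: present, matching sshd group,
# dedicated home directory and a non-login shell. Samples are constructed.
privsep_user_check() {
    {
        printf '%s\n' "$1" | sed 's/^/P:/'   # passwd lines, tagged P
        printf '%s\n' "$2" | sed 's/^/G:/'   # group lines, tagged G
    } | awk -F: '
        # P:name:x:uid:gid:gecos:home:shell
        $1 == "P" && $2 == "sshd" {
            found = 1; gid = $5
            if ($8 !~ /(nologin|false)$/) bad = bad "login shell " $8 "; "
            if ($7 == "" || $7 == "/") bad = bad "home " $7 " is not a dedicated directory; "
        }
        # G:name:x:gid:members
        $1 == "G" && $2 == "sshd" { ggid = $4 }
        END {
            if (!found) { print "MISSING: no sshd user in passwd"; exit 1 }
            if (ggid == "" || ggid != gid) bad = bad "no sshd group with gid " gid "; "
            if (bad != "") { print "BAD: " bad; exit 1 }
            print "OK"
        }'
}

# Constructed samples: a correct pair, and a passwd file with the user missing.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin'
SAMPLE_GROUP='root:x:0:
sshd:x:74:'
BROKEN_PASSWD='root:x:0:0:root:/root:/bin/bash'

privsep_user_check "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
privsep_user_check "$BROKEN_PASSWD" "$SAMPLE_GROUP" || echo "fix: add the sshd lines from the post"

# Live system: privsep_user_check "$(cat /etc/passwd)" "$(cat /etc/group)"
# Equivalent to hand-editing the two files (run as root):
#   groupadd -g 74 sshd
#   useradd -u 74 -g sshd -M -d /var/empty/sshd -s /sbin/nologin -c "Privilege-separated SSH" sshd
#   install -d -m 711 -o root -g root /var/empty/sshd   # root-owned, not group/world-writable
```

Keeping the user rather than turning UsePrivilegeSeparation off preserves the confinement of the network-facing part of sshd to an unprivileged account.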


lowest numbered MX record points to localhost

March 20, 2010    |   Posted by admin   |    Category: cPanel Management

You will often see the “lowest numbered MX record points to localhost: rejected RCPT” error in ‘exim_mainlog’ on a cPanel server. The error appears while sending/receiving email and looks something like:

temporarily rejected RCPT <email@domainname.tld>: lowest numbered MX record points to local host

The problem occurs when the domain name is missing from the /etc/localdomains file on the cPanel server. The /etc/localdomains and /etc/remotedomains files decide whether email for a domain is hosted locally or on a remote server, respectively.

To fix the issue, edit the file:

# pico /etc/localdomains

and add the domain name to the file. There is no need to restart the ‘exim’ service.
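An added example (not from the original post) that pulls the rejected recipient domains out of exim_mainlog lines carrying this error and lists the ones that are absent from /etc/localdomains, so you add exactly the domains that are missing. Both files are passed in as text; the log lines and domain list below are constructed, and only a domain whose MX really points at this server belongs in /etc/localdomains (mail hosted elsewhere belongs in /etc/remotedomains).

```shell
# Scans exim_mainlog text for the "lowest numbered MX record points to local
# host" rejection and prints every recipient domain that is not listed in the
# /etc/localdomains text. Inputs are strings; samples below are constructed.
missing_localdomains() {
    log_text=$1
    localdomains_text=$2
    printf '%s\n' "$log_text" |
        grep 'lowest numbered MX record points to local host' |
        sed -n 's/.*RCPT <[^@]*@\([^>]*\)>.*/\1/p' |
        sort -u |
        while read -r domain; do
            # case-insensitive whole-line match against the localdomains list
            if ! printf '%s\n' "$localdomains_text" | grep -qixF -- "$domain"; then
                printf '%s\n' "$domain"
            fi
        done
}

# Constructed log excerpt: three rejections, one normal delivery line.
SAMPLE_LOG='2010-03-20 09:12:01 H=mx.example.org [203.0.113.5] F=<alice@example.org> temporarily rejected RCPT <bob@example.com>: lowest numbered MX record points to local host
2010-03-20 09:12:05 H=mx.example.org [203.0.113.5] F=<alice@example.org> temporarily rejected RCPT <carol@example.com>: lowest numbered MX record points to local host
2010-03-20 09:13:10 H=mx.example.org [203.0.113.5] F=<alice@example.org> temporarily rejected RCPT <dave@hosted.example.net>: lowest numbered MX record points to local host
2010-03-20 09:14:00 1NtZ3m-0001Ab-2c <= alice@example.org H=mx.example.org [203.0.113.5] P=esmtp S=1234'
# Constructed /etc/localdomains: hosted.example.net is listed, example.com is not.
SAMPLE_LOCALDOMAINS='hosted.example.net
server.example.net'

# Prints "example.com": the only rejected domain missing from localdomains.
missing_localdomains "$SAMPLE_LOG" "$SAMPLE_LOCALDOMAINS"
# Live server: missing_localdomains "$(cat exim_mainlog)" "$(cat /etc/localdomains)"
```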


How to secure the SSHD service?

March 19, 2010    |   Posted by admin   |    Category: Linux Administration

The SSH service can be secured in various ways: changing the SSH port, restricting the SSH protocol version, setting the ssh ListenAddress, disabling root login with the PermitRootLogin parameter, allowing SSH access only to specific users, restricting SSH access to specific IPs, etc. These steps will help make sure the SSH service on your server is secure.

Edit the SSHD configuration and make the changes listed below:

vi /etc/ssh/sshd_config

1) Change the default SSH port 22 to a higher value by changing the ‘Port’ directive

Port 2233

2) To make SSH use only the secure protocol version, set the ‘Protocol’ directive as

Protocol 2

3) Bind the SSHD service to a specific IP of the server by replacing the ‘#ListenAddress’ directive with

ListenAddress xx.xx.xx.xx

where xx.xx.xx.xx is the additional IP of the server and the only one on which you will be able to SSH into the server.

4) To disable root access, set ‘PermitRootLogin’ directive to ‘no’

PermitRootLogin no

Make sure you add an alternate SSH user on the server who has the privileges to gain root access before disabling this option.

5) To allow SSH access only to specific users, add the “AllowUsers” directive at the end of the configuration

AllowUsers user1 user2

This will allow SSH access only to the users user1 and user2. You need to allow SSH access to the user who is allowed to gain root access in case root access is disabled.

Save the file and restart the sshd service:

service sshd restart

6) Using TCP wrappers, i.e. hosts.allow and hosts.deny, you can restrict SSH access to specific IPs. Edit /etc/hosts.allow and add the following:

sshd : yourlocalip: allow
sshd : all : deny

“yourlocalip” is the IP assigned to you by your ISP. This restricts SSH access to your local IP only.
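An added example (not from the original post) that audits an sshd_config for steps 1 to 5 above and catches the two ways a hardening edit silently fails to take effect: sshd uses the first value it sees for a keyword, so a line added at the end loses to an earlier one, and anything after a Match line is conditional rather than global. The function takes the config as text; the two sample configs are constructed, and the “keyword value” line form is assumed.

```shell
# Audits sshd_config text for the settings in steps 1-5. For each keyword the
# FIRST value wins, and lines after "Match" are conditional, so both are
# honoured when reading the effective global value. Samples are constructed.
sshd_config_audit() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }               # blank lines and comments
        tolower($1) == "match" { in_match = 1 }     # rest of file is conditional
        in_match { next }
        {
            key = tolower($1); line = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "", line)   # value part
            if (!(key in seen)) { seen[key] = 1; val[key] = line }     # first wins
        }
        function check(name, ok, msg) {
            if (ok) { printf "OK   %s = %s\n", name, val[name]; return 0 }
            printf "WEAK %s: %s\n", name, msg; return 1
        }
        END {
            weak = 0
            weak += check("port", val["port"] != "" && val["port"] != "22", "still on the default port 22")
            # Protocol only matters on OpenSSH builds that still offer protocol 1
            weak += check("protocol", index(val["protocol"], "1") == 0, "protocol 1 is still enabled")
            weak += check("listenaddress", val["listenaddress"] != "", "listening on every address")
            weak += check("permitrootlogin", tolower(val["permitrootlogin"]) == "no", "direct root login allowed")
            weak += check("allowusers", val["allowusers"] != "", "no AllowUsers list, every account may log in")
            exit weak   # exit status = number of weak settings
        }'
}

# Constructed: the post'"'"'s settings, plus a Match block that must not count globally.
HARDENED_CONFIG='Port 2233
Protocol 2
ListenAddress 203.0.113.10
PermitRootLogin no
AllowUsers user1 user2
Match User user2
    PasswordAuthentication no'
# Constructed: "Port 2233" was appended but the earlier "Port 22" still wins.
WEAK_CONFIG='Port 22
PermitRootLogin yes
Port 2233
AllowUsers user1'

sshd_config_audit "$HARDENED_CONFIG"
sshd_config_audit "$WEAK_CONFIG" || echo "$? weak setting(s) found"
# Live server: sshd_config_audit "$(cat /etc/ssh/sshd_config)"
```

Before restarting sshd after changing the port, run `sshd -t` to validate the file and keep your current session open until a second login on the new port (allowed through the firewall) succeeds.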


cPanel server: “hostname resolves to” alert email

March 14, 2010    |   Posted by admin   |    Category: cPanel Management

The “hostname resolves to. It should resolve to xx.xx.xx.xx” alert is sent by a cPanel server if the hostname of your server does not resolve to your server IP. The message received from the server is:

IMPORTANT: Do not ignore this email. The hostname (server.domain.tld
resolves to. It should resolve to xx.xx.xx.xx. Please be sure to
correct /etc/hosts as well as the 'A' entry in zone file for domain.


Some are all of these problems can be caused by /etc/resolv.conf
being setup incorrectly.  Please check this file if you believe
everything else is correct.

You have to set an ‘A’ record for the hostname in your domain’s DNS zone file. The ‘A’ record points the server hostname to your server IP, and the server will stop sending you the alert messages.

For example, if the hostname of your server is server.abc.com, you have to add an ‘A’ record for ‘server’ in the DNS zone file of abc.com. The DNS zone file of abc.com resides on the server that the name servers of abc.com point to.

If the name servers for abc.com resolve to your server, you need to edit the DNS zone file of abc.com from

WHM >> DNS Functions >> Edit a DNS Zone

and add an ‘A’ record for ‘server’ to point to your server IP.

If you are using your domain registrar’s name servers for abc.com, then you have to set the ‘A’ record in the domain registrar’s panel. But make sure it is set correctly on your server as well.

The next step is to check that the hostname is properly set in the /etc/hosts file of the server. SSH to your server as root and make sure the hostname is set as follows:

ServerIP  server.abc.com server

If you still continue to receive the alert message even though the hostname resolves to your server IP, disable the IP DNS check option in WHM:

WHM >> Server Contacts >> "IP Address DNS Check"

NOTE: If the hostname resolves properly to your server, it is safe to ignore/disable these alerts. It will not affect the working of your server/websites in any way.


Mysql: Access denied for user ‘root’@’localhost’

March 14, 2010    |   Posted by admin   |    Category: Mysql & PostGres SQL

You may receive the “Access denied for user ‘root’@’localhost’” message while accessing MySQL from the command prompt.

The error message means that the MySQL password for user ‘root’ is incorrect and you need to reset the password using the skip-grant-tables method.

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

How to reset the root MySQL password in Linux?

First, stop the mysql service

# /etc/init.d/mysql stop

Make sure all the mysql processes are stopped by executing the killall command

# killall -9 mysqld

Next, start mysql in safe mode with the grant tables skipped, i.e. the privilege tables are not checked when connecting to the mysql server

# /usr/bin/mysqld_safe --skip-grant-tables &

Now, connect to your MySQL prompt using the ‘mysql’ command

# mysql
 Welcome to the MySQL monitor. Commands end with ; or \g.
 Your MySQL connection id is 23056
 mysql>

Go to the ‘mysql’ database

mysql> use mysql;

Now set a password for user ‘root’

mysql> update user set password=PASSWORD("passhere") where user='root';

Or you can set a blank password for user ‘root’

mysql> update user set password=PASSWORD("") where user='root';

Once done, reload privileges and quit

mysql> flush privileges;
mysql> quit

Now, restart the mysql service

# /etc/init.d/mysql restart

and you should be able to connect to your MySQL server:

# mysql
OR
# mysql -uroot -p