The SSH and rkhunter configuration options should be the same

Forum Moderators: bakedjake

Message Too Old, No Replies

The SSH and rkhunter configuration options should be the same

lappert2001

6:05 pm on Feb 14, 2012 (gmt 0)

I'm getting the following warning in my daily rootkit report:

Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

As far as I know, this was the default when we installed this server (Debian Squeeze)

One source said the fix would be to change the /etc/ssh/sshd_config and set: PermitRootLogin no

So I'm confused now. If I set PermitRootLogin to no, wouldn't that prohibit my logging into our server (which is in a data farm)? Or does it do something else?

I so, is there a better alternative?

Thanks

graeme_p

5:48 am on Feb 15, 2012 (gmt 0)

PermitRootLogin no will stop you directly logging in as root over ssh.

You will still be able to login as another user and use su to become root. You can create another user just for this purpose.

If you really want to allow root logins without warnings (not best practice) then change the rkhunter option.

lappert2001

6:10 am on Feb 15, 2012 (gmt 0)

Thanks, that makes it more clear.

Sounds just like Ubuntu with all the su's. An inconvenience, and I've never had a problem with root, but that doesn't mean I won't have a problem some day.

graeme_p

7:23 am on Feb 15, 2012 (gmt 0)

Have you ever logged failed ssh login attempts? There are large numbers of automated scans followed by attempts to login as root. Not allowing root login makes brute force attacks much less likely to succeed.

If you do decide to allow root logins, other precautions are a very good idea: consider using a non-standard ssh port and using fail2ban or denyhosts to block IPs that make repeated attempts. Allowing only key based logins is another option.

lappert2001

7:32 am on Feb 15, 2012 (gmt 0)

Thanks. Where would the failed ssh login attempts be logged. Would it be syslog, messages, auth.log or something else? Obviously I'm not s security expert.

I know our provider installed fail2ban, although I haven't figured out yet what it does, or how to use it. And recently we've had a problem with Shorewall preventing pop3 and webmin access, so I've had to issue 'shorewall clear' commands to get mail.

lappert2001

9:50 am on Feb 15, 2012 (gmt 0)

Giving it some thought, I'll investigate the other options, but for now I set PermitRootLogin to no and set up a non-root account.

Now, a side question... while I can login and su to root, how does that work in SFTP? Now I need to login to SFTP via the same non-root account, but I don't know any method to 'su' in the SFTP context.

Or am I missing something?

graeme_p

8:34 am on Feb 16, 2012 (gmt 0)

Some sftp clients can apparently do it, otherwise use one of the other solutions.

Needing to use sftp as root probably means you are doing something wrong.

graeme_p

8:37 am on Feb 16, 2012 (gmt 0)

My VPS (it runs purely private stuff, nothing to draw attention) gets about a thousand failed logins a day.

lappert2001

10:01 am on Feb 16, 2012 (gmt 0)

Apparently it is possible. See [vandyke.com...] But if one uses this particular application, they also require the server is running VShell 3.5 for Windows server.

And needing or wanting root on FTP does not necessarily mean something is wrong, especially when administering a number of web sites. I keep term and FTP clients open all the time, each with several windows.

graeme_p

11:23 am on Feb 16, 2012 (gmt 0)

I am pretty sure that is not the only way to su before sftp.

If you are constantly logged in, you should probably use ssh keys just for convenience. Then you can also only allow passwordless root logins. End of problem.

What remote admin do you do that requires sftp as root all that often? Are you constantly changing server configs?