The SSH and rkhunter configuration options should be the same
lappert2001




msg:4417537
 6:05 pm on Feb 14, 2012 (gmt 0)

I'm getting the following warning in my daily rootkit report:

Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no


As far as I know, this was the default when we installed this server (Debian Squeeze).

One source said the fix would be to change the /etc/ssh/sshd_config and set: PermitRootLogin no

So I'm confused now. If I set PermitRootLogin to no, wouldn't that prohibit my logging into our server (which is in a data farm)? Or does it do something else?

If so, is there a better alternative?

Thanks

 

graeme_p




msg:4417759
 5:48 am on Feb 15, 2012 (gmt 0)

PermitRootLogin no will stop you directly logging in as root over ssh.

You will still be able to login as another user and use su to become root. You can create another user just for this purpose.

If you really want to allow root logins without warnings (not best practice) then change the rkhunter option.

lappert2001




msg:4417768
 6:10 am on Feb 15, 2012 (gmt 0)

Thanks, that makes it more clear.

Sounds just like Ubuntu with all the su's. An inconvenience, and I've never had a problem with root, but that doesn't mean I won't have a problem some day.

graeme_p




msg:4417798
 7:23 am on Feb 15, 2012 (gmt 0)

Have you ever logged failed ssh login attempts? There are large numbers of automated scans followed by attempts to login as root. Not allowing root login makes brute force attacks much less likely to succeed.

If you do decide to allow root logins, other precautions are a very good idea: consider using a non-standard ssh port and using fail2ban or denyhosts to block IPs that make repeated attempts. Allowing only key based logins is another option.

lappert2001




msg:4417802
 7:32 am on Feb 15, 2012 (gmt 0)

Thanks. Where would the failed ssh login attempts be logged? Would it be syslog, messages, auth.log or something else? Obviously I'm not a security expert.

I know our provider installed fail2ban, although I haven't figured out yet what it does, or how to use it. And recently we've had a problem with Shorewall preventing pop3 and webmin access, so I've had to issue 'shorewall clear' commands to get mail.

lappert2001




msg:4417977
 9:50 am on Feb 15, 2012 (gmt 0)

Giving it some thought, I'll investigate the other options, but for now I set PermitRootLogin to no and set up a non-root account.

Now, a side question... while I can login and su to root, how does that work in SFTP? Now I need to login to SFTP via the same non-root account, but I don't know any method to 'su' in the SFTP context.

Or am I missing something?

graeme_p




msg:4418278
 8:34 am on Feb 16, 2012 (gmt 0)

Some sftp clients can apparently do it, otherwise use one of the other solutions.

Needing to use sftp as root probably means you are doing something wrong.

graeme_p




msg:4418279
 8:37 am on Feb 16, 2012 (gmt 0)

My VPS (it runs purely private stuff, nothing to draw attention) gets about a thousand failed logins a day.

lappert2001




msg:4418291
 10:01 am on Feb 16, 2012 (gmt 0)

Apparently it is possible. See [vandyke.com...] But if one uses this particular application, they also require the server is running VShell 3.5 for Windows server.

And needing or wanting root on FTP does not necessarily mean something is wrong, especially when administering a number of web sites. I keep term and FTP clients open all the time, each with several windows.

graeme_p




msg:4418304
 11:23 am on Feb 16, 2012 (gmt 0)

I am pretty sure that is not the only way to su before sftp.

If you are constantly logged in, you should probably use ssh keys just for convenience. Then you can also only allow passwordless root logins. End of problem.

What remote admin do you do that requires sftp as root all that often? Are you constantly changing server configs?
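
Added example, not part of the thread and not rkhunter's own code: a Python sketch of the comparison behind the warning in the first post, run over constructed config text for the reported state, the `PermitRootLogin no` fix, and key-only root login set on both sides. The function names, the sample strings, the `without-password` value for the key-only case and the rkhunter fallback of `no` when the option is absent are assumptions of this example.

```python
import re

def sshd_permit_root_login(sshd_config: str) -> str:
    """Global PermitRootLogin value from sshd_config text, or 'unset'."""
    for line in sshd_config.splitlines():
        fields = line.split("#", 1)[0].replace("=", " ").split()
        if not fields:
            continue                      # blank or commented-out line
        keyword = fields[0].lower()       # sshd keywords are case-insensitive
        if keyword == "match":
            break                         # settings below apply conditionally
        if keyword == "permitrootlogin" and len(fields) > 1:
            return fields[1].strip('"').lower()   # first value obtained is used
    return "unset"

def rkhunter_allow_ssh_root(rkhunter_conf: str, default: str = "no") -> str:
    """ALLOW_SSH_ROOT_USER from rkhunter.conf text.

    Assumptions: 'no' when the option is absent, and a later assignment
    overrides an earlier one.
    """
    value = default
    for line in rkhunter_conf.splitlines():
        m = re.match(r'\s*ALLOW_SSH_ROOT_USER\s*=\s*"?([^"#\s]+)', line)
        if m:
            value = m.group(1).lower()
    return value

def check_consistency(sshd_config: str, rkhunter_conf: str):
    """Return None when both settings agree, else a description of the mismatch."""
    ssh_value = sshd_permit_root_login(sshd_config)
    rkh_value = rkhunter_allow_ssh_root(rkhunter_conf)
    if ssh_value == rkh_value:
        return None
    return (f"SSH 'PermitRootLogin': {ssh_value}; "
            f"rkhunter 'ALLOW_SSH_ROOT_USER': {rkh_value}")

# Constructed sample inputs (not taken from a real server).
SSHD_REPORTED = "Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n"
SSHD_NO_ROOT = "Port 22\nPermitRootLogin no\n"
SSHD_KEYS_ONLY = "PermitRootLogin without-password\n"
RKH_NO_ROOT = "ALLOW_SSH_ROOT_USER=no\n"
RKH_KEYS_ONLY = "ALLOW_SSH_ROOT_USER=without-password\n"

if __name__ == "__main__":
    print(check_consistency(SSHD_REPORTED, RKH_NO_ROOT))     # state in the report
    print(check_consistency(SSHD_NO_ROOT, RKH_NO_ROOT))      # after PermitRootLogin no
    print(check_consistency(SSHD_KEYS_ONLY, RKH_KEYS_ONLY))  # key-only root, both sides
```

The check passes only when the two files state the same policy, so whichever root-login policy is chosen has to be written into both.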
