Forum Moderators: bakedjake

The SSH and rkhunter configuration options should be the same

     
6:05 pm on Feb 14, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:July 23, 2005
posts: 72
votes: 0


I'm getting the following warning in my daily rootkit report:

Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no


As far as I know, this was the default when we installed this server (Debian Squeeze).

One source said the fix would be to change the /etc/ssh/sshd_config and set: PermitRootLogin no

So I'm confused now. If I set PermitRootLogin to no, wouldn't that prohibit my logging into our server (which is in a data farm)? Or does it do something else?

If so, is there a better alternative?

Thanks
5:48 am on Feb 15, 2012 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2417
votes: 17


PermitRootLogin no will stop you directly logging in as root over ssh.

You will still be able to login as another user and use su to become root. You can create another user just for this purpose.

If you really want to allow root logins without warnings (not best practice) then change the rkhunter option.
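The comparison behind this warning, as an added example that is not part of the original posts and is not rkhunter's own code: a shell check that reads both configuration files and reports whether the two options agree. The function names are hypothetical, and the paths in the usage line are the usual Debian locations (an assumption).

```shell
# Added example (function names are hypothetical, not rkhunter's own code).
# Print the global PermitRootLogin value from an sshd_config file, or "unset".
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and "Keyword=value" is accepted. Lines after a Match
# block are conditional, so the scan stops there.
sshd_root_login() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == "permitrootlogin" && n >= 2) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print ALLOW_SSH_ROOT_USER from an rkhunter.conf file.
# Assumptions: the last uncommented assignment wins, and a missing option
# counts as "no".
rkhunter_root_user() {
    awk -F= '
        /^[ \t]*ALLOW_SSH_ROOT_USER[ \t]*=/ {
            val = $2
            sub(/#.*/, "", val)
            gsub(/[ \t"]/, "", val)
        }
        END { print (val == "" ? "no" : val) }
    ' "$1"
}

# Return 0 when both files agree, 1 (with a message) when they differ.
check_root_login_consistency() {
    ssh_val=$(sshd_root_login "$1")
    rkh_val=$(rkhunter_root_user "$2")
    if [ "$ssh_val" = "$rkh_val" ]; then
        echo "OK: PermitRootLogin and ALLOW_SSH_ROOT_USER are both '$ssh_val'"
        return 0
    fi
    echo "MISMATCH: PermitRootLogin='$ssh_val' ALLOW_SSH_ROOT_USER='$rkh_val'"
    return 1
}

# Usage: sh check.sh /etc/ssh/sshd_config /etc/rkhunter.conf
if [ "$#" -eq 2 ]; then check_root_login_consistency "$1" "$2"; fi
```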
6:10 am on Feb 15, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:July 23, 2005
posts: 72
votes: 0


Thanks, that makes it more clear.

Sounds just like Ubuntu with all the su's. An inconvenience, and I've never had a problem with root, but that doesn't mean I won't have a problem some day.
7:23 am on Feb 15, 2012 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2417
votes: 17


Have you ever logged failed ssh login attempts? There are large numbers of automated scans followed by attempts to login as root. Not allowing root login makes brute force attacks much less likely to succeed.

If you do decide to allow root logins, other precautions are a very good idea: consider using a non-standard ssh port and using fail2ban or denyhosts to block IPs that make repeated attempts. Allowing only key based logins is another option.
7:32 am on Feb 15, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:July 23, 2005
posts: 72
votes: 0


Thanks. Where would the failed ssh login attempts be logged? Would it be syslog, messages, auth.log or something else? Obviously I'm not a security expert.

I know our provider installed fail2ban, although I haven't figured out yet what it does, or how to use it. And recently we've had a problem with Shorewall preventing pop3 and webmin access, so I've had to issue 'shorewall clear' commands to get mail.
9:50 am on Feb 15, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:July 23, 2005
posts: 72
votes: 0


Giving it some thought, I'll investigate the other options, but for now I set PermitRootLogin to no and set up a non-root account.

Now, a side question... while I can login and su to root, how does that work in SFTP? Now I need to login to SFTP via the same non-root account, but I don't know any method to 'su' in the SFTP context.

Or am I missing something?
8:34 am on Feb 16, 2012 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2417
votes: 17


Some sftp clients can apparently do it, otherwise use one of the other solutions.

Needing to use sftp as root probably means you are doing something wrong.
8:37 am on Feb 16, 2012 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2417
votes: 17


My VPS (it runs purely private stuff, nothing to draw attention) gets about a thousand failed logins a day.
10:01 am on Feb 16, 2012 (gmt 0)

Junior Member

10+ Year Member

joined:July 23, 2005
posts: 72
votes: 0


Apparently it is possible. See [vandyke.com...] But if one uses this particular application, they also require the server is running VShell 3.5 for Windows server.

And needing or wanting root on FTP does not necessarily mean something is wrong, especially when administering a number of web sites. I keep term and FTP clients open all the time, each with several windows.
11:23 am on Feb 16, 2012 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2417
votes: 17


I am pretty sure that is not the only way to su before sftp.

If you are constantly logged in, you should probably use ssh keys just for convenience. Then you can also only allow passwordless root logins. End of problem.

What remote admin do you do that requires sftp as root all that often? Are you constantly changing server configs?