Koozali.org: home of the SME Server

RKHunter and SME7pre1

paul_NZ
RKHunter and SME7pre1
« on: January 20, 2006, 09:04:06 PM »
The daily run of rkhunter produces the following result

Line: Watch out Root login possible. Possible risk!
  [ Warning ]
-----------------------------------------------------------------

Found warnings:
[04:04:19] Warning: root login possible. Change for your safety the 'PermitRootLogin'

-----------------------------------------------------------------

I know that this has been mentioned a couple of times here, but there does not seem to be (or I can't find) any comment as to whether this is an expected result or a bug, nor is there any comment as to what action is required to reduce this email without switching off rkhunter.

What is the best course of action to take with this?

Cheers

Franco
RKHunter and SME7pre1
« Reply #1 on: January 20, 2006, 09:56:38 PM »
The proper way would be to disable secure access completely, by going into the remote access panel and changing SSH to no access. Then change it only when needed.

paul_NZ
RKHunter and SME7pre1
« Reply #2 on: January 21, 2006, 01:30:11 AM »
Thanks Stuntshell for the comments, and I agree the ssh access is best switched off; unfortunately the server is 'offsite' and there is no one on site who is able to switch it on when needed, so we leave ssh access always on.

I would be interested to know if there was a way to suppress this message, provided of course that this message is not highlighting a strong weakness rather than what could be said to be an acceptable level of risk, having ssh access always on.

JonB
RKHunter and SME7pre1
« Reply #3 on: January 21, 2006, 01:58:04 AM »
Paul,

If you need to leave SSH access enabled then you can limit it to certain IP addresses by doing

/sbin/e-smith/db configuration setprop sshd AllowHosts xxx.xxx.xxx.xxx

/sbin/e-smith/signal-event remoteaccess-update

You can add multiple IPs, just comma-separate the IP addresses.

You will still get the rkhunter message daily, but you will know that SSH is secure and only accessible by IPs you choose.

The other way is as Stuntshell has already said. Disable SSH access in the server-manager and when you want to enable it, log into server-manager remotely and enable it.

I recently acquired a new customer who had his server (not SME) hacked by a hacker who installed a rootkit and an ebay phishing site. They got in by running a dictionary attack on SSH.

I trashed the server and installed SME  :-D

All SME servers I look after are now limited to a couple of IP addresses for SSH access.

If I am out on the road and on an unknown IP, I have a server that I use that has full SSH access enabled and I SSH into the other servers from that one. I only have one server to check the SSH logs on and it can easily be trashed and rebuilt if needs be.

The third option is to use certificates. That way you can install the certificate on any machine and access SSH that way. There is a good How To for this. You will need to search for it.

Jon
...
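Jon's two commands above, wrapped in an added example (written for this page, not from the thread or from SME Server itself) that checks the address list before it reaches the e-smith configuration db, because a mistyped address in AllowHosts locks you out of your own box. The addresses used are constructed documentation-range values; the real commands only run where the e-smith tools exist.

```shell
#!/bin/sh
# Added example, not SME Server code: validate a comma-separated AllowHosts
# list before handing it to /sbin/e-smith/db, then build Jon's two commands.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, odd characters, empty octet
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1        # keep the numeric test in range
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if every comma-separated entry in $1 is a valid IPv4 address
# (no spaces around the commas, as Jon's instructions say).
validate_allowhosts() {
    list=$1
    case "$list" in
        ''|,*|*,|*,,*) return 1 ;;             # empty list or empty entry
    esac
    old_ifs=$IFS
    IFS=,
    set -- $list
    IFS=$old_ifs
    for host in "$@"; do
        if ! valid_ipv4 "$host"; then
            echo "rejected: '$host' is not a valid IPv4 address" >&2
            return 1
        fi
    done
    return 0
}

# Build Jon's two commands. They are executed only when the e-smith db tool is
# present and SSH_RESTRICT_APPLY=1 is set; otherwise they are printed for review.
restrict_ssh() {
    validate_allowhosts "$1" || return 1
    cmd1="/sbin/e-smith/db configuration setprop sshd AllowHosts $1"
    cmd2="/sbin/e-smith/signal-event remoteaccess-update"
    if [ "${SSH_RESTRICT_APPLY:-0}" = 1 ] && [ -x /sbin/e-smith/db ]; then
        $cmd1 && $cmd2
    else
        printf '%s\n%s\n' "$cmd1" "$cmd2"
    fi
}

# Usage with two constructed documentation-range addresses:
restrict_ssh "203.0.113.10,198.51.100.7"
```

Without SSH_RESTRICT_APPLY=1 the script only prints the two commands, so it can be dry-run from any machine before being used on the server.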

paul_NZ
RKHunter and SME7pre1
« Reply #4 on: January 21, 2006, 02:16:26 AM »
Jon

Thank you for your excellent explanation ... I'll go ahead now and restrict access to a couple of IP addresses.

Cheers

gordonr
RKHunter and SME7pre1
« Reply #5 on: January 21, 2006, 02:00:26 PM »
Quote from: "paul_NZ"
Jon

Thank you for your excellent explanation ... I'll go ahead now and restrict access to a couple of IP addresses.

Cheers

Yep, limiting SSH to a known set of IPs is a good thing.

But also:

Disable root ssh login.
Disable ssh password authentication.
Create a user or users for remote admin.
Install SSH keys into those accounts.
Enable sudo for those accounts.
Lock their passwords.

See my recipe here:

http://bugs.contribs.org/show_bug.cgi?id=502
............
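Gordon's recipe above, turned into an added check (example code written for this page, not Gordon's recipe itself or SME Server code): it reads an sshd_config the way sshd does, stripping comments and letting the first occurrence of a keyword win, and reports which of the recipe's settings are not in force. Treating PubkeyAuthentication and AllowUsers as the config-side counterpart of "create users for remote admin" and "install SSH keys" is my reading of the recipe; the two config files are constructed samples written to temporary files, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the thread or SME Server: audit an sshd_config
# against the recipe (no root login, no passwords, keys, named admin users).
# Assumptions: keywords are case-insensitive, first occurrence wins, no Match blocks.

# Print the effective value of KEYWORD ($2) in FILE ($1), or DEFAULT ($3) when unset.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^ +/, ""); print  # value may span several words (AllowUsers)
            found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# Report settings that depart from the recipe; return the number of findings.
audit_sshd() {
    file=$1
    findings=0
    # Defaults used when the keyword is absent (OpenSSH before 7.0 permitted root login).
    root=$(sshd_setting "$file" PermitRootLogin yes)
    pass=$(sshd_setting "$file" PasswordAuthentication yes)
    pubkey=$(sshd_setting "$file" PubkeyAuthentication yes)
    allow=$(sshd_setting "$file" AllowUsers "")
    if [ "$root" != no ]; then
        echo "PermitRootLogin is '$root': root login possible (this is what rkhunter warns about)"
        findings=$((findings + 1))
    fi
    if [ "$pass" != no ]; then
        echo "PasswordAuthentication is '$pass': a dictionary attack on SSH still has a chance"
        findings=$((findings + 1))
    fi
    if [ "$pubkey" != yes ]; then
        echo "PubkeyAuthentication is '$pubkey': key logins for the admin accounts will fail"
        findings=$((findings + 1))
    fi
    if [ -z "$allow" ]; then
        echo "AllowUsers unset: every account with a shell may attempt an SSH login"
        findings=$((findings + 1))
    else
        case " $allow " in
            *' root '*) echo "AllowUsers includes root"; findings=$((findings + 1)) ;;
        esac
    fi
    return $findings
}

# Constructed sample: a stock-looking config with the old defaults in force.
weak=$(mktemp)
cat > "$weak" <<'EOF'
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF

# Constructed sample: the same box after applying the recipe.
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
Port 22
permitrootlogin no
PasswordAuthentication no
PasswordAuthentication yes   # ignored: the first occurrence wins
PubkeyAuthentication yes
AllowUsers admin1 admin2
EOF
trap 'rm -f "$weak" "$hardened"' EXIT

echo "== weak config ==";     audit_sshd "$weak" || echo "$? finding(s)"
echo "== hardened config =="; audit_sshd "$hardened" && echo "no findings"
```

Run against /etc/ssh/sshd_config after changing the settings and the exit status tells you how many items of the recipe are still outstanding; a zero means the rkhunter root-login warning should also stop.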

riffai

RKHunter and SME7pre1
« Reply #6 on: April 19, 2006, 03:56:47 PM »
That email scared the daylights out of me!!!

I usually VPN in to the SME box to be able to SSH.

Does it help if SSH access is only allowed from local networks, or does it still carry a risk?

Cheers!

tandum

RKHunter and SME7pre1
« Reply #7 on: April 19, 2006, 05:17:37 PM »
Quote from: "riffai"
That email scared the daylights out of me!!!

I usually VPN in to the SME box to be able to SSH.

Does it help if SSH access is only allowed from local networks, or does it still carry a risk?

Cheers!

That root kit hunter email is a pain in the arse. Even if it finds nothing it sends you an empty email to tell you it found nothing. chmod -x /etc/cron.daily/01-rkhunter stops the stupid thing from running. However, if you're exposing ports to the Internet I wouldn't turn it off.

gordonr
RKHunter and SME7pre1
« Reply #8 on: April 20, 2006, 03:06:58 AM »
Quote from: "tandum"

That root kit hunter email is a pain in the arse. Even if it finds nothing it sends you an empty email to tell you it found nothing.


rkhunter says nothing at all on my boxes, but will complain if you have root ssh login enabled, as it is designed to do. If you are getting false positives or empty mails, please raise them in the bug tracker.  You should not be getting empty mails and if you are, that would be a bug. We patched rkhunter to suppress unwanted mails.

Quote from: "tandum"

chmod -x /etc/cron.daily/01-rkhunter stops the stupid thing from running. However, if you're exposing ports to the Internet I wouldn't turn it off.


Don't change the permissions on the cron job - it will be undone on the next rkhunter upgrade. If you don't want rkhunter, you could remove it.
............

riffai

RKHunter and SME7pre1
« Reply #9 on: April 20, 2006, 04:13:52 AM »
I guess rkhunter is a pain, but it's good to know it's there. I've never been hacked and hope it remains so.

It's not a bug, because I do have ssh enabled, although only through local network access. So those warning emails are legit.

Gordon, your recipe looks like what I should be doing, except I have no idea how to use ssh keys for authentication. A search on these forums will most likely provide the info I need.

Thanks for all your help!!!!