Koozali.org: home of the SME Server

Cron Daemon message: is there a problem?

dany_it

« on: September 28, 2006, 03:22:14 PM »
Hi to all!

I have installed a SME Server 7.0 in a pc HP Proliant ML310.

I receive in the admin mail this message from "Cron Daemon":


Data: 27 Sep 2006 02:02:44 -0000
    Da: Cron Daemon
Rispondi-A: Cron Daemon
Oggetto: Cron <root@sme7-hp> run-parts /etc/cron.daily
      A: root@mydomain.com

/etc/cron.daily/01-rkhunter:

Line:  [ Warning! ]
Line:   [ Warning! ]
Watch out Root login possible. Possible risk!
-----------------------------------------------------------------

Found warnings:
[04:02:43] WARNING, found:  /etc/.java (directory) [04:02:43] Warning:
root login possible. Change for your safety the 'PermitRootLogin'

-----------------------------------------------------------------

If you're unsure about the results above, please contact the author of
Rootkit Hunter. Fill in contact form: http://www.rootkit.nl/contact/
Some errors has been found while checking. Please perform a manual
check on this machine sme7-hp
/etc/cron.daily/conf-mod_ssl:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:State or Province Name (full name)
[Berkshire]:Locality Name (eg, city) [Newbury]:Organization Name (eg,
company) [My Company Ltd]:Organizational Unit Name (eg, section)
[]:Common Name (eg, your name or your server's hostname) []:Email
Address []:


I'm a newbie, so I can't tell if this is really a problem...
I specify that I have installed JRE on server.

Thanks a lot!
Bye,
Daniele.

stephen

« Reply #1 on: September 29, 2006, 06:03:49 AM »
There is no problem - this is the message you normally get from the Rootkit hunter.

Cheers

mmccarn

« Reply #2 on: September 29, 2006, 03:08:19 PM »
Please read through this thread to get an idea of the pros and cons of having ssh publicly accessible: http://forums.contribs.org/index.php?topic=27855.0.

rkhunter gives you this warning because having ssh configured for root login *is* a security hole - if any of the many systems on the internet that regularly hammer ssh with brute force attacks guesses the root password on your system, you're scr@#@d.

[edit]
I don't know if you get the same rkhunter output with "Secure shell access" set to "Allow access only from local networks"...
[/edit]

jfarschman

« Reply #3 on: September 29, 2006, 05:03:54 PM »
Dany,

  Close the hole.  It can only cause you grief.  The best way to handle your SME server... if you are security conscious.... is to set the remote access so that only your IP can connect to the server.

  You can do this with access controls in a router/modem
  You can do this with the /server-manager/ in remote access
  You can use the VPN features of the server.

But don't give people the opportunity to brute force your root password.

  :twisted:

By default the SME is pretty well locked down... but by using a combination of command line access (decreasing password strength) and server-manager Remote Access mistakes you can ruin all the good work put into making SME safe.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

dany_it

« Reply #4 on: October 02, 2006, 05:03:35 PM »
Thanks to all for the replies!

I haven't ssh access to public as root... I have configured it only from "local", so I can connect with VPN and after SSH as root...

Is it a configuration rather security?
I think that now the only access to the server from outside is with VPN PPTP, because the others are disabled as server-manager from a remote IP and SSH...

mmccarn

« Reply #5 on: October 02, 2006, 05:10:07 PM »
Quote from: "stephen"
> There is no problem - this is the message you normally get from the Rootkit hunter.
>
> Cheers

Sounds like stephen had it right, then!  

To get rid of the message, you'd have to
    - disable administrative login to ssh
    - enable command shell login for some other user (there are discussions on how to do this somewhere),
    - login using the other user, then use "su" to get a root shell

dany_it

« Reply #6 on: October 02, 2006, 05:24:51 PM »
Quote from: "mmccarn"
> Sounds like stephen had it right, then!
>
> To get rid of the message, you'd have to
>     - disable administrative login to ssh
>     - enable command shell login for some other user (there are discussions on how to do this somewhere),
>     - login using the other user, then use "su" to get a root shell

Ok.
The message itself isn't a problem...
I tried to understand if ssh was open externally or no!

Thanks very much to all!

william_syd

« Reply #7 on: October 03, 2006, 12:40:49 AM »
If you find a solution to SSH access that you're happy with that still results in an email message, you can disable it. Details at...
http://64.233.179.104/translate_c?hl=en&ie=iso-8859-15&oe=iso-8859-15&langpair=fr%7Cen&u=http://www.smeserver.fr/astuces.php%3Fastuce%3Dmail_rkhunter_root&prev=/language_tools
Regards,
William

IF I give advise.. It's only if it was me....

raem

« Reply #8 on: October 03, 2006, 04:00:16 AM »
dany_it

> ... ssh ... I have configured it only from "local"
> Is it a configuration rather security?

> ... ssh configured for root login *is* a security hole
> ...hammer ssh with brute force attacks guesses the root password on your system....

It's not just related to external attacks on ssh access.
A badly written php web app can be hacked and the hacker can then get root access and do what they want. If root access via password is disabled then even if a php web app with a security hole lets someone in, they are limited to what access they can then get to the system.
Such things have happened, so don't be complacent.

The best method is to use public private keys, even for local access, and permanently disable root login using standard passwords. There is a very good howto written by Ian Wells, which is fairly easy to implement, just search for it eg search on public private keys.
...
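
A read-only check of the two settings this advice turns on, as an added example that is not part of the original thread: it reports the global PermitRootLogin and PasswordAuthentication values from an sshd_config file. The function names and the sample config are constructed for illustration; on a real system the file to pass is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: read-only audit of the two sshd settings discussed above.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional, so only the
# global section is inspected here.

sshd_effective() {   # usage: sshd_effective KEYWORD FILE
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            sub(/^[ \t]+/, "")
            if ($0 == "" || $0 ~ /^#/) next      # blank line or comment
            split($0, f, /[ \t=]+/)              # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit             # conditional blocks follow
            if (key == want) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$2"
}

audit_sshd() {       # usage: audit_sshd FILE ; returns 1 if anything is flagged
    root=$(sshd_effective PermitRootLogin "$1")
    pass=$(sshd_effective PasswordAuthentication "$1")
    rc=0
    case "$root" in
        no|without-password|prohibit-password|forced-commands-only)
            echo "ok:   PermitRootLogin $root" ;;
        unset)
            echo "warn: PermitRootLogin unset, the compiled-in default applies"; rc=1 ;;
        *)
            echo "warn: PermitRootLogin $root, root login over ssh is allowed"; rc=1 ;;
    esac
    case "$pass" in
        no) echo "ok:   PasswordAuthentication no" ;;
        *)  echo "warn: password logins accepted, so passwords can be guessed"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config (not taken from any real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin no
permitrootlogin yes
PasswordAuthentication=yes
EOF
audit_sshd "$sample" || echo "result: review the settings flagged above"
rm -f "$sample"
```

A Match block later in the file can still override the global values for particular users or addresses, so a clean result here covers only the global section.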

mickspice

« Reply #9 on: March 08, 2007, 09:10:32 AM »
The daily message I get from my CRON is different, and on a new install slightly worrying?

--------------------
/etc/cron.daily/01-rkhunter:

Determining OS... Warning: This operating system is not fully supported!
-----------------------------------------------------------------

Found warnings:
[04:02:01] Warning: This operating system is not fully supported!

-----------------------------------------------------------------

The install says it is 7.1.2 on a Dell Poweredge 1400sc and whilst it all seems to be working fine this "o/s not supported" is slightly worrying...
Can someone please point me in the right direction to fix it.

Thanks

william_syd

« Reply #10 on: March 08, 2007, 10:04:30 AM »
Quote from: "rkhunter FAQ"
> What does the warning "Determining OS... Warning: this operating system is not fully supported!" mean?
> It simply means: not all functions and checks can be performed, because the system is 'unknown' to the script (things like which md5 utility is available, md5 hashes for this system etc.). If you want support for a newly distro, please mail me by filling in the contact form and tell me which distro you are using.

You could try..

Code:
/usr/bin/rkhunter --versioncheck
and
Code:
/usr/bin/rkhunter --update
and
Code:
/usr/bin/rkhunter -c
Regards,
William

IF I give advise.. It's only if it was me....

byte

« Reply #11 on: March 08, 2007, 12:17:36 PM »
Quote from: "mickspice"
> Can someone please point me in the right direction to fix it.

Please report bugs and potential bugs in the bug tracker. Thanks

(Do a search you will see someone has already reported)

Also this message is only because we normally make our own rod (but seems it wasn't done)
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

william_syd

« Reply #12 on: March 08, 2007, 12:39:51 PM »
If you head over to http://sourceforge.net/project/showfiles.php?group_id=155034 you can d/l a hash update script that will add SMEserver to the known db.

Code:
[root@c3 ~]# ./hashupd.sh
[INFO] Found release: "SME Server release 7.1.2"
[INFO] "SME Server release 7.1.2" wasn't found in /var/rkhunter/db/os.dat.
[INFO] "SME Server release 7.1.2" has local number 807.
[INFO] Found md5sum at /usr/bin/md5sum
[INFO] Found sha1sum at /usr/bin/sha1sum
[INFO] Adding distribution/release "SME Server release 7.1.2" to "/var/rkhunter/db/os.dat"
[INFO] Looking for 65 hashes.
[WARN] Found 54 of 65 hashes, 0 errors found.
[INFO] added new hashes.
Regards,
William

IF I give advise.. It's only if it was me....

mickspice

« Reply #13 on: March 09, 2007, 09:25:58 AM »
Thanks for the replies. I think that maybe I should have added a 'Newbie' warning.

I did not appreciate that this would be regarded as a bug, so I never considered submitting to Bugzilla. However, since your posting, I tried to register on Bugzilla, but it never sent me the password email (or any forgotten password email) so I am not able to log in to make a report.

I have been using the e-smith server for several years now, (not very well, but it worked) and I have never had to resort to SSH/terminal so I am not familiar with the use of the ROOT@myserver.com system. How do I get the hashupd.sh script to where ROOT can use it ?

Sorry to be such a pain, but this is a fine piece of software that I really would like to get my head around.

Thanks

william_syd

« Reply #14 on: March 09, 2007, 09:45:10 AM »
Quote from: "mickspice"
> Thanks for the replies. I think that maybe I should have added a 'Newbie' warning.

What other computers/operating system are you running on the same lan as your SME?

ps. Maybe the mods may want to prune this part of the thread into the general section in a "SSH for beginners by beginners" thread.
Regards,
William

IF I give advise.. It's only if it was me....