It is currently Sat Jun 24, 2017 12:32 am



Welcome
Welcome to antiX-forum.

You are currently viewing our boards as a guest, which gives you limited access to view most discussions and access our other features. By joining our free community, you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content, and access many other special features. Registration is fast, simple, and absolutely free, so please, join our community today!


Post new topic Reply to topic  [ 10 posts ] 
Author Message
 Post subject: [Solved] SSH Root Login
PostPosted: Tue Feb 14, 2017 6:55 pm 
Offline
User avatar

Joined: Mon Dec 26, 2016 7:12 pm
Posts: 74
Location: Latvia
Good Day!
Today I have checked my system using rkhunter, and it found a vulnerability in SSH configuration: The ability to login as root without password.
https://s19.postimg.org/53fw7sb0j/rkhunter_log.png
How can I remove this ability to login as root without password?


Last edited by Rademes on Thu Feb 16, 2017 4:13 pm, edited 2 times in total.

Top
 Profile  
 
 Post subject: Re: SSL Root Login
PostPosted: Tue Feb 14, 2017 7:40 pm 
Offline

Joined: Sun Aug 21, 2011 10:59 am
Posts: 994
Rademes wrote:
Good Day!
Today I have checked my system using rkhunter, and it found a vulnerability in SSL configuration: The ability to login as root without password.
https://s19.postimg.org/53fw7sb0j/rkhunter_log.png
How can I remove this ability to login as root without password?
Your post refers to SSL but your report refers to SSH.

The setting is not a vulnerability, but can be changed by reference to openssh
https://www.openssh.com/txt/release-7.0
additional info
http://askubuntu.com/questions/449364/w ... onfig-file


Top
 Profile  
 
 Post subject: Re: SSL Root Login
PostPosted: Tue Feb 14, 2017 8:40 pm 
Offline
User avatar

Joined: Mon Dec 26, 2016 7:12 pm
Posts: 74
Location: Latvia
Sorry, I made mistake, while writing first post. I will think about changing this setting.


Top
 Profile  
 
 Post subject: Re: SSL Root Login
PostPosted: Tue Feb 14, 2017 8:54 pm 
Offline

Joined: Thu Feb 09, 2012 7:29 am
Posts: 1179
The linked doc covers openssh v7, but antiX16 (debian jessie) provides v6.7
so this bit is (misleadingly) inapplicable
Quote:
https://www.openssh.com/txt/release-7.0

* The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "prohibit-password".

* PermitRootLogin=without-password/prohibit-password now bans all interactive authentication methods, allowing only public-key,
hostbased and GSSAPI authentication (previously it permitted keyboard-interactive and password-less authentication if those were enabled).

Rademes, the antiX default reflects the rationale that a "yes" default for that awkwardly-named setting in the sshd configuration
is arguably more secure than the alternative of permitting password-based authentication... and that some users (or tools which they use)
will have a legitimate need for ability to "login as root, via ssh".
Quote:
How can I remove this ability to login as root without password?
To entirely disable ssh "username:root" login, edit /etc/ssh/sshd_config and specify PermitRootLogin no
( ssh-connected non-root user can still gain elevated priviledges via use of su command )


Top
 Profile  
 
 Post subject: Re: SSH Root Login
PostPosted: Tue Feb 14, 2017 10:49 pm 
Offline

Joined: Thu Feb 09, 2012 7:29 am
Posts: 1179
Further "hardening" steps are available; the specifics of your use case must guide your choices.
Not a comprehensive list, but here are some ideas:

" I have never 'interactively logged into my machine via ssh' and never plan to (not in the foreseeable future, at least).
Notwithstanding security, I don't want to have sshd service continually running & needlessly consuming resources.
"
----} you can sudo sysv-rc-conf and untick sshd, across all runlevels

" Yes, sometimes I log into my machine via ssh... "
----} visit http://fail2ban.org and
websearch additional references like https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04
sudo apt install fail2ban then man fail2ban

" Although I don't make it a habit to remotely login to this machine via ssh using root account...
some of my tools (e.g. various network enabled rsync-based backup utilities) do require login as root access.
"
----} (optionally, after consulting man sshd), sudo touch /etc/nologin
or
----} (optionally) tweak /etc/ssh/sshd_conf to enumerate AllowUsers / DenyUsers / AllowGroups / DenyGroups

" meow "
Ultimately, on a given machine, you could perhaps sudo apt remove openssh-server
Doing so will not cause removal of debian "rsync" package.
If your backup jobs are local only (non-network), any rsync-based backup utilities you're using may employ unix sockets anyhow (vs comparatively slow ssh).


Top
 Profile  
 
 Post subject: Re: SSH Root Login
PostPosted: Wed Feb 15, 2017 8:52 am 
Offline

Joined: Sun Aug 21, 2011 10:59 am
Posts: 994
@Rademes

Because you didn't mention which version of antiX+repos you are using, and to clear up any confusion...
One of the links in my previous post relates to Jessie (openssh v6.7) and one relates to Stretch (openssh v7).

Perhaps I should not have assumed you would recognise and appreciate the difference, particularly as someone has misunderstood and consequently taken a less charitable view of your ability.


Top
 Profile  
 
 Post subject: Re: SSH Root Login
PostPosted: Wed Feb 15, 2017 10:00 am 
Offline

Joined: Thu Feb 09, 2012 7:29 am
Posts: 1179
Someone?
As the only other participant in this topic, I'm wondering what you presume I've "misunderstood"
and am flat-out baffled by the statement proclaiming that something in my replies expressed "a less charitable view".

edit:
Naw. I'm not gonna let it stand. You're out of line and I'm calling ya on it.
Replying to scold the obvious typo in the OP was not "charitable".
Posting a terse 2-liner reply (and citing ambiguous/conflicting/misleading links) was not "charitable".
I reject your claim that my prior replies projected an "attitude" (unfavorable, or otherwise).

Rademes, FWIW, not only do I appreciate your attention to details, I too have questioned this exact detail
(the chosen default setting) in past topics -- probably repeatedly, across version-betatesting feedback topics.


Top
 Profile  
 
 Post subject: Re: SSH Root Login
PostPosted: Wed Feb 15, 2017 2:09 pm 
Offline

Joined: Sun Aug 21, 2011 10:59 am
Posts: 994
Off topic

skidoo wrote:
...I'm wondering what you presume I've "misunderstood"...
[...]
The linked doc covers openssh v7, but antiX16 (debian jessie) provides v6.7
so this bit is (misleadingly) inapplicable
You saw the two links referred to two different versions of SSH and went on to describe one as misleading and inapplicable, rather than considering they applied to both Jessie and Stretch as the OP had not indicated which was in use. This is a clear misunderstanding.

skidoo wrote:
Replying to scold the obvious typo in the OP was not "charitable".
This is an incorrect opinion on your part.

skidoo wrote:
Posting a terse 2-liner reply (and citing ambiguous/conflicting/misleading links) was not "charitable".
This is incorrect as it is based on your misundertanding of the post.

skidoo wrote:
I reject your claim that my prior replies projected an "attitude" (unfavorable, or otherwise).
By making the post based on your misunderstanding, you suppose the OP, and others are unable to recognise what you did i.e. two versions of SSH were being referred to. If you had believed the OP was able to notice that, it would have been apparent at that juncture there was no point posting the comments you made.


I have no interest in batting this back-and-forth. This will be my only response on this off topic aspect.


Top
 Profile  
 
 Post subject: Re: SSH Root Login
PostPosted: Wed Feb 15, 2017 9:47 pm 
Offline

Joined: Thu Jan 21, 2010 12:36 am
Posts: 1040
:shock: LA la LA, whistle whistle whistle, LA la la, whistle whistle whistle, LA la la, whistle whistle, slowly closes door to room....

_________________
Computers are like air conditioners. They work fine until you start opening Windows. ~Author Unknown


Top
 Profile  
 
 Post subject: Re: SSH Root Login
PostPosted: Thu Feb 16, 2017 4:12 pm 
Offline
User avatar

Joined: Mon Dec 26, 2016 7:12 pm
Posts: 74
Location: Latvia
Thank you, skidoo.
I have disabled SSH root login by editing /etc/ssh/sshd_config and specifying PermitRootLogin no.
Because I have never logged using SSH, I also disabled ssh service: sudo sysv-rc-conf and untick ssh, across all runlevels.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
suspicion-preferred