Posts: 80
Rademes
Joined: 26 Dec 2016
#1
Good Day!
Today I have checked my system using rkhunter, and it found a vulnerability in SSH configuration: The ability to login as root without password.

https://s19.postimg.org/53fw7sb0j/rkhunter_log.png

How can I remove this ability to login as root without password?
Last edited by Rademes on 16 Feb 2017, 14:13, edited 2 times in total.
Posts: 1,028
SamK
Joined: 21 Aug 2011
#2
Rademes wrote: Good Day!
Today I have checked my system using rkhunter, and it found a vulnerability in SSL configuration: The ability to login as root without password.

https://s19.postimg.org/53fw7sb0j/rkhunter_log.png

How can I remove this ability to login as root without password?
Your post refers to SSL but your report refers to SSH.

The setting is not a vulnerability, but can be changed by reference to openssh
https://www.openssh.com/txt/release-7.0

additional info
http://askubuntu.com/questions/449364/what-does-without-password-mean-in-sshd-config-file
Posts: 80
Rademes
Joined: 26 Dec 2016
#3
Sorry, I made a mistake while writing the first post. I will think about changing this setting.
Posts: 1,445
skidoo
Joined: 09 Feb 2012
#4
The linked doc covers openssh v7, but antiX16 (debian jessie) provides v6.7
so this bit is (misleadingly) inapplicable
https://www.openssh.com/txt/release-7.0

* The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "prohibit-password".

* PermitRootLogin=without-password/prohibit-password now bans all interactive authentication methods, allowing only public-key,
hostbased and GSSAPI authentication (previously it permitted keyboard-interactive and password-less authentication if those were enabled).

Rademes, the antiX default reflects the rationale that a "yes" default for that awkwardly-named setting in the sshd configuration
is arguably more secure than the alternative of permitting password-based authentication... and that some users (or tools which they use)
will have a legitimate need for ability to "login as root, via ssh".

Rademes wrote: How can I remove this ability to login as root without password?
To entirely disable ssh "username:root" login, edit /etc/ssh/sshd_config and specify PermitRootLogin no
( ssh-connected non-root user can still gain elevated privileges via use of su command )
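As an added example (my own, not skidoo's or the thread's code), a small POSIX shell audit that reports which PermitRootLogin value sshd will actually use for a given config text, applying the version-dependent default quoted above and sshd's first-value-wins rule. Stopping at the first Match block, parsing only the whitespace-separated "Keyword value" form, and the sample configs are assumptions of the example, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: report the PermitRootLogin value that
# sshd will actually use, including the version-dependent default discussed above
# (OpenSSH < 7.0 defaults to "yes", >= 7.0 to "prohibit-password").
# Assumptions: the config text is passed as a string, only whitespace-separated
# "Keyword value" lines are parsed (not the "Keyword=value" form), and only the
# global section is considered (scanning stops at the first "Match" block).

# Usage: effective_permit_root_login CONFIG_TEXT OPENSSH_MAJOR_VERSION
effective_permit_root_login() {
    config_text=$1
    major=$2
    # sshd keywords are case-insensitive and the first value read wins;
    # a commented-out "#PermitRootLogin" line does not match and is ignored.
    val=$(printf '%s\n' "$config_text" | awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    if [ -z "$val" ]; then
        # Nothing set: the compiled-in default for that release applies.
        if [ "$major" -ge 7 ]; then val=prohibit-password; else val=yes; fi
    fi
    # "without-password" is the older spelling of "prohibit-password".
    if [ "$val" = without-password ]; then val=prohibit-password; fi
    printf '%s\n' "$val"
}

# Succeeds only when root cannot log in over ssh with any method.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1" "$2")" = no ]
}

# Constructed sample configs (not copied from any real system).
DEFAULT_CONF='# directive left commented out, so the compiled-in default applies
#PermitRootLogin yes
Port 22'
HARDENED_CONF='PermitRootLogin no
# sshd keeps the first value it reads, so this later line is ignored
PermitRootLogin yes
Match Address 192.0.2.0/24
    PasswordAuthentication no'
LEGACY_CONF='PermitRootLogin without-password'

for name in DEFAULT_CONF HARDENED_CONF LEGACY_CONF; do
    eval "conf=\$$name"
    printf '%-14s openssh 6.7: %-18s openssh 7.x: %s\n' "$name" \
        "$(effective_permit_root_login "$conf" 6)" \
        "$(effective_permit_root_login "$conf" 7)"
done
```

To audit a live system, pass the contents of /etc/ssh/sshd_config as the first argument and the installed OpenSSH major version as the second.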
Posts: 1,445
skidoo
Joined: 09 Feb 2012
#5
Further "hardening" steps are available; the specifics of your use case must guide your choices.
Not a comprehensive list, but here are some ideas:

" I have never 'interactively logged into my machine via ssh' and never plan to (not in the foreseeable future, at least).
Notwithstanding security, I don't want to have sshd service continually running & needlessly consuming resources.
"
----} you can sudo sysv-rc-conf and untick sshd, across all runlevels

" Yes, sometimes I log into my machine via ssh..."
----} visit http://fail2ban.org and
websearch additional references like
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04

sudo apt install fail2ban then man fail2ban

" Although I don't make it a habit to remotely login to this machine via ssh using root account...
some of my tools (e.g. various network enabled rsync-based backup utilities) do require login as root access.
"
----} (optionally, after consulting man sshd), sudo touch /etc/nologin
or
----} (optionally) tweak /etc/ssh/sshd_config to enumerate AllowUsers / DenyUsers / AllowGroups / DenyGroups

" meow "
Ultimately, on a given machine, you could perhaps sudo apt remove openssh-server
Doing so will not cause removal of debian "rsync" package.
If your backup jobs are local only (non-network), any rsync-based backup utilities you're using may employ unix sockets anyhow (vs comparatively slow ssh).
Posts: 1,028
SamK
Joined: 21 Aug 2011
#6
@Rademes

Because you didn't mention which version of antiX+repos you are using, and to clear up any confusion...
One of the links in my previous post relates to Jessie (openssh v6.7) and one relates to Stretch (openssh v7).

Perhaps I should not have assumed you would recognise and appreciate the difference, particularly as someone has misunderstood and consequently taken a less charitable view of your ability.
Posts: 1,445
skidoo
Joined: 09 Feb 2012
#7
Someone?
As the only other participant in this topic, I'm wondering what you presume I've "misunderstood"
and am flat-out baffled by the statement proclaiming that something in my replies expressed "a less charitable view".

edit:
Naw. I'm not gonna let it stand. You're out of line and I'm calling ya on it.
Replying to scold the obvious typo in the OP was not "charitable".
Posting a terse 2-liner reply (and citing ambiguous/conflicting/misleading links) was not "charitable".
I reject your claim that my prior replies projected an "attitude" (unfavorable, or otherwise).

Rademes, FWIW, not only do I appreciate your attention to details, I too have questioned this exact detail
(the chosen default setting) in past topics -- probably repeatedly, across version-betatesting feedback topics.
Posts: 1,028
SamK
Joined: 21 Aug 2011
#8
Off topic
skidoo wrote: ...I'm wondering what you presume I've "misunderstood"...
[...]
The linked doc covers openssh v7, but antiX16 (debian jessie) provides v6.7
so this bit is (misleadingly) inapplicable
You saw the two links referred to two different versions of SSH and went on to describe one as misleading and inapplicable, rather than considering they applied to both Jessie and Stretch as the OP had not indicated which was in use. This is a clear misunderstanding.
skidoo wrote: Replying to scold the obvious typo in the OP was not "charitable".
This is an incorrect opinion on your part.
skidoo wrote: Posting a terse 2-liner reply (and citing ambiguous/conflicting/misleading links) was not "charitable".
This is incorrect as it is based on your misunderstanding of the post.
skidoo wrote: I reject your claim that my prior replies projected an "attitude" (unfavorable, or otherwise).
By making the post based on your misunderstanding, you suppose the OP, and others, are unable to recognise what you did, i.e. two versions of SSH were being referred to. If you had believed the OP was able to notice that, it would have been apparent at that juncture there was no point posting the comments you made.


I have no interest in batting this back-and-forth. This will be my only response on this off topic aspect.
Posts: 1,062
Dave
Joined: 20 Jan 2010
#9
LA la LA, whistle whistle whistle, LA la la, whistle whistle whistle, LA la la, whistle whistle, slowly closes door to room....
Posts: 80
Rademes
Joined: 26 Dec 2016
#10
Thank you, skidoo.
I have disabled SSH root login by editing /etc/ssh/sshd_config and specifying PermitRootLogin no.
Because I have never logged in using SSH, I also disabled the ssh service: sudo sysv-rc-conf and untick ssh, across all runlevels.