Ssh – rkhunter warning about ssh root access when that access is not allowed on the system

rkhunterrootSecurityssh

I just ran rkhunter --check and all was good except this:

Checking if SSH root access is allowed                   [ Warning]

What does this warning mean? SSH root access is not allowed on this system.

EDIT #1

Here is how my /etc/ssh/sshd_config is set:

PermitRootLogin no

and rkhunter.conf

root ~ # cat /etc/rkhunter.conf | grep  ALLOW_SSH_ROOT_USER
#ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_ROOT_USER=unset

Best Answer

The following values need to match:

In rkhunter configuration:

cat /etc/rkhunter.conf | grep ALLOW_SSH_ROOT_USER

ALLOW_SSH_ROOT_USER=no

In sshd configuration:

cat /etc/ssh/sshd_config | grep PermitRootLogin

PermitRootLogin no

Once they do match, you should not be warned by rkhunter any longer.

Related Solutions

SSH server listening on multiple ports with passwordless access not allowing connections to second port

First off, I usually create a second sshd process with its own configuration file. (sshd -f /etc/ssh/sshd-2222.conf for instance) or by overriding the configuration on the command-line (sshd -p 2222 -o PasswordAuthentication=no,AllowRoot=no). This way they share the same keys, etc, but you can override any of the parameters.

Any ideas why this happen?

I have some ideas:

selinux is enabled and is preventing you from using the port to login. This isn't likely, because if the problem were selinux, it wouldn't get that far. Run selinuxenabled && echo "SELinux enabled" && getenforce and if it is enabled and enforced, grep sshd /var/log/audit/audit.log to identify failures. Disable to see if it goes away.
PAM is getting in the way. Again, this doesn't seem likely, since PAM doesn't care about what port you use in conjunction with SSH.
/etc/hosts.allow or /etc/hosts.deny. Here you can associate port-service-user in any number of combinations. If these files are empty, we have to look elsewhere.
Did ssh add some mysterious port number to the key? It's possible. Your logs indicate it is and is not happening. See, for instance:

debug1: Authentication succeeded (publickey). Authenticated to localhost ([127.0.0.1]:5984).

From the changelog in CentOS7:

* Fri Oct 26 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-2
  - add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400)

OK, so maybe it is selinux.

Debian – rkhunter gives me a warning for “/usr/bin/lwp-request” – what should I do? [Debian 9]

rkhunter needs to know what package manager you are using.

Create or edit /etc/rkhunter.conf.local and add the following line:

PKGMGR=DPKG

If you are not on Debian or Ubuntu, then change DPKG for your actual package manager.

This way, rkhunter will know to expect those executables to be scripts, and not flag the false positive.

It will ensure that if the files are tampered with, then a new positive result will show.

Best Answer

Related Solutions

SSH server listening on multiple ports with passwordless access not allowing connections to second port

Debian – rkhunter gives me a warning for “/usr/bin/lwp-request” – what should I do? [Debian 9]

Related Question