I'm getting an ssh warning from rkhunter, even though the sshd and rkhunter options for root login are both set to "no". My server is running CentOS 7.6.1810 with rkhunter 1.4.6.

The system started with sshd and rkhunter root login options set to "yes", and I was not receiving any error message. But then when server setup was complete, I switched both of the root login options to "no" and that is when the warnings began.

Here are grep results which verify that the sshd and rkhunter config settings are both set to "no":

    $ grep PermitRootLogin /etc/ssh/sshd_config
    PermitRootLogin no
    $ grep ALLOW_SSH_ROOT_USER /etc/rkhunter.conf
    ALLOW_SSH_ROOT_USER=no

Just in case it is related, the protocol options are set as follows:

    $ grep Protocol /etc/ssh/sshd_config
    Protocol 2
    $ grep ALLOW_SSH_PROT_V1 /etc/rkhunter.conf
    ALLOW_SSH_PROT_V1=0

The following rkhunter log snippet clearly shows that sshd and rkhunter config files are both set to indicate no root login, yet I get a warning about ssh root access:

    [13:43:33] Info: Using configuration file '/etc/rkhunter.conf'
    [13:48:21] Info: Starting test name 'system_configs_ssh'
    [13:48:21] Checking for an SSH configuration file [ Found ]
    [13:48:21] Info: Found an SSH configuration file: /etc/ssh/sshd_config
    [13:48:21] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
    [13:48:21] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
    [13:48:21] Checking if SSH root access is allowed [ Warning ]
    [13:48:21] Warning: The SSH and rkhunter configuration options should be the same:
    [13:48:21] SSH configuration option 'PermitRootLogin': no
    [13:48:21] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
    [13:48:21] Checking if SSH protocol v1 is allowed [ Not allowed ]
    [13:48:21] Checking for other suspicious configuration settings [ None found ]

Similarly, the email I receive from rkhunter gives me a warning, yet it also confirms that the settings are already the same:

    ---------------------- Start Rootkit Hunter Scan ----------------------
    Warning: The SSH and rkhunter configuration options should be the same:
    SSH configuration option 'PermitRootLogin': no
    Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
    ----------------------- End Rootkit Hunter Scan -----------------------

I have run rkhunter -C, and I have even rebooted the server, but still the same issue. Any ideas of what is causing this rkhunter warning and how to fix it??

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users