Rkhunter found vulnerabilities.. .. Eek!
saBrEwolf
11th November 2004, 09:54 PM
Hello all,
I've been trying to make my system more secure and have found some vulnerabilities with rkhunter.
- OpenSSL 0.9.7a [ Vulnerable ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.6.1p2 [ Vulnerable ]
Security advisories
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
I guess the simple question is: how do I make these applications less vulnerable?
Any help would be greatly appreciated.
Jman
12th November 2004, 07:52 AM
Update your system. yum update openssh openssl will only update those.
Edit /etc/ssh/sshd_config and change PermitRootLogin to no and remove the # in front.
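Added example, not part of the thread: a small check for the two sshd_config settings rkhunter warned about, showing why the leading # matters. The sample files are constructed, and the defaults (PermitRootLogin yes, Protocol 2,1) are assumed for the OpenSSH release discussed here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed defaults for OpenSSH of this
# era: PermitRootLogin yes, Protocol 2,1.

# effective_value FILE KEYWORD DEFAULT
# sshd uses the first uncommented occurrence of a keyword (case-insensitive);
# a line that still starts with '#' is a comment, so the default applies.
effective_value() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ { next }                      # commented-out line
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: print one line per finding; exit status 1 if any.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin yes)
    proto=$(effective_value "$1" Protocol 2,1)
    if [ "$root" != "no" ]; then
        echo "$1: PermitRootLogin=$root (root login possible)"; rc=1
    fi
    case ",$proto," in
        *,1,*) echo "$1: Protocol=$proto (SSH v1 allowed)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files (not real configs from the thread).
SAMPLES=$(mktemp -d)
printf '%s\n' '#Port 22' '#Protocol 2,1' '#PermitRootLogin yes' \
    > "$SAMPLES/stock"
# Value changed but the '#' left in place: still a comment, still the default.
printf '%s\n' '#Port 22' 'Protocol 2' '#PermitRootLogin no' \
    > "$SAMPLES/half_edited"
printf '%s\n' '#Port 22' 'Protocol 2' 'PermitRootLogin no' \
    > "$SAMPLES/fixed"

for f in stock half_edited fixed; do
    audit_sshd "$SAMPLES/$f" || true
done
```

To check a real system, call audit_sshd /etc/ssh/sshd_config as root; sshd must be restarted before an edited file takes effect.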
saBrEwolf
12th November 2004, 08:59 PM
The versions I had were already the most up-to-date for FC2 but I did edit /etc/ssh/sshd_config. Ran rkhunter again, though strangely, rkhunter still thinks that OpenSSH is still vulnerable.
Jman
12th November 2004, 10:07 PM
Maybe the log file it says it generated will give more details.
Do you login remotely with ssh? If not just leave that port closed in the firewall and you won't have to worry about it much.
saBrEwolf
13th November 2004, 01:21 PM
I've never logged in remotely. I've set up iptables (using system-config-securitylevel) to not provide any services. Will that have blocked the port also? I haven't set any rules apart from the default set.
Jman
14th November 2004, 07:35 PM
If you have not allowed ports to be open they should default to closed if the firewall is on.
saBrEwolf
14th November 2004, 07:58 PM
Ok, thanks very much Jman
lauterm
15th November 2004, 11:39 AM
saBrEwolf, automatic tools don't always recognize the way Red Hat backports security fixes. You may also want to do a 'service sshd stop' and then a 'chkconfig sshd off' as root to make sure ssh is off and won't restart when you reboot. This goes for any service you aren't using. 'netstat -tuapen | grep LISTEN' will show you services that are listening on ports. If you aren't using it, turn it off.
saBrEwolf
15th November 2004, 07:37 PM
Ok lauterm, I've looked at netstat,
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 2360 1481/portmap
This appears good.. It did say that it failed to stop sshd, but I guess that's 'cuz it wasn't running, as I looked through my running processes and there doesn't seem to be anything related to it.
lauterm and Jman, you've been a great help, I appreciate it.
Thanks :)
Jman
15th November 2004, 11:13 PM
No problem, glad to ensure you have a secure system.
lauterm
16th November 2004, 09:55 PM
Glad to help. If you aren't using NFS, stop portmap too.
lukasbradley
17th November 2004, 01:19 AM
"Update your system. yum update openssh openssl will only update those."
When I attempt this, I receive:
[root@www bin]# yum update openssh openssl
Gathering header information file(s) from server(s)
Server: Fedora Core 2 - x86_64 - Base
Server: Fedora Core 2 - x86_64 - Released Updates
Finding updated packages
Downloading needed headers
openssh is installed and the latest version.
openssl is installed and the latest version.
No actions to take
But:
[root@www bin]# openssl version
OpenSSL 0.9.7a Feb 19 2003
Forgive my ignorance, but are the servers I'm checking not up-to-date?
I feel comfortable with downloading and compiling the openssl source myself. However, I'm extremely uncomfortable with all the dependencies I might be screwing up in that attempt.
Any help is appreciated.
Lukas
lauterm
17th November 2004, 01:27 PM
Red Hat will generally backport security and bugfixes into the current version to keep from breaking applications midway through a release. It does tend to make it hard at times to tell if you are up to date.
http://download.fedora.redhat.com/pub/fedora/linux/core/2/x86_64/os/Fedora/RPMS/ lists all the RPMs in Fedora Core 2 as shipped.
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/x86_64/ lists all the updates that have been released.
From those two sources I find that the following are the most current Red Hat versions:
openssh-3.6.1p2-34
openssl-0.9.7a-35
To check if these are what you have installed do:
rpm -qa openssh
rpm -qa openssl
If these match you can be reasonably assured that you are up to date. If you don't trust Red Hat you can download the source and install yourself. Some skepticism is healthy. However, if it persists for a long time you should probably find another distribution that you can trust. Historically Red Hat has done a good job of keeping things up to date.