[CPANEL-26566] Security Advisor's PermitRootLogin check is inaccurate

SJR

• May 28, 2019 21:29

Just did cPanel upgrade to v80.0.9. Immediate issues I observed: 1) Security Advisor shows 'SSH direct root logins are permitted' and suggests 'Manually edit /etc/ssh/sshd_config and change PermitRootLogin to "without-password" or "no", then restart SSH'. Note: my sshd_config was set to 'no' prior and got changed to 'yes'. I just changed file to 'no' and restarted SSH and same warning in Security Advisor still shows. 2) SSH Password Authorization Tweak was set to 'disabled' prior and got changed to 'enabled'. I changed back to 'disabled'. Regardless of either setting, Security Advisor shows green check as 'disabled'. I'm concerned that during upgrade, some security settings have been set to less secure settings. I have rebooted server twice. No changes. Advice anyone? Thanks. Mod Edit Note: The third-question was moved to a

• 

  thanasis

  • May 29, 2019 04:27

  Hello, I did the upgrade to cPanel v80.0.9 and after that i saw this: SSH direct root logins are permitted. Manually edit /etc/ssh/sshd_config and change PermitRootLogin to "without-password" or "no", then restart SSH in the "Restart SSH" area I did it, i set it to "no". After this i can't loging via SSH, i have the error "Access Denied". How can i fix it ? Im using PuTTY client.

  0
• 

  Infopro

  • May 29, 2019 09:28

  The autofixer shoud get you back in: How to Secure SSH - cPanel Knowledge Base - cPanel Documentation AutoFixer - cPanel Knowledge Base - cPanel Documentation [QUOTE] If you accidentally misconfigure your SSH configuration file, navigate to the following link in your web browser (where example.com represents the server's hostname or main IP address): https://example.com:2087/scripts2/doautofixer?autofix=safesshrestart
  This script attempt to will temporarily configure an additional SSH configuration file for port 22, which will allow you to access, edit, and fix the original SSH configuration file. If another service or daemon uses port 22, the script will configure an additional SSH configuration file for port 23.
  

  0
• 

  thanasis

  • May 29, 2019 10:27

  The autofixer shoud get you back in: AutoFixer - cPanel Knowledge Base - cPanel Documentation

  
  Yes, the autofixer solved my problem! I have again access with SSH

  0
• 

  Infopro

  • May 29, 2019 10:34

  Great news then. Don't forget to lock it back down:

  0
• 

  thanasis

  • May 29, 2019 10:46

  PermitRootLogin to "without-password" or "no" What is the different?

  0
• 

  Infopro

  • May 29, 2019 11:05

  I'm not sure what you're asking here.

  0
• 

  thanasis

  • May 29, 2019 11:06

  As i checked the "without-password" allows root login only with public key authentication. And the "no" " root is not allowed to log in. Am i right? Also, i did a manually edit /etc/ssh/sshd_config and changed PermitRootLogin to "without-password" and i did a "Restart SSH" .... but at cPanel Security Advisor i see again "SSH direct root logins are permitted" What is my mistake ?

  0
• 

  Dougrun

  • May 29, 2019 20:47

  I am also getting the security advisor error that root logins are permitted but my config file already has PermitRootLogin no. I even tried rebooting and the notice still appears. v80.0.9

  0
• 

  Infopro

  • May 29, 2019 21:27

  Also, i did a manually edit /etc/ssh/sshd_config and changed PermitRootLogin to "without-password"

  
  

  I am also getting the security advisor error that root logins are permitted but my config file already has PermitRootLogin no.

  
  These are conflicting comments if I'm understanding you correctly.

  0
• 

  thanasis

  • May 30, 2019 04:29

  I had this error " Manually edit /etc/ssh/sshd_config and change PermitRootLogin to "without-password" or "no", then restart SSH in the "Restart SSH" area" at at cPanel Security Advisor. Now at v80.0.10 is OK.

  0
• 

  Dougrun

  • May 30, 2019 16:50

  my issue seems to have resolved itself. The error changed to "SSH password authentication is enabled." which was easily fixed.

  0
• 

  cPanelMichael

  • May 31, 2019 21:10

  Hello Everyone,

  ) Security Advisor shows 'SSH direct root logins are permitted' and suggests 'Manually edit /etc/ssh/sshd_config and change PermitRootLogin to "without-password" or "no", then restart SSH'. Note: my sshd_config was set to 'no' prior and got changed to 'yes'. I just changed file to 'no' and restarted SSH and same warning in Security Advisor still shows.

  
  Case CPANEL-26566 was published as part of a Security Advisor update with version 80.0.10 to address the issue issue where Security Advisor did not accurately determine how 'PermitRootLogin' was configured in the system's /etc/ssh/sshd_config file.

  ) SSH Password Authorization Tweak was set to 'disabled' prior and got changed to 'enabled'. I changed back to 'disabled'. Regardless of either setting, Security Advisor shows green check as 'disabled'.

  
  Case CPANEL-25755 was published as part of a Security Advisor update with version 80.0.10 to address the issue issue where Security Advisor did not accurately determine the status of WHM >> SSH Password Authorization Tweak. Thank you. Note: The "filesystem quotas are currently disabled" question was moved to

  0

Please sign in to leave a comment.