SOLVED [CPANEL-26566] Security Advisor's PermitRootLogin check is inaccurate

[SJR]

Just did cPanel upgrade to v80.0.9. Immediate issues I observed:

1) Security Advisor shows 'SSH direct root logins are permitted' and suggests 'Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH'.
Note: my sshd_config was set to 'no' prior and got changed to 'yes'. I just changed file to 'no' and restarted SSH and same warning in Security Advisor still shows.

2) SSH Password Authorization Tweak was set to 'disabled' prior and got changed to 'enabled'. I changed back to 'disabled'. Regardless of either setting, Security Advisor shows green check as 'disabled'.

I'm concerned that during upgrade, some security settings have been set to less secure settings.

I have rebooted server twice. No changes.

Advice anyone?

Thanks.

Mod Edit Note: The third-question was moved to a separate thread.

 

[thanasis]

Hello,
I did the upgrade to cPanel v80.0.9 and after that i saw this:

SSH direct root logins are permitted.
Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH in the “Restart SSH” area

I did it, i set it to "no".

After this i can't loging via SSH, i have the error "Access Denied".

How can i fix it ?

Im using PuTTY client.

 

[Infopro]

The autofixer shoud get you back in:
How to Secure SSH - cPanel Knowledge Base - cPanel Documentation
AutoFixer - cPanel Knowledge Base - cPanel Documentation

If you accidentally misconfigure your SSH configuration file, navigate to the following link in your web browser (where example.com represents the server's hostname or main IP address):

https://example.com:2087/scripts2/doautofixer?autofix=safesshrestart

This script attempt to will temporarily configure an additional SSH configuration file for port 22, which will allow you to access, edit, and fix the original SSH configuration file. If another service or daemon uses port 22, the script will configure an additional SSH configuration file for port 23.

 

[thanasis]

The autofixer shoud get you back in:
How to Secure SSH - cPanel Knowledge Base - cPanel Documentation
AutoFixer - cPanel Knowledge Base - cPanel Documentation

Yes, the autofixer solved my problem!
I have again access with SSH

 

[Infopro]

Great news then. Don't forget to lock it back down:
Tutorial - Interested in increasing the security of your server? Read this. (sshd hardening)

 

[thanasis]

PermitRootLogin to “without-password” or “no”
What is the different?

 

[Infopro]

I'm not sure what you're asking here.

 

[thanasis]

As i checked the "without-password" allows root login only with public key authentication.
And the "no" “ root is not allowed to log in.
Am i right?

Also, i did a manually edit /etc/ssh/sshd_config and changed PermitRootLogin to “without-password” and i did a “Restart SSH” ....
but at cPanel Security Advisor i see again "SSH direct root logins are permitted"

What is my mistake ?

 

[Dougrun]

I am also getting the security advisor error that root logins are permitted but my config file already has PermitRootLogin no. I even tried rebooting and the notice still appears. v80.0.9

 

[Infopro]

Also, i did a manually edit /etc/ssh/sshd_config and changed PermitRootLogin to “without-password”

I am also getting the security advisor error that root logins are permitted but my config file already has PermitRootLogin no.

These are conflicting comments if I'm understanding you correctly.

 

[thanasis]

I had this error "
Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH in the “Restart SSH” area" at at cPanel Security Advisor.
Now at v80.0.10 is OK.

 

[Dougrun]

my issue seems to have resolved itself. The error changed to "SSH password authentication is enabled." which was easily fixed.

 

[cPanelMichael]

Hello Everyone,

1) Security Advisor shows 'SSH direct root logins are permitted' and suggests 'Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH'.
Note: my sshd_config was set to 'no' prior and got changed to 'yes'. I just changed file to 'no' and restarted SSH and same warning in Security Advisor still shows.

Case CPANEL-26566 was published as part of a Security Advisor update with version 80.0.10 to address the issue issue where Security Advisor did not accurately determine how 'PermitRootLogin' was configured in the system's /etc/ssh/sshd_config file.

2) SSH Password Authorization Tweak was set to 'disabled' prior and got changed to 'enabled'. I changed back to 'disabled'. Regardless of either setting, Security Advisor shows green check as 'disabled'.

Case CPANEL-25755 was published as part of a Security Advisor update with version 80.0.10 to address the issue issue where Security Advisor did not accurately determine the status of WHM >> SSH Password Authorization Tweak.

Thank you.

Note: The "filesystem quotas are currently disabled" question was moved to this thread.