
I've checked my Linux server (CentOS 6) with rkhunter and found the following in the rkhunter log:

[14:38:54]   Checking if SSH protocol v1 is allowed          [ Warning ]
[14:38:54] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.

When I checked /etc/ssh/, I found 2 config files, sshd_config and ssh_config.

ssh_config last modified on 21-Sep-2013 (22:30).

rkhunter result of 21-Sep-2013 (04:20):

[04:10:40]   Checking if SSH root access is allowed          [ Not set ]
[04:10:40]   Checking if SSH protocol v1 is allowed          [ Not allowed ]

I'm worried that my server may be compromised.

Update

After running a clamav scan on the server, I found /usr/sbin/sasluster (Stealth MultiFunctional IrcBot).

How do I remove it? What does it mean?

  • To disable `protocol v1` and enforce `protocol v2` only, you can follow this guide http://support.hoststore.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=229 – Adi Sep 25 '13 at 10:44
  • possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Lucas Kauffman Sep 26 '13 at 07:45
  • As a note, having both sshd_config and ssh_config is totally normal provided you have both the "server" and "client" installed. sshd_config is the config file for sshd (the daemon) and ssh_config is the config file for your ssh client. – skerp Sep 25 '13 at 11:29
  • 1
    @LucasKauffman No, [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) is not a duplicate (but Kumar, this is what you need to do). This question is not about a compromised server. (Well, it turns out that the server is compromised, but that's not what the question is about.) – Gilles 'SO- stop being evil' Sep 26 '13 at 09:39

1 Answer


Going by what you originally posted about SSH, there is no evidence there that your server is compromised. It would be quite a round-the-houses way of breaking SSH for an attacker to resort to a default configuration.

This is simply a warning message that your sshd or ssh might be misconfigured. RKHunter could not find a configuration value for the Protocol key, and is simply warning you that the default might not be great for security.

You should edit your sshd_config and ssh_config files and add a Protocol 2 line to avoid getting this warning in the future by explicitly disabling protocol 1.


So you have evidence that your SSH config file has been altered. This is almost certainly the result of an update: if someone has run an apt-get upgrade and then said yes when asked about a config overwrite, this can happen.

You should check the rest of your sshd_config however just to make sure that everything is as it should be, particularly disallowing root login. Also check /etc/passwd to see if any new users have been created, and /etc/sudo for the same reasons.


If your server does turn out to be compromised, this is unlikely to be related to the warning about SSH.

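The checks the answer recommends (an explicit `Protocol 2`, `PermitRootLogin no`, and no unexpected accounts in /etc/passwd), as an added example that is not part of the original answer. It assumes a POSIX shell with awk and mktemp; the function names and the sample files it constructs are mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config-style file
# for the settings rkhunter checks (Protocol, PermitRootLogin) and a
# passwd-style file for unexpected UID-0 accounts. Paths are parameters, so it
# runs on constructed samples; on a real host pass /etc/ssh/sshd_config and /etc/passwd.

# Effective value of a keyword: sshd uses the first uncommented occurrence.
# Keywords are case-insensitive; the "Keyword=value" spelling is not handled.
sshd_option() {  # $1=config file  $2=keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key && !found { val = $2; found = 1 }
        END { print val }' "$1"
}

# Protocol: "ok" (2 only), "unset" (what rkhunter warned about), or
# "v1-allowed" ("1", "2,1" and "1,2" all permit SSH-1).
check_protocol() {
    case "$(sshd_option "$1" Protocol)" in
        "")  echo unset ;;
        *1*) echo v1-allowed ;;
        *)   echo ok ;;
    esac
}

# PermitRootLogin: only "no" counts as ok; yes, without-password and
# forced-commands-only all still let root authenticate over SSH.
check_root_login() {
    case "$(sshd_option "$1" PermitRootLogin | tr 'A-Z' 'a-z')" in
        "")  echo unset ;;
        no)  echo ok ;;
        *)   echo root-allowed ;;
    esac
}

# UID-0 accounts other than root; a clean passwd file prints nothing.
extra_uid0_accounts() {  # $1=passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed samples: the file after an upgrade dropped the Protocol line,
# a legacy "2,1" setting, the fixed file, and a passwd with a second UID 0.
TMP=$(mktemp -d)
printf '#Protocol 2\nPermitRootLogin yes\n' > "$TMP/unset"
printf 'Protocol 2,1\nPermitRootLogin no\n' > "$TMP/legacy"
printf 'Protocol 2\nPermitRootLogin no\n' > "$TMP/fixed"
printf 'root:x:0:0::/root:/bin/sh\ntoor:x:0:0::/root:/bin/sh\n' > "$TMP/passwd"
for f in unset legacy fixed; do
    echo "$f: Protocol=$(check_protocol "$TMP/$f") root=$(check_root_login "$TMP/$f")"
done
echo "UID-0 besides root: $(extra_uid0_accounts "$TMP/passwd")"
rm -rf "$TMP"
```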
  • Please check the added details about the rkhunter log. Actually, we did not do anything in the meantime. That's why... – Kumar Sep 25 '13 at 10:58
  • @ This is an additional thing I got in the log: Warning: File '/usr/bin/chattr' has the immutable-bit set. I didn't have this in the previous log of 21-Sep-2013 (04:20). – Kumar Sep 25 '13 at 11:02