Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
There are two settings for PermitRootLogin in sshd_config:
$ grep PermitRootLogin /etc/ssh/sshd_config
# If the server is a VPS, it's expected that the owner of the
# server has access to a web console through which to log in.
Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,fe80::/10,fd00::/8
The idea is that private networks are safe(r). In general, this is questionable, and it is clearly not the case when SSH is behind a port forwarding, since the SSH port listening on a private IP address is still accessible publicly.
From my perspective, the default should be no for private networks as well, shouldn’t it?
Hi, standard port forwarding should not circumvent the “Match Address” block. We found this middle ground for easy self-hosting, with the combination of a strong password and Fail2ban, users should be relatively safe.
If you personally want to be safer:
There is a broad range of security parameters in your webadmin (domain.tld/yunohost/admin/#/tools/settings/security), from password strength, changing SSH port, to disabling password login (provided you create a SSH key for your user)
If you still want to disable the “Match Address” block allowing root login for local addresses, check out hooks on the forum. They are scripts that enable you to automatically alter the default configurations.
In any case, we do not plan to change this default behavior.
Thanks for the quick reply. With port forwarding, I meant from a different host. For instance, on a typical home network, the router has the public IP (v4) and is configured to forward the connections to the computer hosting the SSH server on an internal server.
In this case, the root login over SSH is possible from anywhere.