how do i change PermitRootLogin option to no?

[GFED]

[03:00:08] ------------------------- Security advisories -------------------------
[03:00:09] Info: Found no explicit values, but a default value of 'yes'
[03:00:09] Warning: root login possible. Change for your safety the 'PermitRootLogin'
[03:00:09] (into 'no') and use 'su -' to become root.
[03:00:09] Found default option Protocol 2,1
[03:00:09] Warning: SSH version 1 possible allowed!
[03:00:09] Hint: Change the 'Protocol xxx' line into 'Protocol 2'
[03:00:13] Scanned for: 55808 Trojan - Variant A, AjaKit, aPa Kit, Apache Worm, Ambient (ark) Rootkit, Balaur Rootkit, BeastKit, beX2, BOBKit, CiNIK Worm (Slapper.B variant), Danny-Boy's Abuse Kit, Devil RootKit, Dica, Dreams Rootkit, Duarawkz, Flea Linux Rootkit, FreeBSD Rootkit, Fuck`it Rootkit, GasKit, Heroin LKM, HjC Kit, ignoKit, ImperalsS-FBRK, Irix Rootkit, Kitko, Knark, Li0n Worm, Lockit / LJK2, MRK, Ni0 Rootkit, RootKit for SunOS / NSDAP, Optic Kit (Tux), Oz Rootkit, Portacelo, R3dstorm Toolkit, RH-Sharpe's rootkit, RSHA's rootkit, Scalper Worm, Shutdown, SHV4, SHV5, Sin Rootkit, Slapper, Sneakin Rootkit, Suckit Rootkit, SunOS Rootkit, Superkit, TBD (Telnet BackDoor), TeLeKiT, T0rn Rootkit, Trojanit Kit, Tuxtendo, URK, VcKit, Volc Rootkit, X-Org SunOS Rootkit, zaRwT.KiT Rootkit
[03:00:13] 2 vulnerable applications found

[GFED]

i ran chkrootkit and rkhunter but neither seems to remove anything... :/

[GFED]

i'm probably gonna be forced to back everything up and put it back on a freshly imaged server... but i'm taking this opportunity to learn a little bit about server admining which i know nothing about... i'd like to know how the hacker got in and how to prevent it from happening again...

links i've been reading are http://www.webhostingtalk.com/archiv.../404840-1.html and http://www.cert.org/tech_tips/win-UN...ompromise.html

and other useful links, and input is appreciated...

[studiocritic]

it's an sshd configuration option.. depending on which sshd and what os you're using.. that file might live in several places

[bbe]

change "PermitRootLogin yes" to no in /etc/ssh/sshd_config

[studiocritic]

try doing
locate sshd2_config

[studiocritic]

Quote:

Originally Posted by bbe

change "PermitRootLogin yes" to no in /etc/ssh/sshd_config

his paste showed ssh v2.. i'm assuming he's got sshd2

[GFED]

ty... the option has a # in front... that means it's a comment right? i should change it to no and take the # out?

[GFED]

Quote:

Originally Posted by studiocritic

his paste showed ssh v2.. i'm assuming he's got sshd2

nothing found for that filename...

[GFED]

i'll rerun rkhunter and see what it says...

[GFED]

oki, it worked with the # intact... i also changed from protocol 2,1 to protocol 2

[vantage]

and; killall -HUP sshd

[GFED]

oki this is what i have now...

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 2
Possible rootkits: SHV4 SHV5

Application scan
Vulnerable applications: 2

Scanning took 1315 seconds
Scan results written to logfile (/var/log/rkhunter.log)

[prime]

dude, the only fix there is to back up your files
and
reinstall

[fris]

i use openssh rather than the default ssh

[GFED]

i'm really in a bind... i dont remember how i setup the dns and everything on it... and i dont want my sites to be down too long... its so much work.. and theyll just hack it again... :/

[drjones]

Once a rootkit has comprimised your system, theres no choice but to reinstall. You can remove the rootkit, but someone has had root access to your machine.. they could literally do anything once inside, and theres no way to know, if they're smart.

Consider virtualization or chroot jails for all your services if your running more than one on the same machine (DNS, Apache etc). Lock everything down as tight as possible (firewalls, /etc/hosts.deny, /etc/hosts.allow, SELinux if you have it etc).

Most importantly back up all those configuration files!!! Back them up! Then if you do get compromised, you can easily be back up and running again in no time.

[marketsmart]

^
|
what he said -----

[GFED]

is there any server admins here that can help me get everything set back up? and how much would it cost? :/

[mrkris]

gfeds, hit me up on icq.