LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-08-2006, 04:25 PM   #1
tonykn
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Rep: Reputation: 0
Restore root access, ip lockout


Hi,
This is my first post here. Hopefully it is in the right part of this forum.

The problem.
I have a remote server FC3 protected with APF firewall and bastille.
Firewall set to block IP addresses after 20 failed access attempts and allow access from my fixed IP address.
Remote root login disallowed, su to root required.
Bastille set up to prevent console root access.

All worked well until I changed broadband provider and hence had a new fixed IP address,this combined with me getting muddled with passwords APF jumped and I am now locked out.

Went away, did some reading, sent following mail to the hosting company.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Please boot system from FC3 disc 1
Enter "linux rescue" as command
Choose 'english' for language
Choose UK for keyboard
Do not setup network

at prompt type chroot /mnt/sysimage

Then:

type nano /etc/shadow. (I am presuming the pw is in the shadow file)

In the /etc/shadow file please enter the password string below as the encrypted password (between the two colons to replace existing entry) for root.

root:this is the password:13181:0:99999:7:::
('this is the password' was in fact a copy of password obtained from my FC3 local test machine, changed for posting to this board)

Type ctrl-x to exit, Y to agree to changes and enter to save.

If encryption is machine dependent then

Copy the password element of the entry for admin in the shadow file into the root entry.

Finally with reference to the APF firewall:

Type nano /etc/apf/allow_hosts.rules

please place my home IP address 12.234.45.57 (changed for posting)

in the file, remove existing contents and save as above.

Please empty /etc/apf/deny_hosts.rules

Then reboot and hopefully this will get me back in.

+++++++++++++++++++++++++++++++++

The response I have had is :-

I tackled this last night/this morning. I managed to clear the root password, then get access to single-user mode to change it. That all went well, however as soon as I boot into normal mode, the password appears to be changed - I can't then get back in to single user mode again. I'm wondering if either the firewall or DA is doing some sort of password sync that's designed to stop other people from changing the password. Have you got any ideas?

++++++++++++++++++++++++++++++++++

I have no ideas of my own! From research I wonder if it could be to do with PAM and how it handles passwords, I don't know if DirectAdmin or Bastille alter the way passwords are created/tested, it could be something to do with crypt vs. hash. I don't even know if the default install of FC3 uses PAM authentication.

I have come across the following instructions at linuxgazette . net/issue50/tag/4.html which may do the trick but would like advice on whether or not they are likely to work; are there known features of Bastille and DirectAdmin likely to defeat attempts from the console?

Quoting from the above link:
For Linux all you have to do is:
1. Reboot
(try [Ctrl]+[Alt]+[Delete])
2. During the LILO prompt type:
(kernel/image name) init=/bin/sh rw
... note that's usually going to be just:
linux init=/bin/sh rw
3. This should start the Linux kernel,
with the root filesystem mounted in read/write mode. The cool thing is that none of your normal init processes (like the gettys that ask for your name and call the login program) will be started.
4. (Maybe) mount your /usr filesystem with a command like:
mount /usr
5. Change your root password with a command like:
passwd
6. Flush the cache buffers:
sync; sync; sync
7. (Maybe) unmount /usr:
umount /usr
8. Remount the root fs in readonly mode:
mount -o remount,ro /
9. Let init clean up and reboot the system:
exec /sbin/init 6
... there is a "6" (six) at the end of that command.
+++++++++++++++++++++++++++++++

Any help would be gratefully received,
Many thanks,
Tony
 
Old 02-08-2006, 04:29 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 271Reputation: 271Reputation: 271
The only thing I have ever done is delete the password in /etc/passwd and then logout and reboot. Then the password is blank and you should be able to login as root without a password and set a new one.
 
Old 02-08-2006, 04:30 PM   #3
tonykn
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Thanks but empty password is disallowed and verification fails
Tony
 
Old 02-08-2006, 04:34 PM   #4
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 271Reputation: 271Reputation: 271
Can you boot into "single user" mode and just passwd root?
 
Old 02-08-2006, 04:36 PM   #5
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 271Reputation: 271Reputation: 271
Is single user the same as rescue mode? I forget...

Anyway, from rescue mode can you do something like

#chroot /mnt/sysimage
#passwd
 
Old 02-08-2006, 04:37 PM   #6
tonykn
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
It looks like that does not work, something is causing the password to change back or change to something else, the hosting guys did not tell me which.
I will see how to enable a blank password and see if that helps but it wont if the system is somehow retaining a memory for the old password.
Tony
 
Old 02-08-2006, 04:42 PM   #7
tonykn
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
I will suggest they try the passwd root approach but I fear the system is locked down pretty well to defeat just such attempts; I locked the system up in response to a very destructive hack last year. Paranoia rules!!
Tony
 
Old 02-08-2006, 04:44 PM   #8
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 271Reputation: 271Reputation: 271
If you locked it down really well, not sure I'm much help... But this seems to be the general process on a normal system...

# mount /dev/hda3 /mnt/temp0
# chroot /mnt/temp0 /bin/bash
# passwd

where /dev/hda3 would be your root partition.
 
Old 02-08-2006, 04:49 PM   #9
tonykn
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Thanks,
I will get them to try that and report back so people know.
If anyone has ideas as to why the current approach has not worked I would like to hear.
Many thanks,
Tony
 
Old 02-08-2006, 04:53 PM   #10
tonykn
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
In fact it looks like they have tried the 'passwd' approach
"I managed to clear the root password, then get access to single-user mode to change it. "
But the password changed when they went back to normal mode.
Very frustrating... I sense a reload coming on, thats hours of restoration
Tony
 
Old 02-08-2006, 04:59 PM   #11
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 271Reputation: 271Reputation: 271
One other thing to check is to see if there is a script that is rewriting the /etc/passwd file on boot (or if you know what security program might be doing it). Not sure how long it would take to grep the entire system for /etc/passwd, but you might be able to find if there's some script locking you out...
 
Old 02-08-2006, 05:02 PM   #12
tonykn
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Good idea, not sure if the guy at the company would have the time / inclination but they really are truly helpful so they might do it. Worth a try, many thanks,
Tony
 
Old 02-08-2006, 06:19 PM   #13
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD
Posts: 2,116

Rep: Reputation: 330Reputation: 330Reputation: 330Reputation: 330
Quote:
The response I have had is :-

... I managed to clear the root password, then get access to single-user mode to change it. That all went well, however as soon as I boot into normal mode, the password appears to be changed ...
I would ask them exactly how they did this. Did they boot with Knoppix or some other LiveCD? If so, and they changed the root password without using chroot as has already been mentioned in previous replies, then the password would not have stuck past a reboot. They would have been changing the Knoppix root password (only stored in memory) and NOT the password stored on disk by the regular OS.

From Knoppix (or other LiveCD) the procedure is to mount your root partition rw, then use chroot to change the password.

e.g., assuming for illustration that /dev/hda3 is your root partition,
Code:
$ sudo mount -o rw /dev/hda3 /mnt/hda3
$ sudo chroot /mnt/hda3 passwd
If they didn't chroot, then changing the password was for naught. Another possibility is that if they booted into this single-user or rescue mode to change the password, was your root partitoin mounted read-write? It's possible that it was mounted read-only depending on what "rescue mode" means on your system. You'd think changing a password on a read-only root filesystem would generate an error message, but maybe it didn't, or they inadvertantly ignored/didn't_notice the error message.

I don't know if the above is the answer to your problem, or part of the answer, but it's worth investigating if you haven't already.
 
Old 02-08-2006, 06:26 PM   #14
tonykn
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Thanks for a really helpful reply.
the techie has responded this evening as follows (I sense a degree of irritation... I'm not surprised poor guy.

+++++++++++++
Tony,

Here is exactly what has been done this time:

Reboot to rescue mode.
Change shadow entry to the hash in your e-mail below.
Change APF (I missed this before)
Reboot

I still cannot log in to the console as root....or admin for that matter. We've never had this much trouble resetting a password!
++++++++++++

I will test the result and if still no joy I will summon some courage and pass him a copy of your post. Its 23:27 and I expect he wants to go home.

Tony
 
Old 02-08-2006, 07:13 PM   #15
tonykn
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Following the manual copying of the 'admin' encrypted password to the root location in the shadow file and the resetting of entries in the firewall files I now have full access again. We rebooted immediately after making the changes to the shadow file.
So success ... I need a drink
thanks for everyone's suggestions
Tony

case closed ... or so it appears ... but you never know for sure !
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
XDMCP Remote access session restore after disconnection soldonz Linux - Newbie 1 04-18-2005 04:20 PM
alsamixer settings won't stick, "alsactl restore" as root after song change apax Linux - Software 0 01-01-2005 11:07 AM
How to restore original root crontab vrillusions Slackware 1 04-21-2004 10:54 PM
grub use for root password lockout dponte Linux - Newbie 1 10-18-2003 06:13 AM
Lockout Problem! sanju2k Linux - General 1 12-01-2002 09:33 AM


All times are GMT -5. The time now is 10:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration