Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have an odd problem with a VPS I have at DigitalOcean. The root password keeps changing and forcing me to reset it via DigitalOcean's control panel.
I'm not sure exactly what time/date it changes, only when I get a message from WHM saying it cannot access the DNSOnly server anymore as the password was invalid.
The VPS is running CentOS 5.10 and has WHM DNSOnly installed. I emailed DigitalOcean's support and got this response:
Quote:
Thank you for contacting us regarding this issue. It's unclear what would cause the root password to change, however you may consider reviewing the system logs and the ssh related logs to identify what actions may be listed related to this.
You can check the `history` command, or check `last` to see if you see any odd details. If you have any further questions, concerns or additional information, please don't hesitate to provide them.
I do not see anything in the SSH logs or anything in messages to indicate what is changing it. The `last` command only shows my connections via tty or SSH (invariably due to me having to force a reset and log on to change the password).
I thought I could use auditd to monitor passwd, but changing a password doesn't modify this file.
Does anyone have any suggestions on what to look for?
I ran this search against /var/log/secure, but can only see my manual password changes. Between those dates, something is stopping root from being able to log in via console/SSH. I think this shows that the password itself is not changing and something else is stopping root's access.
It's a brand new VPS, a fresh install of CentOS with DNSOnly installed on top. No other config or data on it. As per my 2nd post, given that the secure log doesn't mention a password change outside of me resetting it, it must be something other than a password change...
Next time it happens I'll give it a reboot to see if it's a crashed service or some such.
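The posts above describe searching /var/log/secure by hand to tell a genuine root password change from root simply being refused at login. The script below is an added example, not something posted in this thread or shipped by DigitalOcean, WHM or CentOS. It builds a small constructed sample of /var/log/secure lines in the standard CentOS syslog/PAM format (the host name, dates and address are made up), then defines two hypothetical helpers, `count_events` and `timeline`, that separate `password changed` entries from accepted and failed logins so the sequence can be lined up against the days the poster was locked out.

```shell
#!/bin/sh
# Added example: classify root-related events in a /var/log/secure style log.
# The log below is a CONSTRUCTED sample in the usual CentOS 5 syslog/PAM
# format; it is not taken from the poster's server or from the thread.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct  3 08:12:01 vps sshd[2011]: Accepted password for root from 203.0.113.5 port 50122 ssh2
Oct  3 08:12:01 vps sshd[2011]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct  4 02:15:44 vps passwd: pam_unix(passwd:chauthtok): password changed for root
Oct  5 09:01:10 vps sshd[2400]: Failed password for root from 203.0.113.5 port 50130 ssh2
Oct  5 09:01:10 vps sshd[2400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Oct  5 09:03:30 vps login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
EOF

# count_events LOGFILE USER KIND
# KIND is "changed" (passwd/chauthtok records), "accepted" (successful
# logins) or "failed" (rejected logins, from sshd and from PAM). Prints a
# count. "|| true" stops grep's exit status 1 for "no matches" from aborting
# a script run under "set -e".
count_events() {
    log="$1"; user="$2"; kind="$3"
    case "$kind" in
        changed)  grep -c -e "chauthtok): password changed for $user\$" "$log" || true ;;
        accepted) grep -c -e "Accepted [a-z]* for $user from" "$log" || true ;;
        failed)   grep -c -e "Failed [a-z]* for $user from" \
                          -e "authentication failure;.*user=$user\$" "$log" || true ;;
        *)        echo "unknown kind: $kind" >&2; return 2 ;;
    esac
}

# timeline LOGFILE USER
# Prints "<month> <day> <time> <EVENT>" for each relevant line, in log order,
# so a password change can be placed relative to the lockouts. A single bad
# SSH attempt usually yields both a LOGIN_FAILED and an AUTH_FAILURE line.
timeline() {
    awk -v u="$2" '
        $0 ~ ("password changed for " u "$")          { print $1, $2, $3, "PASSWORD_CHANGED"; next }
        $0 ~ ("Accepted [a-z]+ for " u " from")       { print $1, $2, $3, "LOGIN_OK"; next }
        $0 ~ ("Failed [a-z]+ for " u " from")         { print $1, $2, $3, "LOGIN_FAILED"; next }
        $0 ~ ("authentication failure;.*user=" u "$") { print $1, $2, $3, "AUTH_FAILURE"; next }
    ' "$1"
}

# Usage against the constructed sample; point it at /var/log/secure* in practice.
echo "root password changes recorded: $(count_events "$SAMPLE_LOG" root changed)"
echo "root logins accepted: $(count_events "$SAMPLE_LOG" root accepted)"
echo "root logins failed:   $(count_events "$SAMPLE_LOG" root failed)"
timeline "$SAMPLE_LOG" root
```

Two things worth knowing when applying this to a real box: `passwd` writes the new hash to /etc/shadow, not /etc/passwd, so an auditd file watch meant to catch a change would be `-w /etc/shadow -p wa -k shadow_change` (the `-w /etc/passwd` watch the first post tried will not fire); and a run of `AUTH_FAILURE`/`LOGIN_FAILED` lines with no preceding `PASSWORD_CHANGED` points at something other than the password (a locked account, a PAM or sshd change, a hung service), which is the distinction the second post is drawing.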
Part of the problem might lie in the fact that he's using CentOS 5. Although still technically supported, I wouldn't use it at all. As with Debian 6, they may be exploiting shellshock, and then just covering their tracks. Bottom line: reinstall with a newer distro.
If the root-password on a box is changing without you knowing it, why do you trust any of "the logs?"
Compromised computers are like enemy soldiers. You don't try to compromise with them. You don't look at pictures of their grandkids. You shoot 'em.
I made the assumption that the password is changing; however, I am not sure of that. All I know is that one day I can log in, the next day I cannot. Performing a password reset via the DigitalOcean control panel corrects it (it powers off the server and modifies it with some external process/script). I was going to wait till it happened again to see if just a reboot fixed it.
Quote:
Originally Posted by Ihatewindows522
Part of the problem might lie in the fact that he's using CentOS 5. Although still technically supported, I wouldn't use it at all. As with Debian 6, they may be exploiting shellshock, and then just covering their tracks. Bottom line: reinstall with a newer distro.
I would use a later OS, except for the daft limitations of WHM's DNSOnly app. There are apparently workarounds to get it to install on later versions, but then WHM/cPanel won't support it.
I've deleted the VPS and will start from scratch again.
Please do not advise fellow LQ members to do that without proper investigation.
Quote:
Originally Posted by Ihatewindows522
Part of the problem might lie in the fact that he's using CentOS 5. Although still technically supported, I wouldn't use it at all. As with Debian 6, they may be exploiting shellshock, and then just covering their tracks. Bottom line: reinstall with a newer distro.
Pure, uncut male cow manure. CentOS 5 is not "technically" supported: it is officially supported, meaning it gets the security fixes it needs: http://wiki.centos.org/Security/Shellshock. If you don't know your stuff then feel free to keep yourself from posting.
Quote:
Originally Posted by Planky
I've deleted the VPS and will start from scratch again.
That is a shame as it would have been my pleasure to help you investigate. Please note that while you are free to follow any advice given, and you are the only one responsible for gauging the quality of said advice, on LQ there really are about five people I trust to perform incident handling the way I want to see it done.