Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I have a very weird problem on one of the RHE4-4 servers: /bin/su accepts any password for authentication. I have compared the md5 checksum of the binary with working machines, and it was all right. Then I upgraded the coreutils rpm package to a newer one, but that didn't fix the issue. If I ssh to root, it requires the real password. I guess the computer got cracked. Reinstallation is not an option now. Please advise.
Oh, I cracked the box myself. While migrating from NIS to OpenLDAP I changed the PAM configuration. Thank you for the hint.
That's not a production server but a development one, and it's connected to the internal network only. However, there are a lot of people who have unix accounts on this box, and they connect from multiple offices. It's almost impossible to investigate all the connections, because we don't have any intrusion detection for internal boxes.
However, my question was not related to the investigation process. I was asking about preventing /bin/su from working with no password.
Thank you anyway.
Quote:
Originally Posted by artur4
Oh, I cracked the box myself. While migrating from NIS to OpenLDAP I changed the PAM configuration. Thank you for the hint. (...) However, my question was not related to the investigation process. I was asking about preventing /bin/su from working with no password.
No, but investigation *should* be the first reflex when encountering this type of anomaly. Since you explained you modded your PAM config, the answer to your question is to mod it back ;-p
Moved: This thread is more suitable in the Linux Security forum and has been moved accordingly to help your thread/question get the exposure it deserves.
Quote:
Originally Posted by artur4
I have compared the md5 checksum of the binary with working machines, and it was all right.
FYI, you can validate a file against the source rpm on the CD/DVD installation source. Use the -p option for package.
Example:
rpm -qVp opensuse/suse/x86_64/coreutils-6.9-43.x86_64.rpm
I keep the installation DVD iso image in its own partition so I don't have to grab the DVD. This is a bit of a compromise, but I don't think that would be as easy to hack given its size, and because iso9660 is a read-only filesystem.
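The rpm -V / rpm -qVp approach above prints one terse flag string per changed file. The script below is an added example, not part of the original post: it classifies that output so a tampered setuid binary is not lost among harmless mtime changes. The sample lines it feeds itself are constructed for the example, not output from the thread's server. Keep the trust question in mind: rpm -V compares against the RPM database on the same host, which anything running as root can also edit; -p against a package file on read-only media removes the database from the chain, but still trusts the rpm binary and its libraries on the suspect machine, so for a real verdict run the check from a clean boot medium.

```shell
#!/bin/sh
# Added example (not from the thread): turn `rpm -V` / `rpm -qVp` output into
# a triage list. rpm prints one line per file that fails verification: an
# attribute string, an optional file-type letter, then the path. A dot means
# the attribute still matches the package, a letter means it does not:
#   S size   M mode   5 MD5 digest   D device   L symlink target
#   U owner  G group  T mtime        P capabilities (newer rpm only)
# "missing" replaces the attribute string when the file is gone. Old rpm
# prints 8 attribute characters, newer rpm 9; the loop handles both.
# Paths containing whitespace are not handled.

# classify_line LINE -> prints "SEVERITY PATH REASONS"
classify_line() {
    # shellcheck disable=SC2086
    set -- $1                        # split into FLAGS [TYPE] PATH
    flags=$1; shift
    ftype=""
    case "$1" in
        [cdglr]) ftype=$1; shift ;;  # c=config d=doc g=ghost l=license r=readme
    esac
    path=$1

    if [ "$flags" = missing ]; then
        printf 'CRITICAL %s missing\n' "$path"
        return 0
    fi

    reasons=""; critical=0; rest=$flags
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}        # first character of $rest
        rest=${rest#?}
        case "$c" in
            S) r=size ;;  M) r=mode ;;  5) r=md5 ;;   D) r=device ;;
            L) r=link ;;  U) r=user ;;  G) r=group ;; T) r=mtime ;;
            P) r=caps ;;  .|'?') continue ;;          # unchanged / untestable
            *) r="other($c)" ;;
        esac
        reasons="${reasons:+$reasons,}$r"
        case "$c" in S|M|5|D|L|U|G) critical=1 ;; esac
    done

    if [ "$ftype" = c ]; then
        sev=WARN        # an edited config file is normal, but diff it: /etc/pam.d is where su's rules live
    elif [ "$critical" -eq 1 ]; then
        sev=CRITICAL    # contents, ownership or permissions of a packaged file changed
    else
        sev=INFO        # mtime or capabilities only; prelink and touch do this
    fi
    printf '%s %s %s\n' "$sev" "$path" "${reasons:-none}"
}

# audit_verify_output: reads rpm -V output on stdin, one classification per line
audit_verify_output() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then classify_line "$line"; fi
    done
}

# Constructed sample output for this example (not from the thread's server).
SAMPLE_VERIFY_OUTPUT='S.5....T.    /bin/su
.M.......    /usr/bin/passwd
S.5....T.  c /etc/pam.d/su
.......T.    /bin/ls
missing      /usr/share/man/man1/su.1.gz'

printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | audit_verify_output
# Against the live database:   rpm -V coreutils | audit_verify_output
# Against the package file:    rpm -qVp /mnt/cdrom/coreutils-*.rpm | audit_verify_output
```

The severity rules are this example's own: a config file (type c) that differs is only a warning because editing it is expected, a content or permission change on a non-config file is critical, and a lone mtime change is informational.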
Quote:
Originally Posted by artur4
it's connected to internal network only
If a hacker has compromised another computer on the local network, that could be used to launch an attack against the server. I think that hackers refer to this as cracking a nut: hard on the outside, soft and meaty on the inside.
Just to clarify what's happening here, for the among us...
Like many operating systems, Linux offers you options for choosing how you want to handle authentication tasks, such as determining whether a particular login should be accepted (and where and how to check it, and whether to require things like a badge, a fingerprint reader, and so on).
The most common way that this is done, these days, is with a very clever system called Pluggable Authentication Modules, or simply "PAM."
As you can see from, say, man pam, this system allows you considerable control in setting up authentication requests of all kinds, not just for login, but for anything.
Even if your system uses ordinary passwords (and I sincerely hope that you're using "shadow" passwords), you'll find that the request-handling process is being routed through and controlled by PAM.
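To make the control flags concrete, here is an added example (not code from the thread or from any poster) that resolves the auth stack of a service such as su through the RHEL 4 style pam_stack.so service=system-auth indirection and flags stacks that would accept a wrong password: pam_permit.so anywhere in the stack, a credential-checking module demoted to optional (its result is discarded once any other module has set one), pam_unix.so with nullok, and a stack that ends on a sufficient module instead of pam_deny.so. The sample /etc/pam.d files it writes to a temporary directory are constructed for the demonstration and are not the configuration the OP changed; the flag semantics are those documented in pam.conf(5) of Linux-PAM, and the list of modules treated as password checkers is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the "auth" stack a PAM service
# such as su really uses, following RHEL-style indirection (pam_stack.so
# service=..., "include", "substack"), and flag settings under which a wrong
# password can still be accepted. Control semantics follow pam.conf(5); the
# sample files written at the bottom are constructed, not the thread's config.

# collect_auth_stack DIR SERVICE [DEPTH]
#   prints the effective auth lines as "CONTROL<TAB>MODULE<TAB>ARGS".
collect_auth_stack() {
    [ "${3:-0}" -lt 5 ] || { printf 'ERROR\t%s\tinclude loop\n' "$2"; return; }
    [ -r "$1/$2" ]      || { printf 'MISSING\t%s\t\n' "$2"; return; }
    sed 's/#.*//' "$1/$2" | awk '
        $1 == "auth" {
            ctl = $2; i = 3   # bracketed controls like [success=1 default=ignore] span fields
            while (ctl ~ /^\[/ && ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
            args = ""
            for (j = i + 1; j <= NF; j++) args = args (args == "" ? "" : " ") $j
            print ctl "\t" $i "\t" args
        }' | while IFS="$(printf '\t')" read -r ctl mod args; do
        case "$ctl" in
            include|substack) collect_auth_stack "$1" "$mod" $(( ${3:-0} + 1 )); continue ;;
        esac
        case "${mod##*/}" in
            pam_stack.so)   # RHEL 3/4: auth required pam_stack.so service=system-auth
                sub=${args#*service=}; sub=${sub%% *}
                collect_auth_stack "$1" "$sub" $(( ${3:-0} + 1 )); continue ;;
        esac
        printf '%s\t%s\t%s\n' "$ctl" "${mod##*/}" "$args"
    done
}

# audit_auth_stack DIR SERVICE
#   prints findings (CRITICAL / WARN / INFO); returns 1 if anything is CRITICAL.
audit_auth_stack() {
    findings=$(collect_auth_stack "$1" "$2" | {
        checkers=0; n=0; last_ctl=""
        while IFS="$(printf '\t')" read -r ctl mod args; do
            n=$((n + 1)); last_ctl=$ctl
            case "$ctl" in
                MISSING) echo "CRITICAL referenced file $mod does not exist"; continue ;;
                ERROR)   echo "CRITICAL $mod: $args"; continue ;;
                \[*)     echo "INFO $mod uses control $ctl: review by hand"; continue ;;
            esac
            case "$mod" in
                pam_permit.so)
                    echo "CRITICAL pam_permit.so ($ctl) in the auth stack: every password is accepted" ;;
                pam_unix.so|pam_ldap.so|pam_krb5.so|pam_sss.so|pam_winbind.so)  # assumed checker list
                    case "$ctl" in
                        required|requisite|sufficient) checkers=$((checkers + 1)) ;;
                        optional) echo "WARN $mod is optional: its verdict is ignored once another module sets one" ;;
                    esac
                    case " $args " in
                        *" nullok "*) echo "WARN $mod nullok: accounts with an empty password field get in without a password" ;;
                    esac ;;
            esac
        done
        if [ "$n" -gt 0 ] && [ "$checkers" -eq 0 ]; then
            echo "CRITICAL no password-checking module with an effective control (required/requisite/sufficient)"
        fi
        if [ "$last_ctl" = sufficient ]; then
            echo "WARN stack ends on a sufficient module; finish with 'auth required pam_deny.so' so fall-through is an explicit denial"
        fi
    })
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; fi
    case "$findings" in *CRITICAL*) return 1 ;; esac
    return 0
}

# Constructed demo: a broken and a hardened system-auth, each reached from su via pam_stack.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/su" <<'EOF'
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF
cat > "$DEMO_DIR/system-auth" <<'EOF'
# broken (hypothetical): pam_deny swapped for pam_permit while debugging LDAP, pam_ldap demoted to optional
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        optional      /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_permit.so
EOF
sed 's/service=system-auth/service=system-auth-good/' "$DEMO_DIR/su" > "$DEMO_DIR/su-good"
cat > "$DEMO_DIR/system-auth-good" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
EOF

echo "== su (broken system-auth) =="
audit_auth_stack "$DEMO_DIR" su || echo "exit status 1: do not trust this su"
echo "== su-good (hardened system-auth) =="
audit_auth_stack "$DEMO_DIR" su-good && echo "no findings"
# On a real host: audit_auth_stack /etc/pam.d su
```

Bracketed [value=action] controls are only reported, not interpreted, because their meaning depends on the jump targets; read those by hand. The closing pam_deny.so line is the Red Hat convention that turns "nothing in the stack said yes" into an explicit failure with a clear log message, which is why the audit warns when a stack ends on a sufficient module.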