Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm struggling to understand what might have happened here. I have a Beaglebone on my network that I log into occasionally as a normal user. Every couple months I also log in as root and update the software.
When I tried to do so today, it kept failing to log in as root. I could ssh in as my normal user, but `su -` failed. I use a password manager, so I am 100% sure I'm using the right password. When I look at the modification time of my /etc/shadow file, it claims that the file changed a couple weeks ago. I didn't change any passwords, I didn't apply any updates, and in fact, I barely used the thing since then.
I'm concerned about a few things. One, I have no way to log in as root anymore (yeah, I know, I should've set up sudo). On a regular PC it'd be easy enough to fix, but on a Beaglebone it's going to be more annoying to get into single user mode. Second, if something locked out my root user or changed its password, then I've got a security breach (which seems unlikely, given that my passwords are strong and I'm behind a decent firewall).
Is there anything I might be missing? And more importantly, is there any way to recover aside from hooking up a serial console to the Beaglebone so I can get single-user access?
When I look at the modification time of my /etc/shadow file, it claims that the file changed a couple weeks ago. I didn't change any passwords, I didn't apply any updates, and in fact, I barely used the thing since then.
If YOU didn't change any passwords (or other info stored in the shadow file), it is certain somebody did, because the only way /etc/shadow will be recently changed is by someone changing his/her passwd, age info or such, OR when a new user has been added to the system (to store the shadow info for that account).
This can be a sign your Beaglebone system has been hacked and the hacker added his own account (to get in remotely) and then changed the root password too.
Look to see if there are new additions to /etc/passwd too.
Without root access you will not be able to look into that shadow file, so you may need that serial console to get back into the system.
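An added example, not from any poster in this thread, of the check suggested above: once the filesystem is mounted, copy /etc/passwd and /etc/shadow off the device and audit them offline. The script flags extra UID 0 accounts, accounts whose password was changed after a given day (shadow field 3 is days since 1970-01-01, so it shows which entry explains a newer file mtime), and accounts that have a usable hash plus an interactive shell. The sample files and hashes are constructed; the paths are assumptions.

```shell
#!/bin/sh
# Audit copies of passwd and shadow taken from the mounted filesystem.
# usage: audit_accounts PASSWD SHADOW SINCE_DAYS (days since 1970-01-01)
audit_accounts() {
    passwd=$1; shadow=$2; since=$3
    # 1. Any account besides root with UID 0 (a second superuser is a classic backdoor)
    awk -F: '$3 == 0 && $1 != "root" { print "UID0:" $1 }' "$passwd"
    # 2. Shadow field 3 = day the password last changed; entries newer than SINCE_DAYS
    #    are the ones that would account for a recently modified /etc/shadow
    awk -F: -v since="$since" '$3 != "" && $3+0 > since+0 { print "CHANGED:" $1 ":" $3 }' "$shadow"
    # 3. Accounts with a real hash (not locked with * or !) and an interactive shell
    awk -F: 'NR==FNR { if ($2 != "" && $2 !~ /^[*!]/) has[$1]=1; next }
             ($1 in has) && $7 !~ /(nologin|false)$/ { print "LOGIN:" $1 ":" $7 }' \
        "$shadow" "$passwd"
}

# Constructed sample files (hashes are placeholders, not real crypt output).
# "sync2" is a planted second UID 0 account; root and sync2 changed on day 18120.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
debian:x:1000:1000:Debian User:/home/debian:/bin/bash
sync2:x:0:0::/tmp:/bin/sh
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$constructed$hash1:18120:0:99999:7:::
daemon:*:17800:0:99999:7:::
debian:$6$constructed$hash2:17800:0:99999:7:::
sync2:$6$constructed$hash3:18120:0:99999:7:::
EOF

# Report everything changed after day 17900 (the last admin password change, assumed)
audit_accounts "$tmp/passwd" "$tmp/shadow" 17900
```

On the real device, compare the CHANGED days against `stat -c %y /etc/shadow` (GNU coreutils) and against the dates you actually changed passwords; an entry you don't recognise, or a UID0 line, is the thing to investigate.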
the only way /etc/shadow will be recently changed is by someone changing his/her passwd, age info or such OR when a new user has been added to the system (to store the shadow info for that account).
This is what I was wondering about. I didn't know if maybe the system regularly did some maintenance that would modify this file.
I mounted the filesystem, chrooted, and fixed my root password so I can get in again. It doesn't look like there are any new users or any obvious unexpected changes... I'm not quite sure what to look for though. I'll do some googling to see what I should check, but it seems like there's no other explanation aside from some kind of breach.
Let me know if you have any other thoughts. Thanks!
Not really related to your issue, but is the device available on the Internet or otherwise publicly accessible? Who else has access to your network, and are any inbound ports open on your firewall?
Not really related to your issue, but is the device available on the Internet or otherwise publicly accessible? Who else has access to your network, and are any inbound ports open on your firewall?
Yes, the device was serving a web page (not for public consumption, just a personal project), so it was intentionally accessible from outside my network. However, both the SSH and HTTP ports were forwarded to non-standard port numbers, all passwords were strong, SSL was enabled, and no one outside of my home had access. Obviously having those two ports open is an opportunity for people to gain access, but it's still shocking when it happens. Fortunately there isn't anything sensitive on the device and I have backups.
This is what I was wondering about. I didn't know if maybe the system regularly did some maintenance that would modify this file.
No, normally not.
But installing some packages will add a special userID for it (like i.e. mysql, apache, sshd, etc) TO the passwd and shadow files. These additions will normally be located at the bottom OF those files.
But, for instance, on MY system both /etc/passwd and /etc/shadow are from 2009, so haven't been changed in the last 10 years.
Yes, the device was serving a web page (not for public consumption, just a personal project), so it was intentionally accessible from outside my network. However, both the SSH and HTTP ports were forwarded to non-standard port numbers, all passwords were strong, SSL was enabled, and no one outside of my home had access. Obviously having those two ports open is an opportunity for people to gain access, but it's still shocking when it happens. Fortunately there isn't anything sensitive on the device and I have backups.
Agree, no one thinks this will happen. FYI, non-standard ports is not a security measure really, it just deters automated scanners that check standard ports. It absolutely will not deter an experienced human attacker. If possible, you can add source and destination rules to your firewall so that only you can access from an external source. All other traffic will be dropped.
/etc/shadow contains password hashes which can be copied, and an attacker can start guessing the password and comparing with the hashes in the file to get the password.
Well, if you changed all the passwords in the /etc/shadow file, then even if they crack the hashes it will be rendered useless, since the passwords have been updated.
If any user changes his or her password, I believe /etc/shadow will be modified.
As long as your system is not accessible to the outside world, then I guess you don't need to worry too much, but then you need to focus on the internal users who might have some malicious intent.
/etc/shadow contains password hashes which can be copied, and an attacker can start guessing the password and comparing with the hashes in the file to get the password.
But as the file is only readable BY root (or processes in the "shadow" group), that hacker already needs "more than a normal user" access to do so.