Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Big thing I noticed was how I was able to login remotely as root. ( su root ). I just "plugged it in" to the isp a few hours ago and I was able to login as root as...
my root password = MRP@345xyz
also was able to login as root as ...
MRP
How is this possible? How can you log in as root with 2 different passwords? Other then my system has been compromised? How can you login successfully with 2 root passwords? I think I'm going to have to go back to the ISP and reinstall my system and disable root( only sudo, and use encryption ).
I thought If I just installed it with the redhat basic firewall I would be okay until I could do more... I guess not.
Having never used an '@' symbol in a password, my educated guess would be that it has a special meaning of some sort and that it (and everything after) is getting ignored in your password. I could be wrong however, and if I am I welcome anyone to correct me!
Anyway, It doesn't sound to me like your box has been hacked, though you should really check the logfiles to see if there's any suspicious behavior and should always have some sort of system integrity tool such as AIDE installed so that if an attacker modifies the logfiles, you can still check your system for integrity and possibly find out what files or binaries have been modified. You might want to do a search on what legal characters are allowed in passwords and if the '@' symbol has special significance in a Linux login password.
Since you posted your root password, you need to change it anyway. The password looks more like a login name instead. I'm guessing that your username is MRP and the server is named 345xyz. Choose a better password. Or maybe you are using too simple of a "system" for coming up with a password. I don't think that the problem is that you were hacked.
Your post says that you logged in as root as ... instead of I logged in as root with the password of ...
It sounds like you may have that confused.
In any event how are you logging in remotely. If you are logging in remotely via ssh then you should disable root logins. (Set "PermitRootLogin no" in /etc/ssh/sshd_config.) Instead log in using your username and su to root. Also, if you are the only person who logs in via ssh, then add the line "AllowUsers <your-user-name>" to the /etc/ssh/sshd_config file. This will disallow all other ssh logins, including system users. Script Kiddies will attack the ssh port using root, and the system users.
From the sshd_config manpage:
Code:
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. ‘*’ and ‘?’ can be
used as wildcards in the patterns. Only user names are valid; a
numerical user ID is not recognized. By default, login is
allowed for all users. If the pattern takes the form USER@HOST
then USER and HOST are separately checked, restricting logins to
particular users from particular hosts.
.
.
.
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be “yes”, “without-password”, “forced-commands-only” or
“no”. The default is “yes”.
If this option is set to “without-password” password authentica‐
tion is disabled for root.
If this option is set to “forced-commands-only” root login with
public key authentication will be allowed, but only if the
command option has been specified (which may be useful for taking
remote backups even if root login is normally not allowed). All
other authentication methods are disabled for root.
If this option is set to “no” root is not allowed to log in.
Some people will also change the port that sshd listens to. This is configured in /etc/ssh/ssh_config:
Code:
Port Specifies the port number to connect on the remote host. Default
is 22.
For the protocol, only use ssh v2. Again from ssh_config:
Code:
Protocol
Specifies the protocol versions ssh should support in order of
preference. The possible values are “1” and “2”. Multiple ver‐
sions must be comma-separated. The default is “2,1”. This means
that ssh tries version 2 and falls back to version 1 if version 2
is not available.
Distribution: Servers: Scientific Linux 5.x // Desktops: Fedora Core (latest)
Posts: 110
Rep:
below is my example conf file... ( /etc/ssh/sshd_config in FC5 )
this has allowed me to run only SPECIFIED usernames over SSH login. anyone not specified gets kicked / denied after being allowed to enter a password. this keeps it so that a hacker attempting random usernames won't think that he's gotten lucky if he gets to the password prompt -- everyone gets there... doesn't mean you're getting in though.
this also disallows root logins... however, a user can "su" into root capability if they have the root password (but they must have already logged in with a non-root account that is listed under the allow portion of this config file.
#Login controls
# .. how long allowed to enter uname/pw
LoginGraceTime 1m
# .. allow the root user ??
PermitRootLogin no
# .. max number of times a guy can try to login and fail before the server kicks him and he has to start over
MaxAuthTries 2
# permit blank password entries (this would be used as 'yes' for a guest account where account name = guest / password = 'blank'
PermitEmptyPasswords no
# Check password against that on file?
PasswordAuthentication yes
# Not sure what this option envokes, however, I had an issue logging in and a 'fix' I found online was to change this option to 'no'
ChallengeResponseAuthentication no
# USERS TO ALLOW (This is a 'deny first, allow second' type of list... everyone is denied unless you list them here).
AllowUsers username1 username2 yourotherusername yourbuddysusername yourmomsusername
# override default of no subsystems
# this will allow sftp logins through sftp clients like gFTP
# remove it and I --believe-- sftp will not work.
Subsystem sftp /usr/libexec/openssh/sftp-server
< I "su root" and entered half my password and got logged in. That basically sums up what happened without going into anything else. >
Wouldn't you find it odd if you were able to do that on your box? Needless to say I haven't been able to duplicate this. I was also using putty, maybe it was something in that? At any rate it's weird. I think I was hacked, I'd rather think I was not but...
Since you just installed the server, you could reinstall it without having to backup much data. I'm thinking that the interface you used to set the root password may have dropped everything after the @ symbol.
Make sure that you harden the server before connecting to the internet. If you are running MySQL for instance, there is a pdf or ps file (manual.ps) in the /usr/share/doc/packages/mysql/ directory. One of the first sections of the manual deals with securing mysql. Otherwise, there are two passwordless root accounts open.
"Make sure that you harden the server before connecting to the internet."
Any tips on how to go about this when you're getting a dedicated server from a provider?
i've read the password length in login.defs could cause this. if set to 5, it matches only the first 5 characters of the pass, so if your pass is 8 in length, only the 1st 5 count. maybe that is a legacy problem that has since been solved.
"Make sure that you harden the server before connecting to the internet."
Any tips on how to go about this when you're getting a dedicated server from a provider?
Check out the LQ FAQ: Security references, post #1 "Checklists" and "Securing" and since you're probably running LAMP check out post #6 "Securing networked services" as well.
unSpawn, i was pointing out that the dedicated companies give you the server already connected to the internet. i don't know if they build it without the machine on the public net, but before i log in and get to do any hardening, the machine has been out there. It's not like a colo where i can harden my box and then plug it in.
before I log in and get to do any hardening, the machine has been out there.
If they're not willing to work with you on that then uncontrolled public exposure can lower the initial level of trust, depending on how post-install configuration is done. That does not change the fact you have to do a full scale audit of the system. It means the outcome of the audit can not be seen as definitive which means you can not trust the system onehundred percent. With all due respect, but what you pay for is what you get.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
I think my box has been hacked ? --help
