Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
First, thanks for taking the time to read this post.
I would like your opinions on why I cannot log into this machine as root.
I recently set up this Linux box (Red Hat 9) for FTP usage (VSFTPD). On the router, I have opened ports 20, 21, and 22. Running nmap on the Linux box shows that ftp, ssh, http, snet-sensor-mgmt (Webmin) and netbios-ssn (Samba) are open and can be accessed internally.
This machine has only been up for an aggregate of 7 hours. As of yesterday I cannot log into this machine with the root account as it complains that the password is incorrect. I have written all of the passwords, configurations, etc in a notebook during the installation so I know it isn't a question that I forgot the password.
Do I have justification to suspect that this machine has been compromised, albeit very quickly, or am I jumping the gun here?
I think you're jumping the gun.
It isn't a good idea to log into a machine remotely using the root account, so this is turned off by default. This is true of SSH and ftp probably.
Log in using a 'normal' account then use 'su' to gain root privileges.
I would like your opinions on why I cannot log into this machine as root.
Determining if a compromise happened is no matter of opinions: you should be looking for facts and deal with those. Besides that, a box (suspected) being compromised is different from not being able to log in as root. If you have "evidence" a box is rooted take it off the 'net and then audit it, if you suspect a box to be compromised you should audit the box (auth, logs, integrity, processes), and if you can't log in as root you should review your configuration. That's the way to deal with suspicions about a box's integrity.
Like Glj said you should use sudo and not log in as root directly. If you argue for making exceptions "just cuz it's on the LAN" you'll be making exceptions all the time. Bad habit.
BTW you didn't specify logging in as root how: local, SSH etc etc.
This machine has only been up for an aggregate of 7 hours.
Time is no mitigating argument. What state was it in?
Were there more/other/to-be-upgraded services running?
Was access denied by its firewall and the router all of the time?
What hardening/configuration modifications did you make?
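The following script is an added example and is not code from either reply or from the original poster. It turns the advice in both replies into checks you can run offline: the first reply's point that direct remote root login is normally refused by policy (OpenSSH's PermitRootLogin, vsftpd's deny list), and the second reply's point that whether a box was compromised is settled by facts from the auth log rather than by opinion. It assumes Red Hat 9 style paths (/etc/ssh/sshd_config, /etc/vsftpd.ftpusers as read by vsftpd's PAM stack, /var/log/secure) and runs here against constructed sample files, so the log lines, hostnames and addresses are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline triage of the "can't log in
# as root" symptom: read the policy files that decide whether remote root login
# is even allowed, then pull the facts about root-login attempts out of the
# auth log. Assumed Red Hat 9 paths: /etc/ssh/sshd_config,
# /etc/vsftpd.ftpusers (a deny list consulted by vsftpd's PAM stack) and
# /var/log/secure. Everything below runs against constructed sample files.

# Effective PermitRootLogin. sshd_config takes the FIRST uncommented value of a
# keyword; a missing directive falls back to the compiled-in default, which
# was "yes" for OpenSSH releases of the RH9 era.
ssh_root_login_policy() {
    awk 'tolower($1) == "permitrootlogin" && v == "" { v = $2 }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Is an account listed in the FTP deny list? Red Hat's vsftpd package denies
# every name in /etc/vsftpd.ftpusers via pam_listfile, root included.
ftp_user_denied() {
    # $1 = deny-list path, $2 = account name
    grep -qxE "[[:space:]]*$2[[:space:]]*" "$1"
}

# Number of "Failed password for <account>" lines in a syslog-style auth log.
failed_logins_for() {
    # $1 = log path, $2 = account name
    grep -c "Failed password for $2 " "$1" || true
}

# Distinct source addresses behind those failures: a burst from one address
# is the kind of fact that decides whether the box comes off the network.
failed_login_sources() {
    grep "Failed password for $2 " "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort -u
}

# Successful escalations to root through su: the expected path once direct
# root login is off, and the place to look for an unexpected source account.
su_to_root_count() {
    grep -c "session opened for user root by" "$1" || true
}

# ---- constructed sample input (not captured from any real host) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sshd_config fragment
Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF

cat > "$SAMPLE_DIR/ftpusers" <<'EOF'
# constructed deny list, mirrors the shape of Red Hat's default file
root
bin
daemon
EOF

cat > "$SAMPLE_DIR/secure" <<'EOF'
Mar 10 02:14:07 ftpbox sshd[1203]: Failed password for root from 192.0.2.44 port 4312 ssh2
Mar 10 02:14:11 ftpbox sshd[1203]: Failed password for root from 192.0.2.44 port 4312 ssh2
Mar 10 08:30:02 ftpbox sshd[1350]: Accepted password for alice from 192.168.1.20 port 51022 ssh2
Mar 10 08:30:40 ftpbox su(pam_unix)[1362]: session opened for user root by alice(uid=500)
EOF

# Human-readable summary of the checks above for one set of files.
triage_report() {
    # $1 = sshd_config, $2 = ftpusers, $3 = auth log
    echo "sshd PermitRootLogin (effective): $(ssh_root_login_policy "$1")"
    if ftp_user_denied "$2" root; then
        echo "vsftpd: root is in the deny list (direct FTP root login refused)"
    else
        echo "vsftpd: root is NOT in the deny list"
    fi
    echo "failed root password attempts: $(failed_logins_for "$3" root)"
    echo "sources of those attempts: $(failed_login_sources "$3" root | tr '\n' ' ')"
    echo "su sessions opened as root: $(su_to_root_count "$3")"
}

triage_report "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/ftpusers" "$SAMPLE_DIR/secure"
```

On the actual host, point the functions at the real files and read the report next to the live checks the second reply lists: `rpm -Va` for package integrity, `ps` and `netstat -tlnp` for processes and listeners. A policy that already refuses root, together with zero failed root attempts in the log, explains the symptom without a compromise; repeated failures from an outside address, or su sessions from an account you did not create, are the facts that justify taking the box off the network and auditing it.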