Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Just found this tip yesterday and thought it may be useful to others wanting to know when someone logs in as root through ssh, GDM, console or when a normal user `su`s to root. When they do this it will send an email straight away:
At the end of the /root/.bashrc file put in this command, and edit the (HOSTNAME) with the name of the machine, and you@yourdomain with the email address you wish the mail to be sent to:
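As an added example, not the original poster's command: a snippet of the kind described, for the end of /root/.bashrc. It assumes a working local MTA and the mailx(1) client; the ALERT_TO address is a placeholder to edit. `who am i` is used because it reports the tty and origin of the original login, so a user who did `su -` still shows up with the login name and remote host they came in on.

```shell
# Added example for the end of /root/.bashrc (not the original poster's
# command). Assumptions: a working local MTA, the mailx(1) client, and the
# placeholder address below edited to your own.
ALERT_TO="${ALERT_TO:-you@yourdomain}"

# Compose the alert body. Everything is passed in as arguments so the
# formatting can be checked without an actual root login.
#   $1 host  $2 user  $3 original login name  $4 tty  $5 origin  $6 timestamp
root_login_alert_body() {
    printf 'Root shell opened on %s\n' "$1"
    printf 'User:   %s\nLogin:  %s\nTTY:    %s\nFrom:   %s\nWhen:   %s\n' \
        "$2" "$3" "$4" "$5" "$6"
}

# Gather the login context and mail it. `who am i` reports the *original*
# login (name, tty, and remote host in parentheses), so a normal user who
# ran `su -` is still identified.
send_root_login_alert() {
    [ "$(id -u)" -eq 0 ] || return 0
    command -v mailx >/dev/null 2>&1 || return 1
    info=$(who am i 2>/dev/null)
    login_name=$(printf '%s\n' "$info" | awk 'NF >= 2 { print $1 }')
    tty=$(printf '%s\n' "$info" | awk 'NF >= 2 { print $2 }')
    origin=$(printf '%s\n' "$info" |
        awk 'match($0, /\(.*\)/) { print substr($0, RSTART + 1, RLENGTH - 2) }')
    host=$(hostname)
    root_login_alert_body "$host" "$(id -un)" "${login_name:-unknown}" \
        "${tty:-unknown}" "${origin:-local console}" \
        "$(date '+%Y-%m-%d %H:%M:%S')" \
        | mailx -s "ALERT: root shell on $host" "$ALERT_TO"
}

# Fire only from an interactive shell: that is when .bashrc is read at login,
# and root's cron jobs and scripts will not spam the mailbox.
case $- in *i*) send_root_login_alert ;; esac
```

Every new interactive root shell (each terminal tab, each `su -`) sends one mail; if that is too chatty, gate it on a per-tty marker file. As the replies below point out, `bash --norc`, a different login shell, or an edited .bashrc all bypass it.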
Thanks for sharing a tip. Not wanting to slag you off, but...
Quote: when someone logs in as root through ssh, GDM, console or when a normal user `su` to root
...root login through ssh should be disallowed, period. If you want to achieve the same for GDM you could use pam_listfile in /etc/pam.d/gdm if your distro uses PAM (or use GRSecurity RBAC features or SELinux).
PAM IMHO is a slightly "better" way of signalling root logins:
- it's administered centrally (kinda efficient),
- it covers the whole system (no files in user dir necessary),
- it's versatile (adaptable to any service that can be PAM-ified),
- alerting can happen almost in parallel with authentication (and before the user actually is logged in),
- it's syslogged (and so can be remote syslogged),
- doesn't necessitate wetware reading email,
and for some additional (admittedly weak) reasons:
- doesn't allow for DoS'ing as much as the email solution (could DoS syslog as well),
- doesn't rely on mailx,
- isn't affected by "/bin/bash --norc",
- isn't affected by removing or changing root's .bash* files.
Of course using PAM isn't tamper-proof either because any file can be removed or changed (though that can be detected OTF as well, monitoring syscall or using Samhain).
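As an added example of the PAM route, not unSpawn's own configuration: a pam_exec(8) session hook that syslogs a root session the moment PAM opens it, together with the pam_listfile line that refuses root at the GDM greeter. The file names and paths (/etc/gdm/denied-users, /usr/local/sbin/root-session-alert, common-session versus system-auth) are assumptions; adjust them to your distro. pam_exec passes PAM_USER, PAM_SERVICE, PAM_TYPE, PAM_TTY, PAM_RHOST and PAM_RUSER to the script, so an `su` to root is reported with the calling user in PAM_RUSER.

```shell
#!/bin/sh
# Added example (not unSpawn's configuration): pam_exec session hook that
# logs every root session via syslog before the user has a shell.
# Assumed wiring (paths and file names are assumptions):
#
#   /etc/pam.d/gdm  (refuse root at the greeter; onerr=fail = fail closed
#                    if the list file cannot be read)
#     auth     required  pam_listfile.so item=user sense=deny file=/etc/gdm/denied-users onerr=fail
#   /etc/gdm/denied-users
#     root
#   /etc/pam.d/common-session  (Debian; system-auth on Red Hat; pulled in by
#                               sshd, login, su and gdm alike)
#     session  optional  pam_exec.so seteuid /usr/local/sbin/root-session-alert
#
# For a session hook PAM_TYPE is open_session or close_session.

# Alert only for root and only when a session opens, not when it closes.
pam_root_alert_wanted() {
    [ "$1" = root ] && [ "$2" = open_session ]
}

# One syslog record, key=value so it is easy to filter on a log host.
#   $1 user  $2 service  $3 type  $4 tty  $5 rhost  $6 ruser
pam_root_alert_message() {
    printf 'ROOT-SESSION user=%s service=%s type=%s tty=%s rhost=%s ruser=%s' \
        "$1" "$2" "$3" "${4:-?}" "${5:-local}" "${6:-?}"
}

pam_hook() {
    pam_root_alert_wanted "${PAM_USER:-}" "${PAM_TYPE:-}" || exit 0
    msg=$(pam_root_alert_message "$PAM_USER" "${PAM_SERVICE:-?}" "$PAM_TYPE" \
          "${PAM_TTY:-}" "${PAM_RHOST:-}" "${PAM_RUSER:-}")
    # auth.warning lands in /var/log/auth.log or the journal and from there
    # goes to whatever remote syslog destination is configured.
    logger -t root-session-alert -p auth.warning -- "$msg"
    # Always succeed: a logging hiccup must not lock root out (the module is
    # marked optional above, so PAM would ignore a failure anyway).
    exit 0
}

# Run only when invoked by PAM (PAM_TYPE is set); sourcing the file elsewhere
# just defines the functions for testing.
case "${PAM_TYPE:-}" in open_session|close_session) pam_hook ;; esac
```

Install the script root-owned and mode 0755. Because common-session is shared, one line covers ssh, console login, `su` and GDM, which is the "covers the whole system" point above; a hook that should instead fail closed would exit non-zero with the module marked `required`.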
Yes of course logging in as root is a bad idea, and it is always best to be proactive rather than reactive. There are other ways to restrict root login but I thought this may also help if you have already taken all the proactive measures.
If they still manage to get past those measures this will be a second line of defence, an alert to get your attention in real time that a privileged system account has been accessed.
The instant they have a successful login the .bashrc file is read and the mail is sent out, so it should be too late for them to do anything to stop the mail, if they even know a mail alert has been sent.
I agree with unSpawn. There are other, more reliable ways to accomplish this (PAM and tripwire stuff indeed come to mind).
The simple --norc trick will make sure that the .bashrc file is simply bypassed when logging in, making the trick mentioned here useless.
On the other hand, you can't be too careful these days. You can't have enough security around.
Yes there are better ways, and I definitely wouldn't solely rely on it, but if you have many things in place it may make it a little harder for anyone to gain access, or at least to gain access unnoticed.
Just a last note: most login programs, like SSH, already log a security message in the system's logs when a "root" login occurs.
Maybe filtering/watching those logs can help you too.
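An added example of the log watching suggested here, not part of the original post: an awk filter that pulls successful root logins out of a syslog-style auth log and ignores failed attempts and non-root logins. The sample lines are constructed in the format sshd, su and login(1) write to /var/log/auth.log on a Debian-style system; real logs vary by distro and version, so check the patterns against your own.

```shell
#!/bin/sh
# Added example: extract successful root logins from a syslog-style auth log.
# Output is one tab-separated line per event: timestamp, path in, origin.
root_logins_from_log() {
    awk '
        # sshd: "Accepted <method> for root from <ip> port <n> ssh2 ..."
        $5 ~ /^sshd(\[[0-9]+\])?:$/ && $6 == "Accepted" && $9 == "root" {
            printf "%s %s %s\tssh(%s)\t%s\n", $1, $2, $3, $7, $11; next
        }
        # su: "(to root) <user> on <tty>"
        $5 ~ /^su(\[[0-9]+\])?:$/ && $6 == "(to" && $7 == "root)" {
            printf "%s %s %s\tsu\t%s on %s\n", $1, $2, $3, $8, $10; next
        }
        # login(1) on a console: "ROOT LOGIN  on /dev/ttyN" (tty is the last field)
        $5 ~ /^login(\[[0-9]+\])?:$/ && $6 == "ROOT" && $7 == "LOGIN" {
            printf "%s %s %s\tconsole\t%s\n", $1, $2, $3, $NF; next
        }
    '
}

# Convenience wrapper: number of root logins in a log fed on stdin.
root_login_count() {
    root_logins_from_log | grep -c .
}

# Constructed sample auth log (not real data). Only three of these lines
# are successful root logins; the failed password and the alice login are not.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Jan 10 10:01:02 box1 sshd[1234]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: RSA SHA256:c29tZWtleWhhc2g
Jan 10 10:02:03 box1 sshd[1240]: Failed password for root from 10.0.0.9 port 51300 ssh2
Jan 10 10:03:04 box1 sshd[1250]: Accepted password for alice from 10.0.0.7 port 51400 ssh2
Jan 10 10:04:05 box1 su[1300]: (to root) alice on pts/0
Jan 10 10:04:05 box1 su[1300]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Jan 10 10:06:07 box1 login[1400]: ROOT LOGIN  on '/dev/tty1'
EOF
)

# Usage: root_logins_from_log < /var/log/auth.log
#        journalctl -o short | root_logins_from_log   (journald hosts)
printf '%s\n' "$SAMPLE_AUTH_LOG" | root_logins_from_log
```

Run it from cron against the log, or from a `tail -F /var/log/auth.log | root_logins_from_log` pipe for near real time; the tab-separated output is easy to hand to whatever alerting you already have.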