Security on a webserver.

mikz · 01-23-2006, 03:55 PM

I'm trying to secure my slackware webserver. How do I disable shutdown and reboot to all except root.
From my logs it appears that somebody has been able to remotely 'reboot' my machine. Possibly using syslogd 1.4.1: restart.
I need to disable halt, poweroff, reboot, shutdown.

MS3FGX · 01-23-2006, 04:01 PM

By default, a normal level user should not be able to do any of those things in Slackware.

cwwilson721 · 01-23-2006, 04:02 PM

Do not be logged in at console as root. Log in as another user.

irpstrcr · 01-23-2006, 04:07 PM

you could just change the perms on shutdown and halt. that would prevent
anyone not the owner to run em.

but odds are the server is not really being remotely rebooted.

I've noticed funky syslogd behavior since somewhere around slackware 10
where syslog restarts every hour just about on the hour. it hasn't really
affected anything and it still listens for the remote logs so i haven't
been bothered to looked for the reason.

mikz · 01-23-2006, 04:09 PM

Somebody has been able to reboot my machine via remote. I run SSH where I restrict hosts via hosts.deny and hosts.allow
They have apparently found a way of rebooting the machine through some exploit.
As I have understood they have to have root or sudo access in order to do this.
How do 'disable' reboot and shutdown to all except root and user 'abc'.

mikz · 01-23-2006, 04:14 PM

Quote:

I've noticed funky syslogd behavior since somewhere around slackware 10 where syslog restarts every hour just about on the hour. it hasn't really affected anything and it still listens for the remote logs so i haven't been bothered to looked for the reason.

This may be the reason. The reboots in question to place over a short period of time.

Jan 19 01:29:31 syslogd 1.4.1: restart.
Jan 19 01:37:12 syslogd 1.4.1: restart.
Jan 19 02:02:27 syslogd 1.4.1: restart.
Jan 19 19:51:03 syslogd 1.4.1: restart.
Jan 19 19:56:44 syslogd 1.4.1: restart.
Jan 19 20:08:40 syslogd 1.4.1: restart.
Jan 19 20:13:41 syslogd 1.4.1: restart.
Jan 19 20:20:23 syslogd 1.4.1: restart.
Jan 19 20:28:32 syslogd 1.4.1: restart.
Jan 19 20:39:32 syslogd 1.4.1: restart.
Jan 19 20:46:35 syslogd 1.4.1: restart.
Jan 19 20:55:21 syslogd 1.4.1: restart.
Jan 20 08:42:21 syslogd 1.4.1: restart.
Jan 20 09:04:02 syslogd 1.4.1: restart.
Jan 20 09:14:11 syslogd 1.4.1: restart.
Jan 20 09:21:22 syslogd 1.4.1: restart.
Jan 20 09:28:25 syslogd 1.4.1: restart.

MS3FGX · 01-23-2006, 04:15 PM

Like irpstrcr said, buy changing the permissions.

Create a group, put in everyone you want to be able to shutdown the machine, then make the ownership of shutdown and halt to root:groupname.

Then give them the permissions 770.

But I would be more worried about if there is really an exploit in place on your server, and finding out if it is even secure enough to keep using.