[WBEL-users] Password changing overnight.

King, John (Greg) (LMIT-HOU) Greg.King@lmit.com
Tue, 17 Aug 2004 09:13:37 -0500


Besides disabling root's ability to ssh, you should look at limiting access
to the ssh port in general if possible. An example entry using iptables:

-A tcp_inbound -s src_ip -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

Then there's a good thread these last few weeks on configuring sshd for key
auth.

One thing I may have missed in your post is whether other users besides admins
have access to the system shell. If so, you should also restrict su to root
only and then set up any users that need to issue root commands with sudo
(add them to the wheel group and then run visudo to grant privs). Also look at
bastille-linux for some extra hardening.

Next you may want to go get Knoppix-STD http://www.knoppix-std.org/

This is a nice bootable system with plenty of security tools on it. First
run it on a remote system and run Nessus against a system to see what is
reported. If that is clean, try booting a server whose password changed with
the Knoppix-STD disk and run some of the local analysis tools such as
chkrootkit, sleuthkit and autopsy etc.

Actually, now that I think about it, where are the servers located? If anyone
can get to the servers they could simply use a linux recovery cd (or knoppix
like disc), mount the disk and change the root password and/or install a
rootkit.

Anyhow just some ideas,

Greg

> -----Original Message-----
> From: whitebox-users-admin@beau.org
> [mailto:whitebox-users-admin@beau.org]On Behalf Of Graham Waring
> Sent: Monday, August 16, 2004 9:24 PM
> To: kbohling@birddog.com; denis@just-servers.co.uk
> Cc: whitebox-users@beau.org
> Subject: Re: [WBEL-users] Password changing overnight.
> 
> 
> G'day all,
> 
> I agree here, in my 8 years experience in linux I have not had a root
> password change itself.....not yet anyway...but never discount anything!  My
> money is on some smart-arse changing it for you.  To identify the smart-arse
> check the usual output of last and history and also have a look at
> /var/log/wtmp.  (You probably do this anyway but) cd to /var/log and run
> tmpdump wtmp and check its useful output.  Your issue could be a major pain
> if you are remote and going into single user to change the root password
> involves a 2 hour drive and grub is password protected too!  If you have
> remote access, firstly disable root login via ssh so you have to go in as a
> normal user and then su to root, then ensure the logs for su are just you
> and not someone else.  Another suggestion (which is not really advisable but
> may help on an occasion or two) create a special user account and change
> its user id and group id to 0 in the /etc/passwd.  Then if you try to su to
> root and the password has changed, just su to your special user account and
> then change the root password.  You then run into the possibility of the
> smart-arse changing this account's password too :(
> 
> Good luck
> Graham
> 
> 
> 
> >From: Kirby Bohling <kbohling@birddog.com>
> >To: Denis Croombs <denis@just-servers.co.uk>
> >CC: whitebox-users@beau.org
> >Subject: Re: [WBEL-users] Password changing overnight.
> >Date: Mon, 16 Aug 2004 05:06:10 -0500
> >
> >On Mon, Aug 16, 2004 at 10:38:50AM +0100, Denis Croombs wrote:
> > > I have a VERY strange problem some whitebox & Redhat 9.0 system change their
> > > ROOT passwords overnight, (not very often) this is a real pain, any clues as
> > > to why it should happen ? It also has happened for a normal user as well but
> > > that is easier to cope with.
> > > I am currently helping 1 school with 8+ whitebox systems and 1 Redhat 9.0.
> > > This has happened 3 times in 3 weeks on the Redhat 9.0 and 4 times on
> > > Whitebox system over the last 4 weeks.
> >
> >Denis,
> >
> >	Uhhh, in 9 years of running Linux, the only time my root
> >password has ever changed is when I did it, or someone broke into
> >my machine and had some fun at my expense.
> >
> >	If there is no remote access, it's still relatively easy to just
> >reboot into single user mode and change the password.  Unless you
> >have some odd password expiration setup, someone is changing your
> >root password.  Have you tried putting it thru an MD5 password
> >cracker?  I know one was posted to slashdot in the past month or so.
> >
> >	Are you just using straight up /etc/shadow passwords with
> >standard file based authentication?  What are the symptoms that lead
> >you to believe the password has been changed (I've had several times
> >where LDAP problems that timed out acted like a password change).
> >
> >	Thanks,
> >		Kirby
> >_______________________________________________
> >Whitebox-users mailing list
> >Whitebox-users@beau.org
> >http://beau.org/mailman/listinfo/whitebox-users
> 
>
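Graham suggests checking `last`, `history` and the su logs, and Greg suggests disabling root ssh logins and restricting su. The script below is an added example (not from any poster on this list, nor from WBEL) of doing that check over the Red Hat 9 / WBEL style `/var/log/secure` lines: it flags root logins over ssh, su to root by anyone outside a trusted list, ssh logins from outside trusted networks, and root password changes, then pairs each root password change with the root sessions opened shortly before it. The log lines, host name, user names, addresses and the trusted lists are all constructed for the example.

```python
"""Audit Red Hat-style /var/log/secure lines for events that would explain a
root password that 'changed overnight'.  All sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format RH9/WBEL write to /var/log/secure.
SAMPLE_SECURE_LOG = """\
Aug 16 02:11:07 wb1 sshd[2113]: Accepted password for graham from 192.168.10.4 port 40312 ssh2
Aug 16 02:11:40 wb1 su(pam_unix)[2140]: session opened for user root by graham(uid=500)
Aug 16 02:15:02 wb1 su(pam_unix)[2140]: session closed for user root
Aug 16 03:47:19 wb1 sshd[2301]: Accepted password for root from 203.0.113.77 port 51234 ssh2
Aug 16 03:48:02 wb1 passwd(pam_unix)[2318]: password changed for root
Aug 16 03:49:55 wb1 su(pam_unix)[2330]: session opened for user root by student(uid=1042)
Aug 16 08:00:00 wb1 sshd[2500]: Accepted publickey for denis from 192.168.10.2 port 40500 ssh2
"""

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
SU_RE = re.compile(r"su\(pam_unix\)\[\d+\]: session opened for user (\S+) by (\S+)\(uid=(\d+)\)")
PASSWD_RE = re.compile(r"passwd\(pam_unix\)\[\d+\]: password changed for (\S+)")


def audit_secure_log(text, trusted_su_users=(), trusted_ssh_nets=()):
    """Return {finding_type: [(timestamp, detail), ...]} for the given log text.

    trusted_su_users: account names allowed to su to root (assumed list).
    trusted_ssh_nets: address prefixes ssh logins are expected from (assumed list).
    """
    findings = defaultdict(list)
    for line in text.splitlines():
        ts = line[:15]  # syslog timestamp: "Aug 16 02:11:07"
        m = SSH_RE.search(line)
        if m:
            method, user, src = m.groups()
            if user == "root":
                findings["root_ssh_login"].append((ts, f"{method} from {src}"))
            elif not any(src.startswith(net) for net in trusted_ssh_nets):
                findings["ssh_from_untrusted"].append((ts, f"{user} from {src}"))
            continue
        m = SU_RE.search(line)
        if m:
            target, by, uid = m.groups()
            if target == "root":
                findings["su_root"].append((ts, f"{by} (uid={uid})"))
                if by not in trusted_su_users:
                    findings["su_root_by_untrusted"].append((ts, f"{by} (uid={uid})"))
            continue
        m = PASSWD_RE.search(line)
        if m:
            findings["password_changed"].append((ts, m.group(1)))
    return dict(findings)


def _parse_ts(ts):
    # Syslog lines carry no year; a default year is fine for computing differences.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def explain_password_changes(findings, window_minutes=30):
    """Pair each root password change with root sessions opened within the window before it."""
    window = window_minutes * 60
    candidates = [(ts, "root ssh " + d) for ts, d in findings.get("root_ssh_login", [])]
    candidates += [(ts, "su by " + d) for ts, d in findings.get("su_root", [])]
    out = []
    for ts, user in findings.get("password_changed", []):
        if user != "root":
            continue
        t = _parse_ts(ts)
        near = [f"{cts} {desc}" for cts, desc in candidates
                if 0 <= (t - _parse_ts(cts)).total_seconds() <= window]
        out.append((ts, near))
    return out


if __name__ == "__main__":
    f = audit_secure_log(SAMPLE_SECURE_LOG,
                         trusted_su_users=("graham", "denis"),
                         trusted_ssh_nets=("192.168.10.",))
    for kind, events in f.items():
        for ts, detail in events:
            print(f"{kind:22s} {ts}  {detail}")
    for ts, near in explain_password_changes(f):
        print(f"root password changed at {ts}; preceding root sessions: {near}")
```

With the constructed log, the root ssh login from the untrusted address and the su by the unlisted account both surface, and the password change is tied to the root ssh session 43 seconds earlier. Once `PermitRootLogin no` and a pam_wheel restriction on su are in place, as the thread recommends, the first two finding types should stay empty and anything that does appear is worth a look.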