  1. #1

    Logging in as root

    Security question. I logged in as root to my machine. I tried to, but before doing so it said it did not recognise the connection.

    So I disconnected, because I have logged in at this machine before. So I figure a possible hack attempt.

    Is there a way to know for sure, or take extra preventative measures before logging in again?

  2. #2
    Join Date
    Sep 2002
    Posts
    900
    First of all, you should never directly log in as root. You should be using SSH to log in, if not, install it!

    You should also first log in as a regular user and then su to root. In your /etc/ssh/sshd_config, there is a line that says

    Allow Root Access: Yes

    Change Yes to No. Logging in through root increases security risks despite the fact an SSH connection is encrypted.

    If you think your server has been compromised, get a copy of chkrootkit and scan your system for rootkits. Most advanced attackers will be able to evade such tools, so this is DEFINITELY NOT the final test to see if you've been compromised. Rootkits like Adore can evade such scans, as seen on the creator's website: stealth.7350.org (That's teso, if you couldn't guess.)

    www.team-teso.net is their actual homepage; they write numerous security advisories as well as tools.

  3. #3

    I have been using SSH

    But I will do as you suggested. I will take the long way in: user first and su to root.

    I will download the rootkit checker. (Better to be safe)

    And disallow root access as well.

    Thanks for the guidelines. I am sure they will help solve some of these issues.

  4. #4
    Join Date
    Feb 2002
    Location
    Philadelphia, PA
    Posts
    96

    Also....

    I don't know how your server is set up, but you would want to limit which users are able to su to root. Either create a group where only the users from that group can su, or where only your user can su to root, but do not allow the world to be able to su to root.

    You want the root password to change on a regular basis. A script called autopasswd can be set up in cron which will change the password automatically. In addition, you might want to remove ftp access from root.

    Also, make sure you set up your user ID like you would any user, where your password changes and is alphanumeric, etc.

  5. #5

    I will try to implement the changes

    I will try to get my hands on the auto password configuration script, and I will have root blocked for ftp access.

    Also I will assign a user group for root. There will be 2, maybe 3 people with access at the most.

    Thanks for the advice.

  6. #6
    How does logging in as root via ssh increase a security risk? I can speculate as to various possibilities, but it seems to me anyone who can get your root pw is just as easily going to be able to get your regular user pw as well. Isn't the risk of logging in as root via ssh negligible?

    Thanks

  7. #7
    Join Date
    Jul 2001
    Posts
    889
    Originally posted by gromit
    How does logging in as root via ssh increase a security risk? I can speculate as to various possibilities, but it seems to me anyone who can get your root pw is just as easily going to be able to get your regular user pw as well. Isn't the risk of logging in as root via ssh negligible?

    Thanks
    I don't know for sure, but I gather one reason is this:

    Every Linux/Unix server has root. Any cracker can just run a password utility to hack into it.

    If you disable root logins from outside, you are protected from this. You can log in from an unpublicized account - and even if they find out this username, they have to not only crack the password for root, but the one you log in with as well.

    Like I said, I'm not sure if this is the real reason, but it works for me.

  8. #8
    Join Date
    Apr 2001
    Location
    Depok, Indonesia
    Posts
    988
    Originally posted by gromit
    How does logging in as root via ssh increase a security risk? I can speculate as to various possibilities, but it seems to me anyone who can get your root pw is just as easily going to be able to get your regular user pw as well. Isn't the risk of logging in as root via ssh negligible?

    Thanks
    A malicious user can use a brute-force program to guess the password. A better compromise would be disabling root SSH login using a password, but still allowing login using RSA/DSA authentication. This way the system is more secure, but you are still able to do administrative tasks that require root login (backups, etc).
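    The two sshd settings discussed in this post and in #2 (refuse root entirely, or refuse only password logins for root while keeping key authentication), as an added audit script that is not from the thread. It assumes a current OpenSSH, where the directive is PermitRootLogin, and uses constructed sample configs in place of /etc/ssh/sshd_config:

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the root-login
# exposure discussed above. The real OpenSSH directive is PermitRootLogin: "no"
# blocks root over SSH; "prohibit-password" ("without-password" on older
# releases) allows root only with a key.

# Print the effective value of one directive. OpenSSH takes the first occurrence,
# matches names case-insensitively and ignores '#' comments. Match blocks are
# not evaluated here.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Classify how root can log in: "blocked", "keys-only" or "password".
root_login_risk() {
    v=$(sshd_value "$1" PermitRootLogin)
    # Assumption: OpenSSH 7.0 or later, whose built-in default is prohibit-password.
    case "${v:-prohibit-password}" in
        no) echo blocked ;;
        prohibit-password|without-password|forced-commands-only) echo keys-only ;;
        yes)
            # Passwords arrive via PasswordAuthentication or keyboard-interactive (PAM).
            pw=$(sshd_value "$1" PasswordAuthentication)
            kbd=$(sshd_value "$1" KbdInteractiveAuthentication)
            kbd=${kbd:-$(sshd_value "$1" ChallengeResponseAuthentication)}
            if [ "${pw:-yes}" = no ] && [ "${kbd:-yes}" = no ]; then
                echo keys-only
            else
                echo password
            fi ;;
        *) echo password ;;   # unknown value: treat as exposed
    esac
}

# Constructed samples: the exposure from the thread, and the hardened form.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
echo "weak config: root login via $(root_login_risk "$WEAK")"   # password
echo "hard config: root login via $(root_login_risk "$HARD")"   # keys-only
```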

  9. #9
    Join Date
    Sep 2002
    Posts
    256
    Why not simply create a NEW superuser (root) account (user ID 0, I think, if I remember right) under a different username than root, and turn the actual account CALLED "root" into a chopped-down no-permissions standard user account?

    So if someone DOES log in as "root" it's not really the true root account, which could just as easily be called "bob".

  10. #10
    Join Date
    Aug 2002
    Location
    London, UK
    Posts
    9,037
    Or just manage the box properly and disallow root logins.
    Matt Wallis
    United Communications Limited
    High Performance Shared & Reseller | Managed VPS Cloud | Managed Dedicated
    UK www.unitedhosting.co.uk | US www.unitedhosting.com | Since 1998.

  11. #11
    Join Date
    Jul 2001
    Posts
    889
    Originally posted by greatbeast
    Why not simply create a NEW superuser (root) account (user ID 0, I think, if I remember right) under a different username than root, and turn the actual account CALLED "root" into a chopped-down no-permissions standard user account?

    So if someone DOES log in as "root" it's not really the true root account, which could just as easily be called "bob".
    Because you can't have your cake and eat it too.

    If you created a "NEW" user, then you'd have a "root" account with a UID that is #1 --> not equal to 0 and #2 --> greater than 500.

    That's not good...

  12. #12

    Info overload.

    Is there a final what-works-best, what-does-not-work-best analysis? (Group consensus?)

    Something that could, let's say, easily be executed from a Cpanel account?

    With step-by-step, play-by-play details?

    Also I've seen a few offers for Admin/Management. I've seen

    1. http://www.boxadmin.com

    2. http://www.wolfstream.net

    3. http://www.ikiwi.net

    All for around the same price. $75.00 anyone have any recommendations?

    Please leave feedback. Or email me.

    Thanks.

  13. #13
    Join Date
    Sep 2002
    Posts
    256
    Originally posted by aragon
    Because you can't have your cake and eat it too.

    If you created a "NEW" user, then you'd have a "root" account with a UID that is #1 --> not equal to 0 and #2 --> greater than 500.

    That's not good...
    Sorry, I was unspecific...

    What I meant was the equivalent of RENAMING "root" to something else, keeping the superuser account with ID 1,
    and creating a USER account called "root" that would be a simple stripped-down user account.

    So anyone trying to hack root would get nowhere even if they succeeded.

  14. #14
    Join Date
    Feb 2002
    Location
    Philadelphia, PA
    Posts
    96

    SSH

    A reason for using SSH is not necessarily to combat a password checker, but rather prevent someone from sniffing the line and seeing your password go by unencrypted. SSH provides the necessary encryption that regular telnet does not.

    Also, you can change the root username, but then you have to change everything on the system that was owned by root. It could get messy when you start installing patches, and it might not be worth the headache, because you would need to do this in maintenance mode so that the kernel is free and clear.

    If root is set up the way a lot of us have been talking, then you can't "crack" the root password unless you crack one of the passwords in the group that can su to root, and you have to know what those IDs are. Make sure you have stringent security policies for these users, and always change the root password at least once a month.

    Also, make sure you shut down unnecessary inet services like date, echo, chargen, NFS (possibly), automount, etc. Also, make your login screen as plain as possible. I just have "login:".

    Happy securing.

  15. #15
    Join Date
    Sep 2002
    Posts
    900
    greatbeast, you can't "strip down" the root user unless you edit your kernel, which would be a great deal of work to accomplish something insignificant, because if an attacker has the "stripped down root" account it will be just as easy to gain access to the other root account. Having two root accounts just heightens security risks. Security through obscurity is a no-no.
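    Two checks for who can actually become root on a box, as an added script that is not from the thread: it lists every UID-0 account in a passwd file (the second root account debated in #9, #11 and #13 shows up here, as does the extra UID-0 login a compromised box often carries), and reads the su PAM stack to confirm su is limited to one group, as #4 recommends. It assumes Linux-PAM and the usual /etc/passwd, /etc/group and /etc/pam.d/su layouts, with constructed sample files standing in for the real ones:

```shell
#!/bin/sh
# Added example, not from the thread: audit who can become root.
# Check 1: every account whose UID is 0 (the "second root" from the thread).
# Check 2: is su restricted to one group via pam_wheel? Assumes Linux-PAM.

# Print every login name whose UID field (3rd colon field) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print the group pam_wheel restricts su to, or nothing if su is unrestricted.
# Only "auth required/requisite pam_wheel.so" restricts; the group defaults to
# "wheel" unless a group=NAME option is present.
su_restricted_to() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $2 ~ /^(required|requisite)$/ && $3 ~ /pam_wheel\.so$/ {
            grp = "wheel"
            for (i = 4; i <= NF; i++) if ($i ~ /^group=/) grp = substr($i, 7)
            print grp; exit
        }
    ' "$1"
}

# Print the supplementary members of group $2 from a group-format file $1.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Constructed sample files standing in for /etc/passwd, /etc/group, /etc/pam.d/su.
PASSWD=$(mktemp); GROUP=$(mktemp); PAMSU=$(mktemp)
trap 'rm -f "$PASSWD" "$GROUP" "$PAMSU"' EXIT
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bob:x:0:0:second UID-0 account from the thread:/home/bob:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
printf 'wheel:x:10:alice\nusers:x:100:\n' >"$GROUP"
cat >"$PAMSU" <<'EOF'
auth sufficient pam_rootok.so
auth required   pam_wheel.so use_uid
auth include    system-auth
EOF

echo "UID-0 accounts: $(uid0_accounts "$PASSWD" | tr '\n' ' ')"      # root bob
grp=$(su_restricted_to "$PAMSU")
echo "su limited to group '${grp:-<none>}': $(group_members "$GROUP" "$grp" | tr '\n' ' ')"
```

    On a real box run the three functions against the live files; more than one UID-0 line, or an empty result from su_restricted_to, is a finding to chase.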

  16. #16
    Okay, why is it that everybody talks about Linux being stable and powerful, and everybody is talking about it being hacked?

    Simply set the Password Retry Attempts to 5 or 10. Create a password that is 31 characters long and a username that is equally as long.

    Might be a bit tedious to log on, but it should solve almost any Brute Force Attack.

  17. #17

    More memory work

    But sounds really simple.

    Long password, long user name. Few attempts to login.

    Sounds like an easier work around for the security issues.

  18. #18
    Join Date
    Feb 2002
    Location
    Philadelphia, PA
    Posts
    96

    31 Characters?

    I hate typing in Administrator in an NT environment. Anyway, all you need to do is add two numbers into any password and it is virtually unbreakable.

    I have login attempts set to 3 for all users, and since you can't login directly as root the only account that should have a problem is your personal account.

    Also, failed attempts at root are logged and e-mailed, just in case.

    Keep in mind the servers I support are for major companies with very sensitive data, and so this may be overkill for other applications.
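    The logging this post describes, as an added detection check that is not from the thread: it reads sshd's auth log, counts failed root logins per source address, flags sources over a threshold, and lists every accepted root login (which should never appear once direct root login is disabled, as in #2 and #8). It assumes OpenSSH's syslog line format as found in /var/log/auth.log or /var/log/secure; the log lines below are constructed:

```shell
#!/bin/sh
# Added example, not from the thread: review sshd's auth log for root attempts.
# Assumes OpenSSH's syslog format; sample lines below are constructed.

# Print "count ip" for each address with failed root logins, busiest first.
failed_root_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed [a-z]+ for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Print addresses whose failed-root count is at least the threshold ($2).
root_bruteforce_sources() {
    failed_root_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Print the source address of every successful root login. With direct root
# login disabled this should print nothing; anything here needs investigating.
accepted_root_logins() {
    awk '/sshd\[[0-9]+\]: Accepted [a-z]+ for root from / {
        for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
    }' "$1"
}

LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Oct  3 02:14:01 host sshd[2210]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct  3 02:14:04 host sshd[2210]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct  3 02:14:07 host sshd[2210]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct  3 02:15:11 host sshd[2231]: Failed password for invalid user admin from 198.51.100.9 port 40012 ssh2
Oct  3 02:16:30 host sshd[2240]: Failed password for root from 198.51.100.9 port 40020 ssh2
Oct  3 02:17:45 host sshd[2255]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2
Oct  3 02:18:02 host sshd[2260]: Accepted password for root from 203.0.113.5 port 51030 ssh2
EOF

echo "failed root logins by source:"; failed_root_by_ip "$LOG"
echo "brute-force sources (>=3): $(root_bruteforce_sources "$LOG" 3 | tr '\n' ' ')"
echo "accepted root logins from: $(accepted_root_logins "$LOG" | tr '\n' ' ')"
```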

  19. #19

    Passwords are set with..

    the numbers and letters.

    I have heard that should make it harder to crack into.

    I think it's just a matter of being aware and with more time
    comes more awareness.

    Till then this forum has once again been a great source of information.

    Thanks.
