Ridding myself of root passwords?

S. Dale Morrey sdalemorrey at gmail.com
Thu Feb 6 11:18:22 MST 2014


Process was running as an unpriviledged user.
I'm guessing SELinux might have helped but in as we discussed before I make
it habit to shut that off because 99% of the time it's just in my way.
Many, many times the only solution to a daemon not launching is "setenforce
0" or some other "let's shut off selinux" type of answer, to the point that
disabling it is one of the first things I do.  I can't have security
getting in the way of usability all the time like that.

If something is a high value target (for instance if I had kept bitcoins on
that server) I might have considered leaving it on and trying to make them
play nice.  Fact is I was using it as a feeder node for a pool.  The worst
possible thing that could have happened in that case is that someone could
turn it into a spam relay (which they did).

The daemon was bitcoind or actually a variant, but the important bits are
all bitcoind.  Fortunately I'm not dumb enough to leave money sitting on a
box on the internet :)


On Thu, Feb 6, 2014 at 11:09 AM, Michael Torrie <torriem at gmail.com> wrote:

> On 02/06/2014 09:30 AM, S. Dale Morrey wrote:
> > Well oddly enough today I had a server hacked.  There was a priviledge
> > escalation flaw in the only exposed daemon (probably a 0 day of somesort
> > I've reported it to the devs).
>
> Indeed we are only as secure as the weakest link in the chain.  What
> daemon was hacked?
>
> > Someone managed to get root, remove the cert, set a password and login
> via
> > ssh and then set the box up as a spam relay of all things.
> > I think from now on, I'm going to see if there is a way to just
> completely
> > remove the root user.  (Box is fully patched and auto-updates and applies
> > patches daily).
>
> Think you're barking up the wrong tree. Disabling root as a login user
> would not help you not get hacked in this instance. In your case the
> problem is that the service either was running as root (which your
> disabling of root login will not change), or had a privilege escalation
> path available to it.  So you need to a) not run the service as root and
> b) make sure selinux or similar system is locking down the process. to
> restrict what it can do, even if it does get hacked.
>
>
> > I would like to setup a central auth server (probably LDAP) that auths me
> > as an individual to these servers.  Then remove root completely.  Is that
> > even possible?
> > I guess in reality it would be no different than just renaming root to a
> > different name, but frankly cleaning up the damage from this script kiddy
> > is annoying me.
>
> Again, it wouldn't have helped you.
>
> >
> > Having an auth server be authoritative for a box, and then have
> permissions
> > and groups set by the box seems like a decent solution, but then I ask
> > myself, what happens when the authbox gets cracked?
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>


More information about the PLUG mailing list