Ridding myself of root passwords?
S. Dale Morrey
sdalemorrey at gmail.com
Thu Feb 6 11:18:22 MST 2014
Process was running as an unprivileged user.

I'm guessing SELinux might have helped but as we discussed before I make it a habit to shut that off because 99% of the time it's just in my way. Many, many times the only solution to a daemon not launching is "setenforce 0" or some other "let's shut off selinux" type of answer, to the point that disabling it is one of the first things I do. I can't have security getting in the way of usability all the time like that.

If something is a high value target (for instance if I had kept bitcoins on that server) I might have considered leaving it on and trying to make them play nice. Fact is I was using it as a feeder node for a pool. The worst possible thing that could have happened in that case is that someone could turn it into a spam relay (which they did).

The daemon was bitcoind or actually a variant, but the important bits are all bitcoind. Fortunately I'm not dumb enough to leave money sitting on a box on the internet :)
On Thu, Feb 6, 2014 at 11:09 AM, Michael Torrie <torriem at gmail.com> wrote:
> On 02/06/2014 09:30 AM, S. Dale Morrey wrote:
> > Well oddly enough today I had a server hacked. There was a privilege
> > escalation flaw in the only exposed daemon (probably a 0 day of some sort;
> > I've reported it to the devs).
> Indeed we are only as secure as the weakest link in the chain. What
> daemon was hacked?
> > Someone managed to get root, remove the cert, set a password and login
> > ssh and then set the box up as a spam relay of all things.
> > I think from now on, I'm going to see if there is a way to just
> > remove the root user. (Box is fully patched and auto-updates and applies
> > patches daily).
> Think you're barking up the wrong tree. Disabling root as a login user
> would not help you not get hacked in this instance. In your case the
> problem is that the service either was running as root (which your
> disabling of root login will not change), or had a privilege escalation
> path available to it. So you need to a) not run the service as root and
> b) make sure selinux or similar system is locking down the process, to
> restrict what it can do, even if it does get hacked.
> > I would like to setup a central auth server (probably LDAP) that auths me
> > as an individual to these servers. Then remove root completely. Is that
> > even possible?
> > I guess in reality it would be no different than just renaming root to a
> > different name, but frankly cleaning up the damage from this script kiddy
> > is annoying me.
> Again, it wouldn't have helped you.
> > Having an auth server be authoritative for a box, and then have
> > and groups set by the box seems like a decent solution, but then I ask
> > myself, what happens when the authbox gets cracked?
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
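Michael's two points above, (a) don't run the service as root and (b) let SELinux confine it, as an added POSIX sh audit that is not part of this thread: it parses `ps -eo pid,user,label,comm` output (format assumed; the rows below are constructed) and flags daemons that are root and unconfined, or merely unconfined, which is where Dale's bitcoind sat once SELinux was switched off.

```shell
#!/bin/sh
# Audit the two conditions from the reply above: (a) a daemon running as root and
# (b) a daemon running unconfined because SELinux is off or has no policy for it.
# Input format assumed: `ps -eo pid,user,label,comm` (label is "-" when SELinux is
# disabled, unconfined_service_t for services the policy does not cover).

# Constructed sample: SELinux enforcing, but bitcoind and postfix have no policy.
SAMPLE_PS_ENFORCING='  PID USER     LABEL                                     COMMAND
    1 root     system_u:system_r:init_t:s0               systemd
  812 root     system_u:system_r:sshd_t:s0               sshd
 1340 bitcoin  system_u:system_r:unconfined_service_t:s0 bitcoind
 1922 root     system_u:system_r:unconfined_service_t:s0 postfix'

# Constructed sample: SELinux disabled, so every label is "-".
SAMPLE_PS_DISABLED='  PID USER     LABEL COMMAND
  812 root     -     sshd
 1340 bitcoin  -     bitcoind'

# Print "<command> <verdict>" per process. Verdicts:
#   root-unconfined : any bug is instant root with nothing to contain it
#   unconfined      : not root, but an escalation bug (Dale's case) goes straight to root
#   confined        : an SELinux domain limits what a compromised process can do
classify_daemons() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        lbl = ($3 == "-") ? "unconfined" : $3
        if ($2 == "root" && lbl ~ /unconfined/) v = "root-unconfined"
        else if (lbl ~ /unconfined/)            v = "unconfined"
        else                                    v = "confined"
        print $4, v
    }'
}

# Map the output of `getenforce` to a verdict for the whole host.
selinux_mode() {
    case "$1" in
        Enforcing)  echo "ok" ;;
        Permissive) echo "warn: denials are logged, nothing is blocked" ;;
        *)          echo "fail: SELinux disabled, every daemon is unconfined" ;;
    esac
}

# Usage on a live host (needs procps and the SELinux userland):
#   classify_daemons "$(ps -eo pid,user,label,comm)"
#   selinux_mode "$(getenforce)"
```
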