- Who is disabling root ?
07-05-2006 05:29 AM
It was happening every 10 minutes, so I checked cron.log on this server, nothing there either. So I guess it's another server trying to connect to this guy.
I use getprpw and can see culogin steadily climb.
It could be any one of 100 unix servers using rsh or ssh to try connecting to this server. I'm going to hit up the network guys to check out traffic on the ssh port (hoping that's the issue), but what else can I try on the unix end to track it down ?
07-05-2006 05:32 AM
lastb
parses the file /var/adm/syslog/btmp
Bad logins.
There is a command line parameter -R (check the man brain is fuzzy) that will let you see the source of bad logins. It will display ip or hostname of the offending server.
lastb | grep root
If you are exposed to the internet, even via port forwarding you may be the victim of script kiddies. In that case, stop direct ssh login.
The network guys aren't really going to be of much use unless you need help tracing the ip address from lastb. You have all the tools on your system to figure this out.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
07-05-2006 05:52 AM
Re: Who is disabling root ?
The information shown by "lastb -R" doesn't show anywhere near enough invalid logins to match up with the unsuccessful-login-count increase shown by getprpw. For example, the count shown by getprpw got as high as 892 before I "sudo su -" to reset it, but lastb only showed 58 lines. (I have a script that displays getprpw info every 30 seconds so I can watch the unsuccessful login count increase.) So I'm guessing the unsuccessful-login-count increase is NOT being caused by someone actually trying to login to the server, or by someone trying to su on that server.
I'm guessing it's someone on another server doing a "ssh
07-05-2006 06:05 AM
Re: Who is disabling root ?
58 bad logins is enough to disable your root account several times a day depending on what the settings are.
Standard settings for a trusted system are three bad logins and the account is locked.
60 bad logins an hour is enough to lock the root password every 10 minutes.
A script that uses getprpw might be helpful if it's providing more useful info.
SEP
07-05-2006 07:04 AM
Re: Who is disabling root ?
lastb shows the last entry at 13:15 today.
Yet looking at the output of my script that shows getprpw every 30 seconds shows the culogin increasing by 1 every 10 minutes. So something is causing the unsuccessful-login-count to increase without showing up as an invalid login. I would have thought they would match.
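Added example, not posted by anyone in this thread: a small POSIX shell script that does the bookkeeping discussed above (lastb | grep root, lastb -R for the source host, and the getprpw culogin counter that keeps climbing) in one place. It counts root records in saved lastb -R output, breaks them down by source host, and subtracts that total from the rise in culogin, so a positive result is exactly the symptom reported here: the counter moves without a matching btmp record. The sample lastb lines, hosts and counter values are constructed; the lastb column order and the getprpw field names culogin and umaxlntr are assumptions to check against your own output.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile the trusted-system
# unsuccessful-login counter with the bad-login records lastb reads from btmp.
#
# Assumptions, none of them stated in the thread:
#  - "lastb -R" output has been saved to a file with the columns
#    user tty host date...; adjust the awk field numbers if yours differ.
#  - the counter was read before and after the window, e.g. with
#    getprpw -m culogin,umaxlntr root (field names as in getprpw(1M)).

# Constructed sample of lastb -R output; hosts and times are made up.
SAMPLE_LASTB='root     pts/1    10.0.0.12    Wed Jul  5 13:05
root     pts/2    10.0.0.12    Wed Jul  5 13:10
root     pts/1    10.0.0.37    Wed Jul  5 13:15
oracle   pts/3    10.0.0.37    Wed Jul  5 13:15'

# sample_file -> path of a temp file holding the constructed sample
sample_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LASTB" > "$f"
    echo "$f"
}

# count_root_failures FILE -> number of failed root logins recorded in btmp
count_root_failures() {
    awk '$1 == "root" { n++ } END { print n + 0 }' "$1"
}

# root_failures_by_host FILE -> "count host" lines, busiest source first
root_failures_by_host() {
    awk '$1 == "root" { c[$3]++ } END { for (h in c) print c[h], h }' "$1" | sort -rn
}

# counter_gap BEFORE AFTER FILE -> culogin increments with no btmp record.
# A positive number is the thread's symptom: something bumps the counter
# without going through a login that lastb can see.
counter_gap() {
    recorded=$(count_root_failures "$3")
    echo $(( $2 - $1 - recorded ))
}

# lockouts_expected DELTA UMAXLNTR -> how many times DELTA failures cross
# the lockout threshold (3 on a default trusted system, per the thread)
lockouts_expected() {
    echo $(( $1 / $2 ))
}

# Demo on the constructed data: culogin went from 830 to 892 while btmp
# gained only three root records.
f=$(sample_file)
echo "root records in btmp: $(count_root_failures "$f")"
root_failures_by_host "$f"
echo "counter increments with no btmp record: $(counter_gap 830 892 "$f")"
echo "lockouts expected from 60 failures at a limit of 3: $(lockouts_expected 60 3)"
rm -f "$f"
```

Run it on a real capture by replacing sample_file with the path of a saved lastb -R listing and the two counter readings you took with getprpw. If the per-host table accounts for every increment, the source is a host in that table; if the gap stays positive, the failures are coming from a path that never writes btmp, which is where syslog and the su log become the next place to look.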
07-05-2006 07:10 AM
Re: Who is disabling root ?
-denver
07-05-2006 07:14 AM
Re: Who is disabling root ?
Have you looked at the syslog to determine which host the attempts might be from since lastb isn't returning what you'd expect?
-denver
07-05-2006 07:14 AM
Re: Who is disabling root ?
'tcpdump' may be useful in determining the source of the login attempts.
PCS
07-05-2006 07:50 AM
Re: Who is disabling root ?
07-05-2006 08:06 AM
Re: Who is disabling root ?
07-05-2006 08:25 AM
Re: Who is disabling root ?
inetd -l
to temporarily implement A. Clay's suggestion.
inetd.conf can be modified to make it permanent.
I'd say your /var/adm/btmp file is being hammered. That could be a cron job, it could also be the work of a malicious attacker trying to cover his/her tracks.
I recommend taking the system off the network for a few moments.
remove the btmp and wtmp files and put them back with standard permissions as in root can only write to them.
Also check last and see if there are unexplained successful logins.
It is possible your system has already been hacked. I doubt it, but can not discount it. When I was new and did not know what btmp and wtmp were for I once wrote a cron job to regularly remove them.
Later I changed that to copy, archive and then zero them out.
> /var/adm/syslog/wtmp
> /var/adm/syslog/btmp
SEP
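Added example, not posted by anyone in this thread: a POSIX shell version of the copy, archive, zero-out and permission check described in the post above, written so the same steps can be rehearsed on a scratch directory before touching the real accounting files. It truncates the file in place instead of removing and recreating it, so whatever already has the file open keeps a valid inode, and it reports whether group or other still have write access afterwards. The paths are parameters because the thread quotes both /var/adm/btmp and /var/adm/syslog/btmp; the 644 mode, the archive naming and the scratch content are my assumptions, not something the post states.

```shell
#!/bin/sh
# Added example (not from the thread): archive a login-accounting file
# (btmp or wtmp), zero it in place, and verify only the owner can write it.
# Paths, mode and archive layout are assumptions; check your own system.

# rotate_login_log FILE ARCHIVE_DIR -> prints the path of the archive copy.
# Truncating with ": >" rather than rm + recreate keeps the inode that
# login and sshd already hold open, so no record is written to a dead file.
rotate_login_log() {
    file=$1; dir=$2
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$dir/$(basename "$file").$stamp"
    mkdir -p "$dir" || return 1
    cp -p "$file" "$archive" || return 1
    chmod 600 "$archive"             # the archive is evidence; owner-only
    : > "$file"                      # zero it out, same effect as "> $file"
    chmod 644 "$file"                # owner write only; root owns it on a real host
    if command -v gzip >/dev/null 2>&1; then
        gzip -f "$archive" && archive="$archive.gz"
    fi
    echo "$archive"
}

# writable_by_others FILE -> succeeds (0) if group or other have write
# permission, i.e. the file does not have the "root can only write" shape.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a scratch directory with constructed content, so nothing on the
# real system is touched. The 666 mode stands in for a file that has been
# tampered with or recreated badly.
demo=$(mktemp -d)
printf 'constructed btmp content, not a real record\n' > "$demo/btmp"
chmod 666 "$demo/btmp"
writable_by_others "$demo/btmp" && echo "before: btmp is writable by others"
archived=$(rotate_login_log "$demo/btmp" "$demo/archive")
echo "archived copy: $archived"
writable_by_others "$demo/btmp" && echo "after: still writable by others" \
                                || echo "after: permissions ok, file zeroed"
rm -rf "$demo"
```

On the real host you would run rotate_login_log as root against the live btmp and wtmp paths and then confirm ownership with ls -l, since chmod alone does not fix a file that has been handed to the wrong owner. The archived copies are what you go back to when checking last for successful logins you cannot explain.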
07-05-2006 08:34 AM
Re: Who is disabling root ?
07-05-2006 10:33 AM
Re: Who is disabling root ?
/etc/pam.conf only authorizes unix stuff in there.
sshd_config/SyslogFacility set to the default of AUTH
No errors in syslog.log - I can see "normal" ssh messages there and if I purposely do an invalid ssh, it shows up.
/etc/securetty exists with console
I can always get back into root thru the console to unlock it, so even easier (sudo su -) but the problem is "ssh to this server will NOT work when root is disabled". Unless someone knows of an option to permit ssh-to-root even if root-is-disabled.
I have to leave "PermitRootLogin" set in sshd_config. We have too many features ssh'ing between the servers.
We know we could get around the issue by doing a "sudo" or a "modprpw -k root" periodically but we want to fix the issue. Besides we want to know who's doing it.
I'm pretty sure the problem is related to some monitor or SIM job. I'll tackle the increased logging next but around here, "the pope has to approve stuff like that".
07-05-2006 11:23 AM