Full Version: Securing Linux
I am very new to this, so if I've posted this in the wrong place or the wrong way then please forgive me.
I am a network administrator in a small publicly funded IT college in east London, UK. We have a couple of Red Hat 9 servers running sendmail and apache for our website. We are concerned that the sendmail server, which is our mail gateway and sits outside our firewall, may have been hacked. When I search the internet for help on this issue, one of the things I find is that I should 'know' who and what the users listed in the passwd file are and what function they perform. Although some are obvious, such as root and mail, I find I have a line in that file for a user called nobody!
Is this normal?
nobody is a normal user ... it runs items like apache.

here is a standard RH9 passwd file with no extra users (except installed by programs):

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin

Most of those guys can't login (they have a shell of /sbin/nologin), however if you have been hacked, the cat, less, vi and other programs may have been changed so that they won't show the bad guy's logins.

See this thread for links to articles and advice on checking for root kits. Specifically, download chkrootkit and install it.

If you use apt for RH9 ... (i recommend apt) then you can use this (as /etc/apt/sources.list):

# You can use the file:/ entries for creating your local repository mirrors.

# Red Hat Linux 9
rpm redhat/9/i386 os updates
#rpm-src redhat/9/i386 os updates

# ATrpms for Red Hat Linux 9
# Possible sections: at-stable, at-good, at-testing, at-bleeding
rpm redhat/9/en/i386 at-testing
#rpm-src redhat/9/en/i386 at-testing

# FreshRPMS for Red Hat Linux 9
rpm redhat/9/i386 freshrpms
#rpm-src redhat/9/i386 freshrpms

# NewRPMS for Red Hat Linux 9
rpm redhat/en/i386/9.0 newrpms
#rpm-src redhat/en/i386/9.0 newrpms

# Dag Wieers' rpms for Red Hat Linux 9
rpm redhat/9/en/i386 dag
#rpm-src redhat/9/en/i386 dag

Then do:

apt-get update
apt-get install chkrootkit

To get chkrootkit ... or download and install it from the chkrootkit site.

Then run chkrootkit
If you are going to have the entire box outside your firewall, you need to develop a very strict iptables rule set for it ... like:

only allow port 22 from your internal networks (and any other things you may be doing for admin like vnc) ....

only allow tcp 25 (smtp) and tcp 110 (pop3) initiated from all addresses outside (and only 110 if you want POP3 available off site).

If you are allowing external web as well for viewing e-mails then maybe also ports 80 and 443 from outside.

I would block all other ports into the box via iptables...

The ruleset would look something like this:

:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -s -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:65535 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:65535 -j REJECT

Where is your IP network and zzz.zzz.zzz.zzz is the subnet mask. Remove the 80 and 443 entries if they are not required.
Thanks for the speedy reply to this post, and apologies for not picking this up earlier.
The first thing I have to report is that none of the accounts in my passwd file have /sbin/nologin:

ftp:*:14:50:FTP User:/var/ftp:

This is just a sample of the file to show you.

The other worrying thing is that when I installed the root kit and tried to run it I got "permission denied"... I'm hoping that this is 'normal', and that it is also normal for me to have to give permissions to files like this after they have been installed on Linux.
So I looked at the chmod command, but I'm afraid I couldn't work out how and what to give the right permissions to.

Thanks for the help so far, and looking forward to sorting this box out.
The command that I use to make files executable is:

chmod 755 filename
What file are you trying to execute ... if you installed chkrootkit by use of apt-get then it should already be executable ... if you downloaded the file named chkrootkit.tar.gz from the website, you have to untar the file with the command:

tar -xvzf chkrootkit.tar.gz

then go to the directory that was created (the version there right now is 0.43, so):

cd chkrootkit-0.43

After that, read the file named README with this command:


It tells you to install by issuing the command (from within the chkrootkit-0.43 directory):

make sense

then you can run the chkrootkit program by using the command (again from within the chkrootkit-0.43 directory):


The fact that you don't have /sbin/nologin as the login shell (yours is totally blank) is slightly less secure ... but shouldn't make any practical difference (since the users don't have passwords).

The only person that can login as a user with no login shell is root ... and if you are already logged in as root, you can easily edit the passwd file and remove the shell (or change the shell and password) for a user that has a /sbin/nologin shell.... although some script kiddie might not know that and fail in his attempt to do something if following a howto posted from a chatroom.

However, using /sbin/nologin is more secure and Security Focus ( recommends that you use it for the nobody to secure your apache server setup.
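Both replies come back to the same check: know every account in the passwd file, and look for blank shells, blank password fields and extra UID 0 entries. The script below does that audit over a constructed sample passwd file; it is an added example written for this thread, not code from either poster, and the UID 500 cutoff between system and ordinary accounts is an assumption based on Red Hat 9 defaults.

```shell
#!/bin/sh
# Audit a passwd file for the things discussed in the thread.
# Caveat from the thread: if the box is rooted, awk/cat/less may be
# trojaned too, so run this from known-good tools (e.g. a rescue CD).
# Field layout: name:passwd:uid:gid:gecos:home:shell

audit_passwd() {
    _file="${1:-/etc/passwd}"
    awk -F: '
        NF != 7 { printf "MALFORMED %s\n", $0; next }
        # any second UID 0 account is a classic backdoor
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
        # empty password field: no "x"/"*" marker at all, login with no password
        $2 == "" { printf "NOPASS %s\n", $1 }
        # empty shell field (the original poster'"'"'s case): login uses /bin/sh
        $7 == "" { printf "NOSHELL %s\n", $1 }
        # system account (assumed UID < 500) with a real shell
        $3 < 500 && $1 != "root" && $7 != "" &&
        $7 != "/sbin/nologin" && $7 != "/bin/false" {
            printf "SYSSHELL %s %s\n", $1, $7
        }
    ' "$_file"
}

# count_findings FILE TAG: how many findings of one tag the audit reports
count_findings() {
    audit_passwd "$1" | grep -c "^$2 " || true
}

# Constructed sample passwd file mixing RH9-style system users with
# three deliberately suspicious entries (toor, games, guest).
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:*:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
toor:x:0:0:second root:/:/bin/bash
games:x:12:100:games:/usr/games:/bin/bash
guest::500:500:guest:/home/guest:/bin/bash
EOF
    echo "$f"
}
```

Run `audit_passwd /etc/passwd` on the real file and compare the names it reports against the installed packages that own them (`rpm -qf` on the home directory is one way); the `nobody` account from the original question should show up with no findings.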