Full Version: Root, Other Users
Robert83
Hi,

I know this might be a "stupid" question, but until I ask I don't know, so I'll ask...

As I've read in many books and webpages, hackers always have one goal, and that is to somehow gain root access [DoS attacks not counted... is there a way to solve this problem, by the way?].

And I've seen that with w you can see who is logged in and everything... so I was wondering,

is there a possibility to write a script that does userdel on everything and leaves root alive [or just deletes any user, because I think root can't be deleted; this is correct, right? I mean, root can't delete itself, or can it?]. And I would run this script every second... or every 2, 3 seconds.

Or I've seen these runlevels... what if I use the firewall with a single-user runlevel and log in as root [so the one-user quota is filled], what then? Would that keep a hacker from gaining access, I mean creating another user and logging in with it?

Sorry for all these [maybe] "stupid" questions, but I think I needed to ask them; I'm concentrating my power on making hacking me harder...

Sincerely
Robert B
hughesjr
Most root accesses are caused by issues such as buffer overflow errors... and are not normal logins. So things that would prevent someone from logging in wouldn't normally work to prevent them from getting root-level access via a vulnerability.

There are some things that can be done ... like only listening on ports and running services that are required.

One thing you can do to increase security is change the root user's login ID.... This doesn't stop the exploits that gain access via buffer overflow, but it does prevent people from knowing the root user's login ID.

Another thing you can do is to limit where users can connect from in ssh (i.e., only allow connections from specific IPs).

The absolute most important thing is to tighten security on the outside ports of your firewall so that only the absolute minimum of IPs and ports is visible on the outside of your firewall.
-----------
Here are a couple of articles that discuss Linux hardening:

http://www.boran.com/security/sp/applicati..._hardening.html

http://www.linux-sec.net/Harden/harden.gwif.html

http://thaicert.nectec.or.th/event/itsec20...lementation.pdf

http://www.brandonhutchinson.com/Hardening...3_(Taroon).html

http://www.giac.org/practical/GCFW/Roberto...o_GCFW.pdf&e=42
Robert83
Hi,

Thank you for your help!

Oh, and by the way... emm, can you please tell me how I change that root ID?


Sincerely
Robert B
hughesjr
You need to edit the /etc/passwd file and change the first root in the root user's line to the new name... then do a chmod on the file /etc/shadow like this:

chmod 600 /etc/shadow

then change the first root in the root line to the same username you picked for the root user in /etc/passwd.... then

chmod 400 /etc/shadow
------------------------------------------------
The group is still root, but the user is the new username.

Go to /etc/group and don't change the root group, but do change the group memberships (the last word)... here is an example:

adm:x:4:root,adm,daemon

that is the adm group... and the members are root, adm and daemon... change the root to the new user...

THIS is the root group line in /etc/group... I usually leave it alone (except to change the last root to the new username).

root:x:0:root

------------------
This will cause problems on machines with X installed (they still work, but you have to set up the desktop again)... because all the desktop stuff will be different after the change...

It can also require that you edit all the startup scripts, look for anything that sets the user to root, and change it to the new name.

You also need to look at the /root/.bashrc and .bash_profile and change anything that says user=root.

I don't normally do this on anything except maybe my external firewall....
-------------------
Robert83
Hi, thank you again,

I don't know how to write this down... so, for example, if you were setting up a firewall computer, what tool would you "probably" use to monitor things...? [sorry that I ask you; I'm reading the pages right now, but I guess a little bit from your experiences with firewalling wouldn't hurt]

Sincerely
Robert B


ps.: pm if...
Robert83
Hi,

I've changed everything with that root thing; everything works OK on the firewall...

but when booting up :

Enabling local file system quotas [OK]
getpwnam failed for 7^9-`,Enabling swap space [OK]

what is this, how can I fix it?

Sincerely
Robert B
hughesjr
I normally just look at the firewall logs ...

A while back I told you about an IDS tool called snort ... and it has a couple of available GUI front ends ...

It is an intrusion detection system.... that tells you when it sees specific things that are known exploits... I am now using a different IDS that runs on a Windows-based machine (required by my company), but snort is very good.

Here is an IDS FAQ from SANS.

Read this two-part article on IDS and snort (part 1, part 2). Pay particular attention to the intrusion detection response information link.

Guardian is a product that will allow you to setup automatic rules adjustments to your firewall based on snort detections.

I personally don't do automatic rule changes... I review the logs and make changes as necessary... because it has been my observation that most scans are done by worms or viruses... or script kiddies looking for an easy target.

If you have a secure firewall with only the absolutely required ports open ... and you maintain the latest security patches on all your servers (especially the services like web, smtp, ssh, etc. where you are allowing access) ... then most of the scans are not important... the script kiddies will move on to easier targets.
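As an added example, not part of hughesjr's post: the manual log review described above, done with awk over netfilter LOG lines. The log lines are constructed for the example, the `FW-DROP:` prefix is an assumed `--log-prefix`, and the cut-off of five distinct destination ports for calling a source a port scan is an assumption of the example, not a figure from the thread:

```shell
#!/bin/sh
# Added example, not from the thread: the "look at the firewall logs" review
# hughesjr describes, done with awk over netfilter LOG lines. The lines below
# are constructed; the "FW-DROP:" prefix is an assumed --log-prefix, and the
# SRC=/DST=/PROTO=/DPT= fields are the ones the iptables LOG target writes.

SAMPLE_FW_LOG=$(cat <<'EOF'
Apr 12 03:14:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=42111 DPT=21 SYN
Apr 12 03:14:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=42112 DPT=22 SYN
Apr 12 03:14:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=42113 DPT=23 SYN
Apr 12 03:14:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=42114 DPT=25 SYN
Apr 12 03:14:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=42115 DPT=80 SYN
Apr 12 03:14:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=42116 DPT=443 SYN
Apr 12 03:20:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=22 SYN
Apr 12 03:20:11 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=22 SYN
Apr 12 03:20:12 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51002 DPT=22 SYN
Apr 12 03:21:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Apr 12 03:30:45 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.1 PROTO=UDP SPT=1434 DPT=1434
EOF
)

# fw_scan_report MIN_PORTS  (reads log lines on stdin)
# Prints one line per source that was dropped on at least MIN_PORTS distinct
# destination ports: "SRC distinct_ports=N packets=M". Lines without a DPT=
# field (the ICMP echo request above) carry no port and are skipped.
fw_scan_report() {
    min=${1:-5}
    awk -v min="$min" '
        /DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            packets[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END {
            for (s in ports)
                if (ports[s] >= min)
                    printf "%s distinct_ports=%d packets=%d\n", s, ports[s], packets[s]
        }' | sort
}

# fw_scan_sources MIN_PORTS: just the source addresses from fw_scan_report
fw_scan_sources() {
    fw_scan_report "$1" | awk '{ print $1 }'
}

# Stand-alone run: sources that touched 5 or more ports are the port scans.
# 203.0.113.9 hammering one port is a different pattern (password guessing)
# that a distinct-port threshold deliberately does not flag.
printf '%s\n' "$SAMPLE_FW_LOG" | fw_scan_report 5
```

Counting distinct destination ports per source separates the scan (one source, many ports) from the single-port hammering a worm or a password-guessing script produces; the latter shows up as a high packet count on one port and needs its own threshold if you want it flagged too. Feed the function a real log with `grep 'FW-DROP:' /var/log/messages | fw_scan_report 5` once your LOG rule uses that prefix.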
hughesjr
As to the quota problem... and for some other things as well... it is good to now create another user named root.... but he is not the superuser... do this:

# -p expects an already-hashed (crypt(3)) password, not plaintext, so hash it first
useradd -g users -s /bin/bash -p "$(openssl passwd -1 password)" root

(password is the password for the new root user ... substitute the one you want this user to have)

and you will have a normal user named root (that is only a member of the users group) ... and a superuser with the new name you added to /etc/passwd and /etc/shadow.
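As an added example, not from the thread: the whole procedure from hughesjr's two posts above (rename the UID 0 entry in /etc/passwd and /etc/shadow, rename root in the member lists of /etc/group, then create an ordinary user named root so that name lookups such as the getpwnam failure at boot succeed again), rehearsed as a script against copies of the three files in a scratch directory. The superuser name `toor`, the accounts, the hashes and the scratch directory are constructed for the example; giving the decoy root a locked password and a nologin shell is this example's choice, not what the post does.

```shell
#!/bin/sh
# Added example, not from the thread: the rename-root procedure hughesjr gives
# (passwd, then shadow under chmod 600/400, then the member lists in group),
# plus the follow-up of creating an ordinary user named root, rehearsed on
# copies of the three files in a scratch directory rather than on /etc.
# The new superuser name "toor", the sample accounts and the hashes are
# constructed for the example.

make_sample_etc() {   # write constructed passwd/shadow/group into directory $1
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
robert:x:500:100::/home/robert:/bin/bash
EOF
    cat >"$dir/shadow" <<'EOF'
root:$1$constructed$notarealhash:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
adm:*:12345:0:99999:7:::
robert:$1$constructed$notarealhash:12345:0:99999:7:::
EOF
    cat >"$dir/group" <<'EOF'
root:x:0:root
daemon:x:2:root,daemon
adm:x:4:root,adm,daemon
users:x:100:
EOF
    chmod 400 "$dir/shadow"
}

rewrite() {   # rewrite FILE ($1) in place with awk program $3; $2 is exposed to awk as n
    awk -F: -v OFS=: -v n="$2" "$3" "$1" >"$1.tmp" && mv "$1.tmp" "$1"
}

rename_root_account() {   # usage: rename_root_account NEWNAME DIR
    new=$1; dir=$2
    # passwd: only the entry that is both called root and UID 0 changes its name
    rewrite "$dir/passwd" "$new" '$1 == "root" && $3 == 0 { $1 = n } { print }'
    # shadow: same edit, under the chmod 600 / chmod 400 sequence from the post
    chmod 600 "$dir/shadow"
    rewrite "$dir/shadow" "$new" '$1 == "root" { $1 = n } { print }'
    chmod 400 "$dir/shadow"
    # group: the group named root keeps its name; root in any member list becomes NEWNAME
    rewrite "$dir/group" "$new" '{
        cnt = split($4, m, ","); $4 = ""
        for (i = 1; i <= cnt; i++) {
            if (m[i] == "root") m[i] = n
            $4 = $4 (i > 1 ? "," : "") m[i]
        }
        print
    }'
}

add_decoy_root() {   # usage: add_decoy_root DIR
    # Once nothing is named root, boot scripts that look the name up fail (the
    # getpwnam error above). The post's fix is an ordinary user named root in the
    # users group. This example's version (an assumption of the example, not of
    # the post) locks its password with "!" and gives it nologin, so the name
    # resolves but cannot be used to log in.
    dir=$1
    uid=$(awk -F: '$3 >= 500 && $3 < 60000 && $3 > m { m = $3 } END { print (m < 500 ? 500 : m + 1) }' "$dir/passwd")
    gid=$(awk -F: '$1 == "users" { print $3 }' "$dir/group")
    printf 'root:x:%s:%s:decoy root:/home/root:/sbin/nologin\n' "$uid" "$gid" >>"$dir/passwd"
    chmod 600 "$dir/shadow"
    printf 'root:!:12345:0:99999:7:::\n' >>"$dir/shadow"
    chmod 400 "$dir/shadow"
}

uid0_name() { awk -F: '$3 == 0 { print $1 }' "$1/passwd"; }             # who is UID 0 now
group_members() { awk -F: -v g="$2" '$1 == g { print $4 }' "$1/group"; }  # member list of group $2

# Stand-alone rehearsal in a scratch directory
scratch=$(mktemp -d)
make_sample_etc "$scratch"
rename_root_account toor "$scratch"
add_decoy_root "$scratch"
echo "superuser is now: $(uid0_name "$scratch")"
cat "$scratch/group"
```

Rehearse on the copies and diff them against the originals before applying the same awk edits to /etc, and keep a root shell open in a second terminal while you do it, because a mistake in /etc/passwd locks you out. The decoy keeps `root` resolvable for scripts that chown to the name; with `!` in the password field it is not a second login, whereas a decoy with a real password and /bin/bash, as in the useradd line above, is itself an account an attacker can guess at.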
Robert83
Thanks again

Sincerely
Robert B
Termina
Hey, I was wondering if you could tell me if my computer is secure? XD

parasite.ath.cx (Has SSHD/apache/mysqld running)

Just hoping it's fairly secure, and if anyone has free time, if they could see if they can get in, or whatnot.
Invision Power Board © 2001-2017 Invision Power Services, Inc.