
I have a server at OVH that suddenly went offline around 12:10 PM.

According to my logs the hacker came in as the root user, which means that he probably had my password. I already changed this password but I'm still wondering how he came in.

The sshd_config says PermitRootLogin no, so they normally couldn't get in via SSH. So the only way to get in as root directly is via KVM, and I'm the only one who has access to that.

This is the log at the time it went down. I could resolve it with a simple restart. But as I see in the logs before this, someone went in several times as root, and I'm pretty sure it wasn't me. The same logs also say that someone keeps going in as root.

    Jun 11 12:10:01 vps115965 systemd: Starting Session c3450 of user root.
    Jun 11 12:10:01 vps115965 systemd: Started Session c3450 of user root.
    Jun 11 21:31:02 vps115965 xinetd[2703]: START: gopher pid=22775 from=::ffff:46.182.107.117

My question: how can I disable root login completely? By this I mean only physical login; cron jobs running as root and sudo (as well as sudo -i) should still work.

My server is running CentOS 7 (updates installed via cron jobs).

Thanks in advance

Jeroen

EDIT:

I discovered that the root login happens every 10 minutes, from which I thought it should be scheduled. So I looked into the crontab and it appears that spamassassin is doing this. Since I don't use this anymore (I use my Norton IS for spam filtering) I decided to remove it.

Since I don't have any evidence anymore that I'm hacked, I'm thinking it was just bad luck (kernel panic, maybe).

However, I still want an answer to my question on how to disable the physical root login.

3 Answers

You can use passwd -l root. In man passwd you can see the description of this:

    -l This option is used to lock the specified account and it is available to root only. The locking is performed by rendering the encrypted password into an invalid string (by prefixing the encrypted string with an !).
  • This combined with the PermitRootLogin no option in sshd_config is how I would do it. Commented Jun 12, 2015 at 13:38

You have 2 options:

  1. Edit the /etc/securetty file, as mentioned in the other answer.

  2. Delete the root password from /etc/shadow; this way nobody will be able to log in as root, while cron jobs and sudo will work.

The second option is used in the Ubuntu default configuration, as it doesn't break compatibility with old software from the KDE 1/2 age that used helper dialogs to ask for the root password and obtain root privileges.


Login on the physical console is controlled via the /etc/securetty file. To prevent the root user from logging in using any console, use something like echo > /etc/securetty to empty the file (you might want to create a backup first).

If you only want to close specific paths, e.g. logins using the serial console, simply remove those entries from the /etc/securetty file.

After you have done this you can still log in using ssh and a regular user account and then use sudo to become root.

  • Hi, I might be wrong, but isn't this going to disable all logins on the KVM? I still want to be able to log in on KVM as a normal user. I just don't want the root user to be able to log in physically (not on KVM or whatever). Commented Jun 12, 2015 at 15:44
  • I still want to be able to log in on KVM, as if ssh goes down for some reason I can only reach my VPS via KVM. Commented Jun 12, 2015 at 15:45
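The two mechanisms the answers above describe (locking the root hash with passwd -l, and trimming /etc/securetty) both leave a state that is worth verifying afterwards, and the shadow change in particular has one edge case: a root entry whose password field is truly empty is not locked but passwordless, so "delete the password" has to mean "replace it with ! or *". The script below is an added example, not code from any of the answers; the function names (root_lock_state, lock_root_entry, strip_securetty) are my own, it reproduces what passwd -l does to the hash field rather than calling passwd, and it runs only against sample files constructed in a temp directory so it never touches the real /etc/shadow or /etc/securetty.

```shell
#!/bin/sh
# Added example: audit and simulate the two root-login hardening steps.
# Everything here operates on constructed sample files, not the live system.

# root_lock_state SHADOWFILE
# Prints "locked" when root's hash starts with "!" or "*" (what passwd -l /
# usermod -L leave behind), "nopass" when the field is empty (password-less
# login, worse than an active hash), and "active" otherwise.
root_lock_state() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        "")          echo nopass ;;
        '!'*|'*'*)   echo locked ;;
        *)           echo active ;;
    esac
}

# lock_root_entry SHADOWFILE
# Prints the file with root's hash prefixed by "!", mirroring passwd -l.
# Already-locked entries are left unchanged so the call is idempotent.
lock_root_entry() {
    awk -F: -v OFS=: '$1 == "root" && $2 !~ /^[!*]/ { $2 = "!" $2 } { print }' "$1"
}

# strip_securetty SECURETTYFILE TTY...
# Prints the file with the named tty entries removed (e.g. ttyS0 to close the
# serial console while keeping tty1..N for the KVM). Redirect to replace the file.
strip_securetty() {
    file=$1; shift
    pattern=
    for t in "$@"; do pattern="${pattern:+$pattern|}$t"; done
    grep -Ev "^($pattern)\$" "$file" || true
}

# --- demonstration on constructed sample data ---------------------------------
tmp=$(mktemp -d)
# Constructed shadow file: an active root hash plus one ordinary user.
printf 'root:$6$constructed$hash:16600:0:99999:7:::\n' > "$tmp/shadow"
printf 'jeroen:$6$constructed$user:16600:0:99999:7:::\n' >> "$tmp/shadow"
# Constructed securetty listing a serial console alongside the virtual ttys.
printf 'console\ntty1\ntty2\nttyS0\n' > "$tmp/securetty"

echo "root before: $(root_lock_state "$tmp/shadow")"
lock_root_entry "$tmp/shadow" > "$tmp/shadow.locked"
echo "root after:  $(root_lock_state "$tmp/shadow.locked")"
echo "securetty without serial console:"
strip_securetty "$tmp/securetty" ttyS0
rm -rf "$tmp"
```

On a real host the equivalent checks are `awk -F: '$1=="root"{print $2}' /etc/shadow` after running passwd -l root, and a look at /etc/securetty after editing it; sudo and root cron jobs do not consult the root hash, so both keep working once the field is locked.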
