What I know:
Yesterday I had a problem with the server's system time. It was changed to the year 2008 (the date and time were otherwise accurate). Also, there was a restart of sshd (which helped me spot the change of year). I configured the time and thought it was a possible attack, or maybe some bug, whatever.
Anyway, today I received a mail from rkhunter that in sshd_config root login isn't set (PermitRootLogin No was commented out). This is not my standard configuration, and yesterday it wasn't commented out. So someone obviously commented it out and after that restarted sshd. Everything else was unchanged at first look, but to be sure I overwrote that file with my backup version of sshd_config. I also noticed that the date of the changes was in the future, October 6 of this year. It looks like there was more than simple tampering with the server's time.
I have a setup where, when someone logs in with ssh, I receive a mail about it. I didn't receive any mails with warnings like this. Also, in the logs I didn't find any login attempts, successful or unsuccessful. OK, I understand that someone could gain control over the server and later delete the logs about his access to the server. But I'm not sure how he avoided the mail being sent when he logged in the first time. Maybe he didn't gain access with SSH? And, just to mention, SSH isn't on the standard port.
I didn't notice other changes on the server, and rkhunter didn't report anything else different.
Does anyone have any idea how this is possible and what I should do to prevent it in the future?
Security breach: Changed sshd_config and system time
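Added example, not code from the thread or from any poster: a POSIX shell audit that reproduces the two observations the post rests on, namely what PermitRootLogin sshd would actually apply and whether the file's modification time lies ahead of the system clock. It assumes GNU or BSD stat and GNU touch, and the function names and the two sample sshd_config files are my own constructions. The parser follows sshd's first-uncommented-match rule and stops at the first Match block, which is why a commented-out global directive is reported as "default" rather than picking up a later conditional value.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config the way the
# OP's rkhunter alert and "date in the future" observation suggest.
# Function names and the sample configs below are my own constructions.

# Print the global PermitRootLogin value from file $1, or "default" when no
# uncommented directive precedes the first Match block. sshd honours the
# FIRST uncommented occurrence of a keyword and accepts "key value" as well
# as "key=value", so a leading "#" leaves the compiled-in default in force.
effective_permit_root_login() {
    val=$(awk '
        { gsub(/=/, " ") }                           # normalise key=value
        tolower($1) == "match" { exit }              # conditional block: stop
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    if [ -z "$val" ]; then echo "default"; else echo "$val"; fi
}

# Succeed (exit 0) when file $1 carries a modification time later than the
# current clock, as the OP's edited sshd_config did. Tries GNU stat first,
# then BSD stat.
mtime_in_future() {
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    now=$(date +%s)
    [ "$mtime" -gt "$now" ]
}

# Report findings for file $1; exit status 1 when anything is off.
audit_sshd_config() {
    rc=0
    v=$(effective_permit_root_login "$1")
    if [ "$v" != "no" ]; then
        echo "FINDING: $1: effective PermitRootLogin is '$v', expected 'no'"
        rc=1
    fi
    if mtime_in_future "$1"; then
        echo "FINDING: $1: modification time is later than the system clock"
        rc=1
    fi
    return "$rc"
}

# Constructed sample configs: an intact one and one edited the way the OP
# described (global directive commented out, then the file dated ahead).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.good" <<'EOF'
Port 2222
PermitRootLogin no
Match User backup
    PermitRootLogin without-password
EOF
cat > "$tmp/sshd_config.tampered" <<'EOF'
Port 2222
#PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
touch -d tomorrow "$tmp/sshd_config.tampered"   # GNU touch: mtime one day ahead

for f in "$tmp/sshd_config.good" "$tmp/sshd_config.tampered"; do
    if audit_sshd_config "$f"; then echo "OK: $f"; fi
done
```

On a live host, call audit_sshd_config on /etc/ssh/sshd_config from cron and compare the file against a known-good copy as well: rpm -Va (suggested below in the thread) only compares against the package's own checksum, so it will flag any locally edited sshd_config and cannot tell your edit from someone else's.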
Retired Moderator
Re: Security breach: Changed sshd_config and system time
Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.
In the US we did just have a change to Daylight Savings last weekend, but that would not explain the errors and anomalies in the absence of other problems. All I can suggest is trying other tools such as chkrootkit and running "rpm -Va".
Security breach: Changed sshd_config and system time
FWIW the thread, leading to slightly more info, was also posted here: https://www.linuxquestions.org/questions/linux-security-4/security-breach-changed-sshd_config-and-system-time-934430/ . Apparently the OP fscked up file ownership and also didn't have SELinux running.
Retired Moderator
Re: Security breach: Changed sshd_config and system time
Thanks for the link. Guess this thread is done, as the OP never bothered to return.