Solved

Securing Linux from Resigned Engineer

Posted on 2011-05-01
Last Modified: 2012-05-11
hi, it happened that one of our engineers resigned on very bad terms, and we are worried that he will sabotage the Linux servers maintained by him.

The primary functions of the Linux servers are squid proxy and internal routing (with static routes).

1. How to get a list of root-level users from Linux
2. How to find out if there are any phantom users who could possibly have root-level access
3. Considering we have the root-level password for the Linux boxes, what else do we need to secure in the Linux box?

Please note that we blocked VPN access to the network, so the attack surface is the Linux server only.

Many Thanks
SK
Question by:principiamanagement
 
LVL 40

Accepted Solution

by:
mrjoltcola earned 1400 total points
ID: 35502712
First, check for regular users:

Look in /etc/passwd

Then check for sudo privileges (commonly used for root access without root password).

Look in /etc/sudoers


You might also want to run nmap scans on your Linux servers, just to be aware of the services (ports) that are open. I advise that you have a Linux / security guru to verify your findings.
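As an added example (not part of the thread, and not mrjoltcola's code), here is a POSIX shell script that automates the two checks above and adds the one they miss: any UID-0 account counts as root whatever it is called, "root"-lookalike names, and members of the groups that sudoers typically grants root to with a %group line. The file paths and the tag names (UID0, LOGIN, LOOKALIKE, SUDO, GROUP) are this example's own choices; the UID 1000 cut-off for human accounts is the Debian default.

```sh
#!/bin/sh
# Added example (not from the thread): audit passwd/sudoers/group for root-level access.
# Arguments default to the live files; pass copies (e.g. from a backup) to audit those instead.
# Output is one tagged line per finding so a run can be diffed against a known-good one.
audit_root_access() {
    passwd="${1:-/etc/passwd}"
    sudoers="${2:-/etc/sudoers}"
    group="${3:-/etc/group}"

    # UID0: any account with UID 0 is root, whatever it is called (only "root" should appear).
    awk -F: '$3 == 0 { print "UID0:" $1 }' "$passwd"

    # LOGIN: UID 0 or human (UID >= 1000) accounts whose shell lets them log in.
    # Older Debian system accounts also carry /bin/sh; they are locked in /etc/shadow, not here.
    awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(^|\/)(nologin|false|sync)$/ {
        print "LOGIN:" $1 ":" $3 ":" $7 }' "$passwd"

    # LOOKALIKE: names that imitate "root" (ro0t, r00t, root2 ...) but are not UID 0.
    awk -F: 'tolower($1) ~ /^r[o0][o0]t/ && $3 != 0 { print "LOOKALIKE:" $1 }' "$passwd"

    # SUDO: every active sudoers rule; comments, blank lines and Defaults are dropped.
    # Rules in /etc/sudoers.d/ (where the distribution uses it) need the same treatment.
    if [ -r "$sudoers" ]; then
        grep -Ev '^[[:space:]]*(#|$|Defaults)' "$sudoers" | sed 's/^/SUDO:/'
    fi

    # GROUP: members of groups that a "%sudo ALL=(ALL) ALL" style rule would make root.
    if [ -r "$group" ]; then
        awk -F: '$1 ~ /^(sudo|wheel|admin|root)$/ && $4 != "" {
            print "GROUP:" $1 ":" $4 }' "$group"
    fi
}

# Audit the live system:  sh audit.sh --run   (sudoers is only readable as root)
if [ "${1:-}" = "--run" ]; then
    audit_root_access
fi
```

Run it once now and keep the output; after the clean-up, and periodically afterwards, diff a fresh run against it so a re-added account or sudo rule shows up as a new line.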
 

Author Comment

by:principiamanagement
ID: 35502718
hi, below is /etc/passwd

mntr:/home/jegan# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
privoxy:x:104:65534::/etc/privoxy:/bin/false
debian-tor:x:105:107::/var/lib/tor:/bin/bash
mysql:x:106:108:MySQL Server,,,:/var/lib/mysql:/bin/false
ntop:x:1001:1001:,,,:/home/ntop:/bin/bash
freerad:x:107:109::/etc/freeradius:/bin/false
ntp:x:108:110::/home/ntp:/bin/false
messagebus:x:109:111::/var/run/dbus:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
snort:x:111:112:Snort IDS:/var/log/snort:/bin/false
bind:x:112:113::/var/cache/bind:/bin/false
admin:x:1004:1004:Admin,Linux,,:/home/admin:/bin/bash
snnp:x:1005:100::/home/snnp:/bin/sh
jegan:x:1000:1005:Jeganathan Sethu,,,:/home/jegan:/bin/bash
ro0t:x:1006:100::/home/ro0t:/bin/sh


and /etc/sudoers


mntr:/home/jegan# more /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
#keenan  ALL=(ALL) ALL
#yoso    ALL=(ALL) ALL
#rhiez   ALL=(ALL) ALL
#snnp    ALL=(ALL) ALL
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
 
LVL 3

Expert Comment

by:Abhishek_Chib
ID: 35502723
Nothing looks bad.

First of all, change the passwords of all the users on these servers; they must be complicated.

And monitor which users are accessing the servers via the "last" command.


 
LVL 3

Assisted Solution

by:Abhishek_Chib
Abhishek_Chib earned 600 total points
ID: 35502728
especially:

admin:x:1004:1004:Admin,Linux,,:/home/admin:/bin/bash
snnp:x:1005:100::/home/snnp:/bin/sh
jegan:x:1000:1005:Jeganathan Sethu,,,:/home/jegan:/bin/bash
ro0t:x:1006:100::/home/ro0t:/bin/sh
 

Author Comment

by:principiamanagement
ID: 35502729
Ok, we got the admin and root passwords changed to new ones.

SK
 
LVL 40

Expert Comment

by:mrjoltcola
ID: 35502731
Your sudo looks ok, no sudoers besides root.

The last 4 users in the password file are not standard Linux users, and ro0t definitely looks like a backdoor for root. I would reset the passwords or disable them if you are unsure. You can comment the user line out or make the shell nologin like below.

admin:x:1004:1004:Admin,Linux,,:/home/admin:/bin/bash
snnp:x:1005:100::/home/snnp:/bin/sh
jegan:x:1000:1005:Jeganathan Sethu,,,:/home/jegan:/bin/bash
ro0t:x:1006:100::/home/ro0t:/usr/sbin/nologin

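As an added example (my code, not from the thread), here is a POSIX shell check for whether an account that was "disabled" the way described above can still get in. Changing the shell blocks interactive logins only; the password hash in /etc/shadow, an SSH key in the account's ~/.ssh/authorized_keys and its crontab are the other ways back in, and each is checked separately. The OK/WARN wording and the default crontab directory are this example's assumptions (Debian layout; Red Hat uses /var/spool/cron).

```sh
#!/bin/sh
# Added example (not from the thread): verify that a disabled account really cannot get back in.
# Paths default to the live files (shadow is readable only as root); pass copies to check those.

# check_account_disabled USER [PASSWD] [SHADOW] [CRONTAB_DIR]
# Prints one OK/WARN line per check and returns 1 if any check warned.
check_account_disabled() {
    user="$1"
    passwd="${2:-/etc/passwd}"
    shadow="${3:-/etc/shadow}"
    cron_dir="${4:-/var/spool/cron/crontabs}"   # Debian location (assumption)
    status=0

    line=$(awk -F: -v u="$user" '$1 == u' "$passwd")
    if [ -z "$line" ]; then
        echo "OK: $user: no entry in $passwd"
        return 0
    fi
    shell=${line##*:}
    home=$(printf '%s\n' "$line" | cut -d: -f6)

    # 1. Shell: must be a real non-interactive program given by absolute path. A bare "nologin"
    #    is not an absolute path; use the same binary the system's own service accounts use.
    case "$shell" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) echo "OK: $user: shell $shell" ;;
        *) echo "WARN: $user: interactive shell '$shell'"; status=1 ;;
    esac

    # 2. Password: a hash field starting with "!" or "*" is locked (passwd -l / usermod -L);
    #    anything else still authenticates for su, sudo and password-based SSH.
    if [ -r "$shadow" ]; then
        pwhash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
        case "$pwhash" in
            '!'*|'*'*) echo "OK: $user: password locked" ;;
            *) echo "WARN: $user: password hash not locked"; status=1 ;;
        esac
    fi

    # 3. SSH keys bypass the password entirely; remove the file (or the whole .ssh directory).
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        if [ -s "$f" ]; then
            echo "WARN: $user: SSH key file present: $f"; status=1
        fi
    done

    # 4. Cron: whether jobs still run for a locked account depends on the cron implementation,
    #    so a leftover crontab should be reviewed and removed rather than relied on to stop.
    if [ -s "$cron_dir/$user" ]; then
        echo "WARN: $user: crontab present: $cron_dir/$user"; status=1
    fi
    return "$status"
}

# Example: check_account_disabled ro0t   (run as root so /etc/shadow is readable)
```

The same four places are worth checking for root itself: /root/.ssh/authorized_keys and root's crontab survive a password change untouched.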
 

Author Comment

by:principiamanagement
ID: 35502760
Excellent, we put in the nologin; is there any other thing that I need to do to prevent root access, again from the Linux box perspective?

Sakthis
 
LVL 3

Assisted Solution

by:Abhishek_Chib
Abhishek_Chib earned 600 total points
ID: 35502772
Follow:

http://www.dedicated-resources.com/guide/31/Disabling-Direct-Root-Login-(SSH).html

It will prevent direct root login.

If you want to access root, first you need to log in as a user like jegan, then "su -" or "su - root".

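As an added example (not from the thread or the linked guide), here is a POSIX shell check for the sshd_config setting that decides whether root can still log in over SSH. Two details matter when applying the advice above: sshd uses the first value it reads for a keyword, so appending "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing, and "without-password" still admits root with a key. Values inside Match blocks are conditional and are skipped; the assumed default when the keyword is absent is "yes", as in OpenSSH of that era without distribution patches.

```sh
#!/bin/sh
# Added example (not from the thread): effective PermitRootLogin value in an sshd_config.
# The config path defaults to the live file; pass a copy to check that instead.

# sshd_effective KEY [CONF] [DEFAULT]: print the value sshd would use for KEY, or DEFAULT.
sshd_effective() {
    key="$1"; conf="${2:-/etc/ssh/sshd_config}"; def="$3"
    awk -v k="$key" -v def="$def" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
        tolower($1) == "match" { exit }                   # conditional block: stop here
        tolower($1) == tolower(k) { print $2; found = 1; exit }   # first value wins
        END { if (!found) print def }
    ' "$conf"
}

# sshd_root_login_check [CONF]: one OK / INFO / WARN line; returns 1 on WARN.
sshd_root_login_check() {
    conf="${1:-/etc/ssh/sshd_config}"
    prl=$(sshd_effective PermitRootLogin "$conf" yes)   # assumed default when unset
    case "$(printf '%s' "$prl" | tr 'A-Z' 'a-z')" in
        no)
            echo "OK: PermitRootLogin $prl (root comes in via a user account and su/sudo)" ;;
        without-password|prohibit-password)
            echo "INFO: PermitRootLogin $prl (no root password logins, but any key in /root/.ssh/authorized_keys still works)" ;;
        forced-commands-only)
            echo "INFO: PermitRootLogin $prl (root keys limited to their command= option)" ;;
        *)
            echo "WARN: PermitRootLogin is '$prl'; set it to no, then reload sshd"
            return 1 ;;
    esac
    return 0
}

# Example: sshd_root_login_check            (live file)
#          sshd_root_login_check /tmp/sshd_config.copy
```

After editing, keep an existing session open and test a fresh login as a normal user before closing it, so a typo in sshd_config does not lock everyone out.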
 
LVL 40

Expert Comment

by:mrjoltcola
ID: 35502773
Just ensure there are no unknown services running. If you feel this admin is really savvy and would have needed to put a true backdoor in (besides ro0t), then you should check all running services and/or run a port scan (nmap).
 
LVL 12

Expert Comment

by:Amick
ID: 35502801
Two more things to consider.
1. Consider wiping the machine and rebuilding it to establish an image you know you can trust.
2. If you recover anything from the period prior to that time you know you have a secure image, be careful that you don't restore a program that might act as a carrier for a threat and be careful that you don't restore security files that might contain dangerous accounts and privileges.
 

Author Comment

by:principiamanagement
ID: 35502806
Hi mrjoltcola -- please see below


Scanning 192.168.1.1 [65535 ports]
Discovered open port 21/tcp on 192.168.1.1
Discovered open port 111/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 3306/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 10000/tcp on 192.168.1.1
Discovered open port 3128/tcp on 192.168.1.1
Discovered open port 902/tcp on 192.168.1.1
Discovered open port 8009/tcp on 192.168.1.1
Discovered open port 8222/tcp on 192.168.1.1
Discovered open port 8333/tcp on 192.168.1.1
Discovered open port 35976/tcp on 192.168.1.1
Discovered open port 8308/tcp on 192.168.1.1
Completed SYN Stealth Scan at 13:08, 14.45s elapsed (65535 total ports)
Initiating Service scan at 13:08
Scanning 14 services on 192.168.1.1
Completed Service scan at 13:08, 24.59s elapsed (14 services on 1 host)
Initiating RPCGrind Scan against 192.168.1.1 at 13:08
Completed RPCGrind Scan against 192.168.1.1 at 13:08, 0.01s elapsed (2 ports)
Initiating OS detection (try #1) against 192.168.1.1
NSE: Script scanning 192.168.1.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:08
Completed NSE at 13:08, 3.04s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 192.168.1.1
Host is up (0.00036s latency).
Not shown: 65521 closed ports
PORT      STATE SERVICE         VERSION
21/tcp    open  ftp             WU-FTPD wu-2.6.2
22/tcp    open  ssh             OpenSSH 5.1p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 1024 91:76:6c:91:df:27:08:ff:76:1e:55:c4:ec:88:fb:22 (DSA)
|_2048 29:df:27:fc:41:88:18:6b:ca:b0:58:f0:b1:3e:8f:f1 (RSA)
53/tcp    open  domain          ISC BIND 9.5.1-P3
80/tcp    open  http            Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch)
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind         2 (rpc #100000)
902/tcp   open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
3128/tcp  open  squid-http?
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:  GET HEAD
3306/tcp  open  mysql           MySQL 5.0.51a-24+lenny3-log
| mysql-info: Protocol: 10
| Version: 5.0.51a-24+lenny3-log
| Thread ID: 1524
| Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
| Status: Autocommit
|_Salt: NMw1+"hgN1IYcfXdp%bA
8009/tcp  open  ajp13           Apache Jserv (Protocol v1.3)
8222/tcp  open  http            VMware Server http config
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: VMware Server 2
8308/tcp  open  http            Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
8333/tcp  open  ssl/http        VMware Server http config
|_http-title: VMware Server 2
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
10000/tcp open  http            MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
|_http-favicon: Unknown favicon MD5: CAD3EB4F30C4FB8D29EFB8D5BC622856
35976/tcp open  status          1 (rpc #100024)
MAC Address: 00:02:55:56:93:19 (IBM)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.31
Uptime guess: 0.743 days (since Sun May  1 19:19:18 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux

TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 192.168.1.1

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.57 seconds
           Raw packets sent: 65555 (2.885MB) | Rcvd: 65553 (2.623MB)



Hi Amick - we will replace this with a switch in a couple of weeks, but until then we just need to be sure..


thanks
SK
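As an added example (my code, not from the thread), here is a POSIX shell script that turns mrjoltcola's "check all running services and/or run a port scan" into a repeatable check and applies it to output in the form shown above. It takes the "Discovered open port" lines from an nmap run done from another machine, the listener list the box reports about itself (ss -Hltn, or netstat -ltn on older systems such as this Debian lenny box; both put the local address in the fourth column), and an allow-list of the ports this server is supposed to serve (for a squid proxy and router: 22, 53, 3128). A port that nmap sees but the box does not list is the classic sign of a hidden service; a listener that is not on the allow-list is a service to justify or disable. The tag names and file-based inputs are this example's own design; the sample values in the usage line are the ports from the scan above.

```sh
#!/bin/sh
# Added example (not from the thread): reconcile an external nmap scan with the local listener
# list and an allow-list. Inputs are text files so saved output can be re-checked later.
#
#   nmap_file : "Discovered open port N/tcp on HOST" lines from "nmap -v"
#   ss_file   : output of "ss -Hltn" (or "netstat -ltn"; local address is column 4 in both)
#   allowed   : space-separated ports that belong on this host, e.g. "22 53 3128"

ports_from_nmap() {
    sed -n 's/^Discovered open port \([0-9]*\)\/tcp .*/\1/p' "$1" | sort -n -u
}

ports_from_ss() {
    # Local address looks like "0.0.0.0:22", "*:3128" or "[::]:10000"; take the text after the last colon.
    awk 'NF >= 4 { n = split($4, a, ":"); print a[n] }' "$1" | grep -E '^[0-9]+$' | sort -n -u
}

# compare_ports NMAP_FILE SS_FILE "ALLOWED PORTS": one tagged line per port, returns 1 if any
# port is HIDDEN (seen from outside only) or UNEXPECTED (listening but not on the allow-list).
compare_ports() {
    nmap_file="$1"; ss_file="$2"; allowed="$3"
    status=0
    ext=$(ports_from_nmap "$nmap_file")
    loc=$(ports_from_ss "$ss_file")

    for p in $ext; do
        if ! printf '%s\n' "$loc" | grep -qx "$p"; then
            echo "HIDDEN: $p open from outside but not in the local listener list"; status=1
        fi
    done

    for p in $loc; do
        case " $allowed " in
            *" $p "*) echo "OK: $p expected" ;;
            *) echo "UNEXPECTED: $p listening but not on the allow-list"; status=1 ;;
        esac
    done
    return "$status"
}

# Usage on this box, with the scan output above saved to nmap.txt:
#   ss -Hltn > listeners.txt   # or: netstat -ltn > listeners.txt
#   compare_ports nmap.txt listeners.txt "22 53 3128"
```

For each UNEXPECTED port the next step is the owning process (ss -ltnp or netstat -ltnp as root) and the package or init script that starts it; a HIDDEN port means the box's own view can no longer be trusted, which is the case Amick's rebuild advice covers.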
 
LVL 40

Expert Comment

by:mrjoltcola
ID: 35502825
You are running webmin too. Do you use webmin? If so, ok, but if not, you might disable that service.
