Root Logins (Sco Unix)
Bill Campbell
bill at celestial.com
Fri Jun 1 10:50:04 PDT 2007
On Fri, Jun 01, 2007, Del wrote:
>
> We have a suspicion that an unauthorized person has been logging on to
> one of our SCO Unix systems as root. Is there any history in the
> system of root logins that would also show the origin (ip number, term
> id) of the login?
>
> What is the best way to monitor root logins in the future?
>
> We have changed the password, but it seems to be happening anyway.
I would strongly suggest using secure shell for all logins other than those
from the console, and configuring sshd_config so that it doesn't allow
password logins, only those using the authenticated public identities.
One can further tighten this by using secure shell with tcp wrappers
support (e.g. libwrap), restricting the IPs, networks, and/or domains that
are permitted to access the system.
The secure shell daemon will log all attempts to log in as well as
successful logins.
We also run the swatch log watcher so it sends e-mails to a security
address when suspicious activity appears in one or more log files. As an
example I just had the following messages appear in my security mail folder
from two different systems (mailman and beta3). I obfuscated the public IP
address on the first to protect the innocent, but left the private IP on
the second. This type of activity on a private IP may indicate that
someone in-house is attempting to play silly-buggers with your system.
Jun 01 10:25:04 mailman <info> sshd[27867]: Accepted publickey for root from xx.xx.xx.xx port 46811 ssh2
Jun 01 10:34:28 beta3 <info> sshd[16941]: Failed password for root from 192.168.254.225 port 280
As a general rule, if a machine has been cracked, one should reinstall from
scratch. If one is running good intrusion detection software that can
identify changes in critical files, detect new files, and deleted files, it
is possible to clean up a cracked system, but this requires creating the
database for comparison before exposing the system to the world, and
constantly monitoring for changes.
Bill
--
INTERNET: bill at Celestial.COM Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
Government is actually the worst failure of civilized man. There has
never been a really good one, and even those that are most tolerable
are arbitrary, cruel, grasping and unintelligent.
-- H. L. Mencken
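An added example, not part of the post above and not swatch itself: a small Python log watcher that applies the kind of rule Bill describes to sshd "Accepted"/"Failed" lines, extracting the user, origin address and port, and flagging root logins, password-based logins (which the reply recommends disabling in sshd_config) and origins on private in-house addresses. The three sample log lines are constructed, modelled on the two messages quoted in the reply.

```python
import ipaddress
import re

# Constructed sample lines modelled on the two sshd messages quoted in the post.
SAMPLE_LOG = """\
Jun 01 10:25:04 mailman <info> sshd[27867]: Accepted publickey for root from xx.xx.xx.xx port 46811 ssh2
Jun 01 10:34:28 beta3 <info> sshd[16941]: Failed password for root from 192.168.254.225 port 280
Jun 01 10:35:02 beta3 <info> sshd[16950]: Accepted password for alice from 192.168.254.10 port 51234 ssh2
"""
# Matches the Accepted/Failed lines sshd writes; the trailing "ssh2" is optional.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) .*?sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_sshd_line(line):
    """Return a dict for one sshd auth event, or None if the line is not one."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["port"] = int(ev["port"])
    try:
        ev["private_src"] = ipaddress.ip_address(ev["src"]).is_private
    except ValueError:  # obfuscated (xx.xx.xx.xx) or a hostname: origin unknown
        ev["private_src"] = None
    return ev

def root_login_alerts(log_text):
    """Swatch-style rule: report every root auth event, any password-based
    login (the post recommends disabling these in sshd_config), and any
    event whose origin is an in-house (RFC 1918) address."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] == "root":
            reasons.append("root login attempt")
        if ev["method"] == "password":
            reasons.append("password auth still enabled")
        if ev["private_src"]:
            reasons.append("source is an in-house (private) address")
        if reasons:
            alerts.append((ev["host"], ev["result"], ev["user"], ev["src"], ev["port"], reasons))
    return alerts
```

Feeding the output of `root_login_alerts` to a mailer gives the security-mailbox behaviour described in the reply; a real deployment would tail the live log rather than a string.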