Hello, recently my server sent spam and spamhaus has blocked our IP.
We are looking for security issues and we found this:
Jan 27 05:37:13 mktpp sshd[80187]: Accepted password for centos from 79.XX.160.XX port 49581 ssh2
Jan 27 05:37:13 mktpp sshd[80187]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 27 05:37:32 mktpp sshd[80187]: pam_unix(sshd:session): session closed for user centos
Jan 27 15:42:45 mktpp sshd[117485]: Accepted password for centos from 5.XX6.76.XX port 42462 ssh2
Jan 27 15:42:45 mktpp sshd[117485]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 27 15:43:04 mktpp sshd[117485]: pam_unix(sshd:session): session closed for user centos
Jan 27 18:30:22 mktpp sshd[129421]: Accepted password for centos from 54.XX.195.XX port 58718 ssh2
Jan 27 18:30:22 mktpp sshd[129421]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 27 18:30:41 mktpp sshd[129421]: pam_unix(sshd:session): session closed for user centos
Jan 29 20:21:13 mktpp sshd[52719]: Accepted password for centos from 162.XX.81.XX port 47358 ssh2
Jan 29 20:21:13 mktpp sshd[52719]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 29 20:21:17 mktpp sshd[52724]: Accepted password for centos from 54.XX.16.XX port 55714 ssh2
Jan 29 20:21:17 mktpp sshd[52724]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 29 20:21:31 mktpp sshd[52719]: pam_unix(sshd:session): session closed for user centos
Jan 29 20:21:36 mktpp sshd[52724]: pam_unix(sshd:session): session closed for user centos
Jan 29 20:21:44 mktpp sshd[52735]: Accepted password for centos from 185.XX.56.XX port 56071 ssh2
Jan 29 20:21:44 mktpp sshd[52735]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 29 20:32:08 mktpp sshd[52735]: pam_unix(sshd:session): session closed for user centos
Well, we tried to login and we get this:
root@xxxxxhostname centos]# su centos
This account is currently not available.
We see that in /etc/shadow there is a HASH. We don't know what to do, we have a lot of servers with this.
What can we do?
Greetings.
centos user can login, security issue?
Re: centos user can login, security issue?
The only things that CentOS supplies that have a 'centos' user baked in are the cloud images. I believe those are meant to be restricted to access via ssh-key only injected using cloud-init.
Are you using one of the cloud images? Or did you install from CentOS supplied media yourself?
The "This account is currently not available" just means the user is set up to use /sbin/nologin as a shell. From your logs it would appear that the centos user is set up with a password and that you have ssh password logins enabled (not recommended, you should secure it to use public/private keys only).
What's the output from uname -a ?
Are you using one of the cloud images? Or did you install from CentOS supplied media yourself?
The "This account is currently not available" just means the user is set up to use /sbin/nologin as a shell. From your logs it would appear that the centos user is set up with a password and that you have ssh password logins enabled (not recommended, you should secure it to use public/private keys only).
What's the output from uname -a ?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 2
- Joined: 2019/01/31 12:12:27
Re: centos user can login, security issue?
TrevorH wrote: ↑2019/01/31 13:47:16The only things that CentOS supplies that have a 'centos' user baked in are the cloud images. I believe those are meant to be restricted to access via ssh-key only injected using cloud-init.
Are you using one of the cloud images? Or did you install from CentOS supplied media yourself?
The "This account is currently not available" just means the user is set up to use /sbin/nologin as a shell. From your logs it would appear that the centos user is set up with a password and that you have ssh password logins enabled (not recommended, you should secure it to use public/private keys only).
What's the output from uname -a ?
Linux [hostname] 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
We are going to change that password, but...
Jan 29 20:21:44 mktpp sshd[52735]: Accepted password for centos from 185.XX.56.XX port 56071 ssh2
Jan 29 20:21:44 mktpp sshd[52735]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 29 20:32:08 mktpp sshd[52735]: pam_unix(sshd:session): session closed for user centos
10 minutes later, it's closing the connection. wtf?
UPDATE:
Extracted from /etc/passwd
centos:x :1000:1000:Cloud User:/home/centos:/sbin/nologin
Re: centos user can login, security issue?
So your system is quite significantly back level then. The -693 kernels are from 7.4 and the current version is 7.6. You should yum update to get all the latest patches, many of them security related.
My advice about disabling password access still stands.
My advice about disabling password access still stands.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke