centos user can login, security issue?

Support for security such as Firewalls and securing linux
ges985938954
Posts: 2
Joined: 2019/01/31 12:12:27

centos user can login, security issue?

Post by ges985938954 » 2019/01/31 12:18:26

Hello, recently my server sent spam and spamhaus has blocked our IP.

We are looking for security issues and we found this:

Jan 27 05:37:13 mktpp sshd[80187]: Accepted password for centos from 79.XX.160.XX port 49581 ssh2
Jan 27 05:37:13 mktpp sshd[80187]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 27 05:37:32 mktpp sshd[80187]: pam_unix(sshd:session): session closed for user centos
Jan 27 15:42:45 mktpp sshd[117485]: Accepted password for centos from 5.XX6.76.XX port 42462 ssh2
Jan 27 15:42:45 mktpp sshd[117485]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 27 15:43:04 mktpp sshd[117485]: pam_unix(sshd:session): session closed for user centos
Jan 27 18:30:22 mktpp sshd[129421]: Accepted password for centos from 54.XX.195.XX port 58718 ssh2
Jan 27 18:30:22 mktpp sshd[129421]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 27 18:30:41 mktpp sshd[129421]: pam_unix(sshd:session): session closed for user centos
Jan 29 20:21:13 mktpp sshd[52719]: Accepted password for centos from 162.XX.81.XX port 47358 ssh2
Jan 29 20:21:13 mktpp sshd[52719]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 29 20:21:17 mktpp sshd[52724]: Accepted password for centos from 54.XX.16.XX port 55714 ssh2
Jan 29 20:21:17 mktpp sshd[52724]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 29 20:21:31 mktpp sshd[52719]: pam_unix(sshd:session): session closed for user centos
Jan 29 20:21:36 mktpp sshd[52724]: pam_unix(sshd:session): session closed for user centos
Jan 29 20:21:44 mktpp sshd[52735]: Accepted password for centos from 185.XX.56.XX port 56071 ssh2
Jan 29 20:21:44 mktpp sshd[52735]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 29 20:32:08 mktpp sshd[52735]: pam_unix(sshd:session): session closed for user centos

Well, we tried to login and we get this:

[root@xxxxxhostname centos]# su centos
This account is currently not available.

We see that in /etc/shadow there is a HASH. We don't know what to do, we have a lot of servers with this.

What can we do?

Greetings.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: centos user can login, security issue?

Post by TrevorH » 2019/01/31 13:47:16

The only things that CentOS supplies that have a 'centos' user baked in are the cloud images. I believe those are meant to be restricted to access via ssh-key only injected using cloud-init.

Are you using one of the cloud images? Or did you install from CentOS supplied media yourself?

The "This account is currently not available" just means the user is set up to use /sbin/nologin as a shell. From your logs it would appear that the centos user is set up with a password and that you have ssh password logins enabled (not recommended, you should secure it to use public/private keys only).

What's the output from uname -a ?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

ges985938954
Posts: 2
Joined: 2019/01/31 12:12:27

Re: centos user can login, security issue?

Post by ges985938954 » 2019/01/31 15:31:02

TrevorH wrote:
2019/01/31 13:47:16
The only things that CentOS supplies that have a 'centos' user baked in are the cloud images. I believe those are meant to be restricted to access via ssh-key only injected using cloud-init.

Are you using one of the cloud images? Or did you install from CentOS supplied media yourself?

The "This account is currently not available" just means the user is set up to use /sbin/nologin as a shell. From your logs it would appear that the centos user is set up with a password and that you have ssh password logins enabled (not recommended, you should secure it to use public/private keys only).

What's the output from uname -a ?


Linux [hostname] 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

We are going to change that password, but...

Jan 29 20:21:44 mktpp sshd[52735]: Accepted password for centos from 185.XX.56.XX port 56071 ssh2
Jan 29 20:21:44 mktpp sshd[52735]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 29 20:32:08 mktpp sshd[52735]: pam_unix(sshd:session): session closed for user centos

10 minutes later, it's closing the connection. wtf?

UPDATE:
Extracted from /etc/passwd
centos:x:1000:1000:Cloud User:/home/centos:/sbin/nologin
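A small audit script, added here as an example and not code posted in the thread, that does the two checks the discussion revolves around: it flags accepted SSH logins (and the authentication method) for accounts whose /etc/passwd shell is a nologin shell, since that shell only refuses an interactive shell and does not stop sshd from authenticating and opening a PAM session, and it pairs session open/close lines by sshd PID to compute the session lengths asked about above. The sample log and passwd lines are constructed from the excerpts posted in the thread; the year 2019 is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the thread's sshd log excerpt (addresses masked with XX as posted).
SAMPLE_LOG = """\
Jan 27 05:37:13 mktpp sshd[80187]: Accepted password for centos from 79.XX.160.XX port 49581 ssh2
Jan 27 05:37:13 mktpp sshd[80187]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 27 05:37:32 mktpp sshd[80187]: pam_unix(sshd:session): session closed for user centos
Jan 29 20:21:44 mktpp sshd[52735]: Accepted password for centos from 185.XX.56.XX port 56071 ssh2
Jan 29 20:21:44 mktpp sshd[52735]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jan 29 20:32:08 mktpp sshd[52735]: pam_unix(sshd:session): session closed for user centos
"""

# Constructed /etc/passwd excerpt matching the entry posted in the thread.
SAMPLE_PASSWD = "centos:x:1000:1000:Cloud User:/home/centos:/sbin/nologin\n"

ACCEPT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
CLOSE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: pam_unix\(sshd:session\): session closed for user (\S+)")

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_ts(stamp, year=2019):
    # Assumed year: syslog timestamps have no year field.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def nologin_users(passwd_text):
    """Accounts whose login shell is meant to refuse interactive logins."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[6] in NOLOGIN_SHELLS:
            users.add(fields[0])
    return users

def audit(log_text, passwd_text):
    """One record per accepted login: auth method, source, session length, and
    whether the account's shell says it should not be logging in at all."""
    locked = nologin_users(passwd_text)
    open_sessions, findings = {}, []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            ts, pid, method, user, src, port = m.groups()
            open_sessions[pid] = {"user": user, "method": method, "src": src, "port": int(port),
                                  "opened": parse_ts(ts), "duration_s": None, "nologin_shell": user in locked}
            continue
        m = CLOSE_RE.match(line)
        if m and m.group(2) in open_sessions:
            rec = open_sessions.pop(m.group(2))
            rec["duration_s"] = int((parse_ts(m.group(1)) - rec["opened"]).total_seconds())
            findings.append(rec)
    findings.extend(open_sessions.values())  # sessions still open when the log ends
    return findings
```

A password-authenticated login to an account with a nologin shell is the condition to alert on; a session lasting minutes rather than the second or so a refused shell takes is the second signal the thread's 20:21:44 to 20:32:08 entry shows.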

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: centos user can login, security issue?

Post by TrevorH » 2019/01/31 15:51:09

So your system is quite significantly back level then. The -693 kernels are from 7.4 and the current version is 7.6. You should yum update to get all the latest patches, many of them security related.

My advice about disabling password access still stands.
