There is more than one way to install a VM. If one runs the (Anaconda) installer, interactive or automated, then it writes the anaconda-ks.cfg.
However, it is also possible to assemble an "image" that is deployed without an installer.
A VM on a cloud platform can have the package "cloud-init", which configures the system on start, partly by config that is in the image, partly by data that the platform supplies, and with customizations that the user supplies while creating the instance. The cloud-init can create accounts too.
Furthermore, one can execute commands remotely, via ssh, and those do not register in shell history. Not to mention that in a shell you can give commands that are also ignored, not saved in command history.
Did you mention cPanel? I have no idea what that is, but assume clickety clack GUI crap. I would not be surprised, if it defines some accounts too.
check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
thanks
In this case,
how can we "audit/check" these remote commands?
The answer from the ISP about this is:
Code:
...you have ROOT PASSWORD and you could do any changes from your end itself.
Code:
[root@pepsi ~]# cat /root/.ssh/authorized_keys
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"centos\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCamIU4G7K3ghtcdoaROT39WBnmguM86Me9GlEXpl9B5/OGjSX79BQCgd5FCjMI4xEEEQqm5gDK3aXOMGlqf2Ajygcy++8uciN99ASJgYHp75f7E4Pj/R6oXGq2Uz06rpigep5mVRf5TBaZY2kyvIPh1Blbuw+SrIRmX5S+eAuB1rgZJodarJqu2g3dxcCJL1t6DVO6sTls4y9b7NrxzeSuTv3oFf6xvkUv6v3QFrRi2yTn+Zm5YOBvDISAoDmlSL82H1KKEKEbUK412HwUb9uLHZv6E1acocn6ZKQOjjGfSi+YjqT5hiXXOG4tvvWXjhhLU1oXbPYpj8rRIfPljR4d Generated-by-Nova
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"centos\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyRMW7vRVFrcfFx3wsOWt+zimrJGqT358oDnzcN3ldVsaSpqyitDe1R6C12upH39JNwPl495swdt/N2Cw8CixP4nlcDfvjaRpRHasWEymp6+Tv4EMvOmI5QI5iPPChwyBex69OncAxzjsS+d8TO5L0AIHhrYWA9pHROC1vkn6hKjyewmnGmUA+4Jc0ZwrK2HUvQGJujg88i8M4/474F/J31rVbA3ETJF3w+1/6x+Mj5cjdi6HIuznz9PMYn27Yb+VoM/rpl5xa2FS4+NH6Lr3HCQKJRbwKnx+oqEQ+XbKa5bgaj/nu2wCxThxa/J5ZEUP8eI0wrv3e/jEBi4ZFOSQv Generated-by-Nova
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"centos\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPIQTEKDTIJp9IoX9FQM6FPE6e1bPC+LEvStSuVQ0SOPHhuXpNh9J8+7qZNsaujd8fO5Xa9q0XmulQMX1UesTieJ/SW6rWJzNO2o0QpFfpW/6/3x7hVad+BIfnpmqO5RZhD2PdnPHmx3geR0XUo8K8dMPM1Q5pB/rhXiaQVv5OSfF6Tbggkl7vKc7QA0Q9lOKM7CKXWMRFOcHFjLA+45MkQqce3dy9GgE0pjGPnUwSfjw7Cy6kWPN4G7F8+4ai5OLx8/DR96kCSiXEiOEaRRkH7r9S53xWzzpwG5Knz8ulcIQ597oQsPMW9QhwIEvCyAoYZQzSbi0/2vI2MxZYK9X1 Generated-by-Nova
[root@pepsi ~]#
Code:
killall avahi-autoipd
killall centos
killall systemd-bus-proxy
killall tss
killall whbadmin
killall whbhelper
pkill -u avahi-autoipd
pkill -u centos
pkill -u systemd-bus-proxy
pkill -u tss
pkill -u whbadmin
pkill -u whbhelper
### DELETE USERS:
userdel -r avahi-autoipd
userdel -r centos
userdel -r systemd-bus-proxy
userdel -r tss
userdel -r whbadmin
userdel -r whbhelper
Code:
[root@pepsi ~]# cat /etc/passwd | wc -l
18
[root@pepsi ~]#
Code:
[root@pepsi ~]# yum history
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
20 | Cloud User <centos> | 2020-08-31 14:50 | Update | 2
19 | Cloud User <centos> | 2020-08-31 14:50 | I, U | 5
18 | Cloud User <centos> | 2020-08-31 14:50 | Update | 1
17 | Cloud User <centos> | 2020-08-31 14:50 | I, U | 11 EE
16 | Cloud User <centos> | 2020-08-31 14:49 | Install | 1
15 | Cloud User <centos> | 2020-08-31 14:49 | Install | 1
14 | Cloud User <centos> | 2020-08-31 14:49 | Install | 1
13 | Cloud User <centos> | 2018-06-15 16:22 | Erase | 1
12 | Cloud User <centos> | 2018-06-15 16:20 | I, O, U | 281 EE
11 | Cloud User <centos> | 2018-06-15 16:19 | I, U | 22
10 | Cloud User <centos> | 2016-11-10 08:41 | I, U | 3
9 | root <root> | 2016-01-21 06:39 | Install | 31
8 | root <root> | 2016-01-21 06:37 | Install | 1
7 | root <root> | 2016-01-21 06:19 | Install | 1
6 | root <root> | 2016-01-21 06:09 | Install | 12
5 | root <root> | 2016-01-21 06:09 | Install | 1
4 | root <root> | 2016-01-21 05:58 | Install | 34
3 | root <root> | 2016-01-21 05:56 | Update | 25
2 | root <root> | 2016-01-21 05:54 | Install | 1
1 | System <unset> | 2016-01-21 05:45 | Install | 279
history list
[root@pepsi ~]#
Any other recommendations for our "clean VPS"?
regards
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
The command="echo 'Please login as the user \"centos\" rather than the user \"root\".';echo;sleep 10" is exactly what cloud-init does: it creates a regular account (here "centos") and prevents anyone from connecting directly as root via ssh. The account created by cloud-init has the same ssh public keys as root, with the difference that login is allowed.
It is a best practice to not log in as root, particularly with a password.
It is a best practice to not allow ssh with password logins at all.
The config for cloud-init is probably under /etc/cloud-init/.
If you did remove the only account you could ssh into, then you can't ssh in any more (unless you opened other options). Sounds to me that your search for "security" opens or breaks more than it closes.
You seem to have posted to linuxquestions.org too. Do you get any better answers there?
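The check this reply implies, as an added example that is not part of the thread: parse authorized_keys lines, pull out the forced command= option, and fingerprint each key so that root's locked entries can be compared with the keys of the cloud-init account. The key blobs are constructed stand-ins rather than real keys, and the function names are this example's own.

```python
import base64
import hashlib

def split_unquoted(text, seps):
    """Split on separators outside double quotes; a backslash escapes the next char inside quotes."""
    parts, cur, quoted, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur, i = cur + text[i:i + 2], i + 2
            continue
        if c == '"':
            quoted = not quoted
        if c in seps and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    return parts + ([cur] if cur else [])

def parse_entry(line):
    """Parse one authorized_keys line: [options] keytype base64-blob [comment]."""
    fields = split_unquoted(line.strip(), " \t")
    opts = "" if fields[0].startswith(("ssh-", "ecdsa-", "sk-")) else fields.pop(0)
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    options = split_unquoted(opts, ",")
    forced = [o[len('command="'):-1] for o in options if o.startswith('command="')]
    return {"fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
            "options": options, "forced_command": forced[0] if forced else None,
            "comment": " ".join(fields[2:])}

def load(text):
    rows = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {e["fingerprint"]: e for e in map(parse_entry, rows)}

def audit(root_text, user_text):
    """Compare root's keys with the cloud user's keys by fingerprint."""
    root, user = load(root_text), load(user_text)
    return {"root_interactive": sorted(fp for fp, e in root.items() if e["forced_command"] is None),
            "shared": sorted(set(root) & set(user)),
            "user_only": sorted(set(user) - set(root))}

def blob(seed):
    return base64.b64encode(seed).decode()  # constructed stand-in, not a real key

LOCK = r'''no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"centos\" rather than the user \"root\".';echo;sleep 10"'''
ROOT_SAMPLE = f"{LOCK} ssh-rsa {blob(b'constructed-key-A')} Generated-by-Nova\n"
USER_SAMPLE = (f"ssh-rsa {blob(b'constructed-key-A')} Generated-by-Nova\n"
               f"ssh-rsa {blob(b'constructed-key-B')} constructed-extra-key\n")
```

On a real system, pass the contents of /root/.ssh/authorized_keys and the cloud user's authorized_keys to audit(); the fingerprints use the same SHA256 form that ssh-keygen -lf prints, so "user_only" entries can be matched against keys you know you installed.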
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
Any place where I can improve my security is fine.
For example:
https://www.linuxquestions.org/question ... 175616422/
I did not know the option "DenyUsers"...