check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Support for security such as Firewalls and securing linux
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by jlehtone » 2021/10/03 06:18:08

There is more than one way to install a VM. If one runs the (Anaconda) installer, interactive or automated, then it writes the anaconda-ks.cfg.
However, it is also possible to assemble an "image" that is deployed without the installer.

A VM on a cloud platform can have the package "cloud-init" configure the system on start, partly by config that is in the image, partly by data that the platform supplies, and with customizations that the user supplies while creating the instance. The cloud-init can create accounts too.

Furthermore, one can execute commands remotely, via ssh, and those do not register in shell history. Not to mention that you can give commands in the shell that are also ignored, not saved in command history.


Did you mention cPanel? I have no idea what that is, but I assume clickety clack GUI crap. I would not be surprised if it defines some accounts too.

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by Windows » 2021/10/03 13:52:14

jlehtone wrote:
2021/10/03 06:18:08
...Furthermore, one can execute commands remotely, via ssh, and those do not register in shell history. Not to mention that you can give commands in the shell that are also ignored, not saved in command history.
thanks

in these cases,
how can we "audit/check" these remote commands?

The answer from ISP about this is:


...you have ROOT PASSWORD and you could do any changes from your end itself.
then I delete the file authorized_keys:


[root@pepsi ~]# cat /root/.ssh/authorized_keys
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"centos\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCamIU4G7K3ghtcdoaROT39WBnmguM86Me9GlEXpl9B5/OGjSX79BQCgd5FCjMI4xEEEQqm5gDK3aXOMGlqf2Ajygcy++8uciN99ASJgYHp75f7E4Pj/R6oXGq2Uz06rpigep5mVRf5TBaZY2kyvIPh1Blbuw+SrIRmX5S+eAuB1rgZJodarJqu2g3dxcCJL1t6DVO6sTls4y9b7NrxzeSuTv3oFf6xvkUv6v3QFrRi2yTn+Zm5YOBvDISAoDmlSL82H1KKEKEbUK412HwUb9uLHZv6E1acocn6ZKQOjjGfSi+YjqT5hiXXOG4tvvWXjhhLU1oXbPYpj8rRIfPljR4d Generated-by-Nova
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"centos\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyRMW7vRVFrcfFx3wsOWt+zimrJGqT358oDnzcN3ldVsaSpqyitDe1R6C12upH39JNwPl495swdt/N2Cw8CixP4nlcDfvjaRpRHasWEymp6+Tv4EMvOmI5QI5iPPChwyBex69OncAxzjsS+d8TO5L0AIHhrYWA9pHROC1vkn6hKjyewmnGmUA+4Jc0ZwrK2HUvQGJujg88i8M4/474F/J31rVbA3ETJF3w+1/6x+Mj5cjdi6HIuznz9PMYn27Yb+VoM/rpl5xa2FS4+NH6Lr3HCQKJRbwKnx+oqEQ+XbKa5bgaj/nu2wCxThxa/J5ZEUP8eI0wrv3e/jEBi4ZFOSQv Generated-by-Nova
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"centos\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPIQTEKDTIJp9IoX9FQM6FPE6e1bPC+LEvStSuVQ0SOPHhuXpNh9J8+7qZNsaujd8fO5Xa9q0XmulQMX1UesTieJ/SW6rWJzNO2o0QpFfpW/6/3x7hVad+BIfnpmqO5RZhD2PdnPHmx3geR0XUo8K8dMPM1Q5pB/rhXiaQVv5OSfF6Tbggkl7vKc7QA0Q9lOKM7CKXWMRFOcHFjLA+45MkQqce3dy9GgE0pjGPnUwSfjw7Cy6kWPN4G7F8+4ai5OLx8/DR96kCSiXEiOEaRRkH7r9S53xWzzpwG5Knz8ulcIQ597oQsPMW9QhwIEvCyAoYZQzSbi0/2vI2MxZYK9X1 Generated-by-Nova
[root@pepsi ~]#
I also delete the users (first I stop their processes):


### killall matches process *names*, not account names
killall avahi-autoipd
killall centos
killall systemd-bus-proxy
killall tss
killall whbadmin
killall whbhelper

### pkill -u matches processes *owned by* the named user
pkill -u avahi-autoipd
pkill -u centos
pkill -u systemd-bus-proxy
pkill -u tss
pkill -u whbadmin
pkill -u whbhelper

### DELETE USERS (-r also removes the home directory and mail spool):
userdel -r avahi-autoipd
userdel -r centos
userdel -r systemd-bus-proxy
userdel -r tss
userdel -r whbadmin
userdel -r whbhelper
then we have no strange users left:


[root@pepsi ~]# cat /etc/passwd | wc -l
18
[root@pepsi ~]#
finally I see this:


[root@pepsi ~]# yum history
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    20 | Cloud User <centos>      | 2020-08-31 14:50 | Update         |    2
    19 | Cloud User <centos>      | 2020-08-31 14:50 | I, U           |    5
    18 | Cloud User <centos>      | 2020-08-31 14:50 | Update         |    1
    17 | Cloud User <centos>      | 2020-08-31 14:50 | I, U           |   11 EE
    16 | Cloud User <centos>      | 2020-08-31 14:49 | Install        |    1
    15 | Cloud User <centos>      | 2020-08-31 14:49 | Install        |    1
    14 | Cloud User <centos>      | 2020-08-31 14:49 | Install        |    1
    13 | Cloud User <centos>      | 2018-06-15 16:22 | Erase          |    1
    12 | Cloud User <centos>      | 2018-06-15 16:20 | I, O, U        |  281 EE
    11 | Cloud User <centos>      | 2018-06-15 16:19 | I, U           |   22
    10 | Cloud User <centos>      | 2016-11-10 08:41 | I, U           |    3
     9 | root <root>              | 2016-01-21 06:39 | Install        |   31
     8 | root <root>              | 2016-01-21 06:37 | Install        |    1
     7 | root <root>              | 2016-01-21 06:19 | Install        |    1
     6 | root <root>              | 2016-01-21 06:09 | Install        |   12
     5 | root <root>              | 2016-01-21 06:09 | Install        |    1
     4 | root <root>              | 2016-01-21 05:58 | Install        |   34
     3 | root <root>              | 2016-01-21 05:56 | Update         |   25
     2 | root <root>              | 2016-01-21 05:54 | Install        |    1
     1 | System <unset>           | 2016-01-21 05:45 | Install        |  279
history list
[root@pepsi ~]#
master @TrevorH is right: "get out of this ISP", but for now we can't.

Any other recommendation for us to "clean the VPS"?


regards
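Added example, not part of any post in this thread: the question above is how to audit remote ssh commands that never reach ~/.bash_history. On CentOS 7 the evidence is in /var/log/secure rather than in shell history: sshd logs every accepted login with the key fingerprint it used ("Accepted publickey for ... ssh2: RSA SHA256:..."), and useradd logs "new user: name=..." when an account is created. The script below parses /root/.ssh/authorized_keys (computing the same SHA256 fingerprint that `ssh-keygen -lf` prints), parses those two kinds of log lines, and attributes each account creation to the most recent accepted ssh session. The keys, hostnames, IPs and log lines are all constructed for the example (the key blobs are made-up ed25519 points, not real keys), and the "last accepted session" attribution is a heuristic, not something sshd records.

```python
"""Who created which account? Correlate /var/log/secure with authorized_keys.

Added example (not from the thread). All keys, hosts, IPs and log lines are
constructed; attribution uses a "last accepted ssh session" heuristic.
"""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AuthorizedKey:
    options: Dict[str, Optional[str]]  # flag options (no-pty, ...) map to None
    keytype: str
    blob_b64: str
    comment: str

    def fingerprint(self) -> str:
        """SHA256 fingerprint as printed by `ssh-keygen -lf` and logged by sshd."""
        digest = hashlib.sha256(base64.b64decode(self.blob_b64)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    @property
    def forced_command(self) -> Optional[str]:
        return self.options.get("command")


def _store(opts: Dict[str, Optional[str]], key: Optional[str], buf: List[str]) -> None:
    if key is None:
        if buf:
            opts["".join(buf)] = None  # flag option such as no-port-forwarding
    else:
        opts[key] = "".join(buf)


def parse_options(raw: str) -> Dict[str, Optional[str]]:
    """Split the comma-separated option list; quoted values may contain
    commas, spaces and backslash-escaped quotes (as in command="...")."""
    opts: Dict[str, Optional[str]] = {}
    buf: List[str] = []
    key: Optional[str] = None
    inq = False
    i = 0
    while i < len(raw):
        c = raw[i]
        if inq:
            if c == "\\" and i + 1 < len(raw):
                buf.append(raw[i + 1])
                i += 2
                continue
            if c == '"':
                inq = False
            else:
                buf.append(c)
        elif c == '"':
            inq = True
        elif c == "=" and key is None:
            key, buf = "".join(buf), []
        elif c == ",":
            _store(opts, key, buf)
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    _store(opts, key, buf)
    return opts


KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_key(line: str) -> Optional[AuthorizedKey]:
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_raw = ""
    if not line.startswith(KEY_TYPE_PREFIXES):
        # The option list ends at the first whitespace outside double quotes.
        inq, i = False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and inq:
                i += 2
                continue
            if c == '"':
                inq = not inq
            elif c.isspace() and not inq:
                break
            i += 1
        options_raw, line = line[:i], line[i:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line")
    comment = parts[2] if len(parts) == 3 else ""
    return AuthorizedKey(parse_options(options_raw), parts[0], parts[1], comment)


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    keys = [parse_authorized_key(l) for l in text.splitlines()]
    return [k for k in keys if k is not None]


def unrestricted_keys(keys: List[AuthorizedKey]) -> List[AuthorizedKey]:
    """Keys that give a real shell (no forced command) - the ones to review."""
    return [k for k in keys if k.forced_command is None]


TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
ACCEPTED = re.compile(
    TS + r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2(?:: (?P<alg>\S+) (?P<fp>SHA256:\S+))?"
)
USERADD = re.compile(
    TS + r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), "
    r"GID=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>\S+)"
)


def parse_secure_log(text: str) -> List[dict]:
    """Keep only accepted ssh logins and account creations, in log order."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            events.append({"kind": "login", **m.groupdict()})
            continue
        m = USERADD.match(line)
        if m:
            events.append({"kind": "useradd", **m.groupdict()})
    return events


def attribute_user_creations(events: List[dict], keys: List[AuthorizedKey]) -> List[dict]:
    """Heuristic: blame each useradd on the most recent accepted ssh session."""
    by_fp = {k.fingerprint(): k for k in keys}
    last: Optional[dict] = None
    report = []
    for ev in events:
        if ev["kind"] == "login":
            last = ev
            continue
        key = by_fp.get(last["fp"]) if last and last["fp"] else None
        report.append({
            "new_user": ev["name"],
            "uid": int(ev["uid"]),
            "session_user": last["user"] if last else None,
            "from_ip": last["ip"] if last else None,
            "method": last["method"] if last else None,
            "key_comment": key.comment if key else None,
            "key_forced_command": key.forced_command if key else None,
        })
    return report


# ---- constructed sample data (not real keys, not real logs) ----------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _fake_ed25519_blob(seed: int) -> str:
    """Wire-format ssh-ed25519 public key with a made-up 32-byte point."""
    point = bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(point)).decode()


AUTHORIZED_KEYS = (
    'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,'
    'command="echo \'Please login as the user \\"centos\\" rather than the user \\"root\\".\';echo;sleep 10" '
    f"ssh-ed25519 {_fake_ed25519_blob(1)} Generated-by-Nova\n"
    f"ssh-ed25519 {_fake_ed25519_blob(77)} ops-laptop\n"
)
KEYS = parse_authorized_keys(AUTHORIZED_KEYS)
SECURE_LOG = "\n".join([
    f"Oct  3 13:39:50 pepsi sshd[2301]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2: ED25519 {KEYS[0].fingerprint()}",
    f"Oct  3 13:40:02 pepsi sshd[2310]: Accepted publickey for root from 203.0.113.5 port 51240 ssh2: ED25519 {KEYS[1].fingerprint()}",
    "Oct  3 13:40:31 pepsi useradd[2345]: new user: name=whbadmin, UID=1001, GID=1001, home=/home/whbadmin, shell=/bin/bash",
    "Oct  3 14:02:11 pepsi sshd[2500]: Accepted password for root from 198.51.100.7 port 4444 ssh2",
    "Oct  3 14:02:40 pepsi useradd[2533]: new user: name=whbhelper, UID=1002, GID=1002, home=/home/whbhelper, shell=/sbin/nologin",
    "Oct  3 14:05:00 pepsi sshd[2600]: Failed password for invalid user admin from 198.51.100.7 port 4450 ssh2",
])

if __name__ == "__main__":
    for k in KEYS:
        print(k.fingerprint(), k.comment, "forced:", k.forced_command)
    for row in attribute_user_creations(parse_secure_log(SECURE_LOG), KEYS):
        print(row)
```

Run against real data with `parse_authorized_keys(open("/root/.ssh/authorized_keys").read())` and `parse_secure_log(open("/var/log/secure").read())` (rotated files are /var/log/secure-YYYYMMDD). Two caveats: a session that logged in as "centos" and ran `sudo useradd` still shows up as a centos login followed by a useradd, so the report points at the account and source address, not at a person; and an attacker with root can edit /var/log/secure, so for the next incident ship the log off the box (rsyslog to a remote host) and consider auditd rules on /etc/passwd and /etc/shadow.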

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by jlehtone » 2021/10/03 14:28:26

The command="echo 'Please login as the user \"centos\" rather than the user \"root\".';echo;sleep 10" is exactly what cloud-init does; it creates a regular account (here "centos") and prevents anyone from connecting directly as root via ssh. The account created by cloud-init has the same ssh public keys as root, with the difference that login is allowed.
It is a best practice to not log in as root, particularly with a password.
It is a best practice to not allow ssh with password logins at all.
The config for cloud-init is probably under /etc/cloud-init/.

If you did remove the only account you could ssh into, then you can't ssh in any more (unless you opened other options). Sounds to me that your search for "security" opens or breaks more than it closes.

You seem to have posted to linuxquestions.org too. Do you get any better answers there?

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by Windows » 2021/10/03 15:28:50

jlehtone wrote:
2021/10/03 14:28:26
You seem to have posted to linuxquestions.org too. Do you get any better answers there?
any place where I can improve my security is fine.

For example:
https://www.linuxquestions.org/question ... 175616422/

I unknow the option "DenyUsers"...

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by Windows » 2021/10/03 15:55:48

* I did not know
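Added example, not part of any post in this thread: jlehtone's two best practices (no root login, no password logins over ssh) and the DenyUsers option mentioned above all live in /etc/ssh/sshd_config, and the usual way to get them wrong is to append hardening lines to the bottom of the file. sshd uses the first value it obtains for a keyword, so an earlier "PasswordAuthentication yes" silently wins over a later "no". The checker below models that rule (DenyUsers is the exception modelled here: its lists accumulate), stops auditing at the first Match block, and compares a weak config against a hardened one. Both config texts, the line numbers and the policy in REQUIRED are constructed for the example; on a real host, `sshd -T` prints the effective values and is the final word.

```python
"""Audit an sshd_config for PermitRootLogin / PasswordAuthentication / DenyUsers.

Added example (not from the thread); the config texts below are constructed.
Models sshd's "first value obtained for a keyword wins" rule for the global
section; DenyUsers accumulates instead. Verify on a real host with `sshd -T`.
"""
import re
from typing import Dict, List, Tuple

# Assumed policy for this example, not an sshd default.
# ChallengeResponseAuthentication is included because with UsePAM a
# keyboard-interactive login can still take a password when it is "yes".
REQUIRED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
}


def parse_sshd_config(text: str):
    """Return (effective, ignored, deny_users, match_lines).

    effective:   keyword -> (value, line no.) for the global section, first wins
    ignored:     (keyword, value, line no.) of later duplicates sshd discards
    deny_users:  accumulated DenyUsers entries
    match_lines: number of lines inside Match blocks (conditional, not audited)
    """
    effective: Dict[str, Tuple[str, int]] = {}
    ignored: List[Tuple[str, str, int]] = []
    deny_users: List[str] = []
    match_lines = 0
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after applies only to matching connections
            continue
        if in_match:
            match_lines += 1
            continue
        if key == "denyusers":
            deny_users.extend(value.split())
            continue
        if key in effective:
            ignored.append((key, value, lineno))
        else:
            effective[key] = (value, lineno)
    return effective, ignored, deny_users, match_lines


def audit(text: str) -> List[str]:
    """Human-readable findings; an empty list means the policy is met."""
    effective, ignored, _, _ = parse_sshd_config(text)
    findings = []
    for key, allowed in REQUIRED.items():
        if key not in effective:
            findings.append(f"{key}: not set, compiled-in default applies (check `sshd -T`)")
            continue
        value, lineno = effective[key]
        if value.lower() in allowed:
            continue
        msg = f"{key}: '{value}' at line {lineno}"
        later = [(v, n) for k, v, n in ignored if k == key]
        if later:
            msg += "; later " + ", ".join(f"'{v}' at line {n}" for v, n in later)
            msg += " is ignored (first value wins)"
        findings.append(msg)
    return findings


# ---- constructed configs ---------------------------------------------------
WEAK_CONFIG = """\
# constructed sshd_config: looks hardened at the bottom, is not
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

# appended "hardening" that sshd ignores because the keywords were set above
PermitRootLogin prohibit-password
PasswordAuthentication no
DenyUsers whbadmin whbhelper

Match User centos
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed sshd_config: each keyword set once, near the top
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
DenyUsers whbadmin whbhelper
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "OK")
```

After editing the real file, `sshd -t` checks the syntax and `sshd -T | grep -iE 'permitrootlogin|passwordauthentication|denyusers'` shows what sshd will actually enforce; keep an existing session open while you `systemctl reload sshd`, because with PasswordAuthentication off and the only key-bearing account deleted (as happened above) there is no way back in.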

