Hi Sam,

Perhaps I wasn't clear about the no password set. This was done with passwd -d to remove; and passwd -l to lock it. It is not possible for anyone to escalate privilege to root.
But as seen in the log; this is an external SMTP message, not one sent as root via an internal network. If the auth=root really *is* root, how *can* this user have authenticated??

Alan

From: [email protected]
To: [email protected]
Date: Tue, 16 Jun 2015 07:04:36 -0400
Subject: Re: [courier-users] spammer masquerading as root

alan milligan writes:

> « HTML content follows »
>
> Hi,
>
> I've got some nasty spammer managing to send spam via my mail server by
> somehow authenticating as root (if I understand the logs correctly):
> Jun 15 22:56:04 hostname courierd:
> newmsg,id=000000000034D6E2.00000000557F9043.00005D5F, auth=root: dns; User
> (x.x-x-x.rdns.scalabledns.com [::ffff:x.x.x.x])
>
> My authdaemon (latest version: 0.66.2) is configured with pam and ldap (LOGIN
> auth only): but there is *no* password set for the root user (it's RSA
> identity only). It would seem quite impossible that this user really can be
> authenticated as root.

There is a difference between having an empty password, or having password authentication blocked for a particular userid. If you simply have no password set for the root user, it is an empty password, and anyone can attempt to authenticate as root by supplying an empty password.

Try to su to root, and hit enter when prompted for a password. If you succeed, congratulations, anyone on the box can get root without a password.

The correct way to disable password-based authentication for root, or any other account, with the only way to get root being an ssh key, is to set root's password to some long gibberish password, that's quickly forgotten. Then, the only way to log in is with an ssh key.

------------------------------------------------------------------------------
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
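The thread turns on the difference between an empty password field and a locked one in the shadow file. The following is an added example, not part of the original messages: a check that classifies the password field of shadow(5) entries. The function names `classify_field` and `audit_shadow` are hypothetical and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5) entries.
# classify_field and audit_shadow are hypothetical names; the sample
# entries at the bottom are constructed, not taken from a real system.

# Field 2 of a shadow entry decides whether password authentication can succeed.
classify_field() {
    case "$1" in
        "")        echo "EMPTY" ;;    # state left by passwd -d: an empty password matches
        '!'*|'*'*) echo "LOCKED" ;;   # not a valid crypt(3) result (passwd -l adds '!')
        '$'*)      echo "HASHED" ;;   # modular crypt hash: a password is set
        *)         echo "OTHER" ;;    # legacy or unrecognized format, inspect manually
    esac
}

# Read shadow-format lines on stdin, print "user STATE" for each,
# and return 1 if any account has an empty password field.
audit_shadow() {
    rc=0
    while IFS=: read -r user field rest; do
        if [ -z "$user" ]; then continue; fi
        state=$(classify_field "$field")
        printf '%s %s\n' "$user" "$state"
        if [ "$state" = "EMPTY" ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample input.
audit_shadow <<'EOF' || echo "WARNING: at least one account accepts an empty password"
root::16601:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16601:0:99999:7:::
daemon:*:16601:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:16601:0:99999:7:::
EOF
```

To check a real host, run `audit_shadow < /etc/shadow` as root.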
