BTW, to assure this password (on my Linux it injects !! into/as the password in
/etc/shadow - but I believe other variants may use other characters and/or do
other things to lock, i.e. placing a character in front of the existing password):
# authtest root
Authentication succeeded.
Authenticated: root (system username: root)
Home Directory: /root
Maildir: (none)
Quota: (none)
Encrypted Password: !!
Cleartext Password: (none)
Options: (none)
But authdaemon uses PAM right? So we're *not* going to get someone using
something that validly crypts to !! ...
Alan
From: [email protected]
To: [email protected]; [email protected]
Date: Tue, 16 Jun 2015 12:26:36 +0000
Subject: Re: [courier-users] spammer masquerading as root
Hi Sam,
Perhaps I wasn't clear about the no password set. This was done with passwd -d
to remove; and passwd -l to lock it. It is not possible for anyone to escalate
privilege to root.
But as seen in the log; this is an external SMTP message, not one sent as root
via an internal network. If the auth=root really *is* root, how *can* this
user have authenticated??
Alan
From: [email protected]
To: [email protected]
Date: Tue, 16 Jun 2015 07:04:36 -0400
Subject: Re: [courier-users] spammer masquerading as root
alan milligan writes:
>
> Hi,
>
> I've got some nasty spammer managing to send spam via my mail server by
> somehow authenticating as root (if I understand the logs correctly):
> Jun 15 22:56:04 hostname courierd:
> newmsg,id=000000000034D6E2.00000000557F9043.00005D5F, auth=root: dns; User
> (x.x-x-x.rdns.scalabledns.com [::ffff:x.x.x.x])
>
> My authdaemon (latest version: 0.66.2) is configured with pam and ldap (LOGIN
> auth only): but there is *no* password set for the root user (it's RSA
> identity only). It would seem quite impossible that this user really can be
> authenticated as root.
There is a difference between having an empty password, or having password
authentication blocked for a particular userid.
If you simply have no password set for the root user, it is an empty
password, and anyone can attempt to authenticate as root by supplying an
empty password.
Try to su to root, and hit enter when prompted for a password. If you
succeed, congratulations, anyone on the box can get root without a password.
The correct way to disable password-based authentication for root, or any
other account, with the only way to get root being an ssh key, is to set
root's password to some long gibberish password, that's quickly forgotten.
Then, the only way to log in is with an ssh key.
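The distinction Sam draws here (an empty password field versus a locked one) and the "!!" Alan sees in his authtest output both come down to what sits in the second field of /etc/shadow. The following shell script is an added example, not code from the thread or from Courier, that classifies that field the way passwd/pam_unix treat it: an empty field means an empty password will be tried against the account, "!", "!!", "*" or a "!"-prefixed hash means password authentication is blocked (the result of passwd -l, which on some distributions writes "!!" and on others prefixes the existing hash with "!"), and anything else is a usable hash. The shadow lines and the hash strings in the sample are constructed placeholders, not real data.

```shell
#!/bin/sh
# Added example (not from the courier-users thread): tell an empty
# password field apart from a locked one in /etc/shadow.
#
# classify_pw_field FIELD -> prints one of: empty | locked | hashed
classify_pw_field() {
    case "$1" in
        '')        echo empty ;;    # empty field: empty password may be accepted
        '!'*|'*')  echo locked ;;   # passwd -l / usermod -L, or never set
        *)         echo hashed ;;   # a real crypt(3) hash
    esac
}

# classify_shadow: read shadow-format lines on stdin, print "user status"
classify_shadow() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        echo "$user $(classify_pw_field "$pw")"
    done
}

# Constructed sample (NOT a real shadow file; hashes are placeholders):
#   root  - empty password field, the dangerous case Sam describes
#   alice - locked by `passwd -l` on a RHEL-style system ("!!")
#   bob   - locked by prefixing the existing hash with "!" (Debian-style)
#   carol - ordinary hashed password
SAMPLE_SHADOW='root::16500:0:99999:7:::
alice:!!:16500:0:99999:7:::
bob:!$6$saltsalt$placeholderhash:16500:0:99999:7:::
carol:$6$saltsalt$placeholderhash:16500:0:99999:7:::'

# find_empty_passwords: print every account whose password field is empty.
# Exit status 0 means none found, 1 means at least one was found, so it can
# be used as a check (the offline equivalent of "su to root and hit enter").
# Replace the sample with `cat /etc/shadow` (as root) on a real host.
find_empty_passwords() {
    printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow |
        awk '$2 == "empty" { print $1; found = 1 } END { exit found ? 1 : 0 }'
}

# Stand-alone run: list every account with its status, then the check.
printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
find_empty_passwords || echo "WARNING: accounts with empty password field above"
```

Whether an empty field is actually accepted by PAM depends on the module configuration (pam_unix rejects it unless nullok is set), but Sam's advice stands: do not rely on that, lock the account or set a password nobody knows.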
------------------------------------------------------------------------------
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users