Root password changing by itself

Tim ignored_mailbox at yahoo.com.au
Tue May 20 03:12:17 UTC 2008


Vijay Krishnan:
>      I have Fedora 5 and 6 installed on my machines. I strangely find
> that I am often unable to log in to the machine with my regular
> password using ssh. Fortunately I have physical access to the machine,
> which allows me to change the password back.

Are you changing it back, or just setting the same password again?  The
first would indicate someone's changing it on you.  The latter a fault
(you're presuming it's changed, because you couldn't log in, but
something else might be preventing the log in).

If you keep changing it back to a password that a hacker has already
worked out, then you're not doing anything to protect yourself.  Set a
new password, a damn good one.

If you've been hacked, the simplest resolution is a fresh install, being
very careful about what you put back on the new system from your old
installation.  Don't re-install a trojan.

Otherwise, if you're going to try and keep on using your existing
installation, you're going to need to check, very thoroughly, for a
trojan.  Which may well be a "rootkit" (one designed to give root access
to a box, and to be quite well hidden from discovery).

Afterwards, install something like the fail2ban package.  Then, someone
trying to ssh in to your machine only gets a limited number of attempts
before their IP is locked out.  That makes it much harder for a hacker
to keep on trying to break it; the only way around for them to keep on
attempting is to come at you from numerous different IPs.

Where do you need to be able to ssh into the machine from?  If it's just
within your LAN, then firewall the ssh port off from the internet.  If
you do need to access it from the net, then still firewall it off, but
open through some holes from the locations you need to access it from.
That'll limit hacking possibilities, too.


-- 
[tim at bigblack ~]$ uname -ipr
2.6.23.15-80.fc7 i686 i386

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
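
An added example, not part of the original message: one way to check the two things the reply turns on, namely whether the password was really changed (the last-change field of the shadow(5) entry) and which addresses are piling up failed ssh logins (the counts a tool like fail2ban acts on). The shadow entry, log lines, addresses and function names are constructed for illustration; on Fedora the real data is in /etc/shadow and /var/log/secure.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample data (not from the original post). The hash is a
# placeholder; field 3 (14018) is the last password change in days since 1970.
SAMPLE_SHADOW = "root:$1$CONSTRUCTED$notarealhash:14018:0:99999:7:::"
SAMPLE_LOG = """\
May 19 22:01:10 box sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
May 19 22:01:13 box sshd[2103]: Failed password for root from 203.0.113.7 port 40118 ssh2
May 19 22:01:17 box sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40125 ssh2
May 19 22:04:02 box sshd[2120]: Failed password for vijay from 192.168.1.20 port 51544 ssh2
May 19 22:05:40 box sshd[2131]: Accepted password for root from 198.51.100.9 port 33822 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")


def last_password_change(shadow_line):
    """Return the date in field 3 of a shadow(5) entry, or None if it is empty."""
    fields = shadow_line.strip().split(":")
    if len(fields) < 3 or not fields[2].isdigit():
        return None  # aging data not recorded for this account
    return date(1970, 1, 1) + timedelta(days=int(fields[2]))


def failures_by_ip(log_text):
    """Count failed sshd password attempts per source address."""
    return Counter(m.group(2) for m in map(FAILED.search, log_text.splitlines()) if m)


def over_limit(log_text, max_retry=3):
    """Addresses at or over the retry limit (max_retry is a hypothetical knob)."""
    return sorted(ip for ip, n in failures_by_ip(log_text).items() if n >= max_retry)


def accepted_logins(log_text, user="root"):
    """Source addresses of successful logins for `user`, to compare with your own."""
    return [m.group(2) for m in map(ACCEPTED.search, log_text.splitlines())
            if m and m.group(1) == user]


if __name__ == "__main__":
    print("last change:", last_password_change(SAMPLE_SHADOW))
    print("over limit:", over_limit(SAMPLE_LOG))
    print("root logins from:", accepted_logins(SAMPLE_LOG))
```

A last-change date later than the day you set the password yourself points to someone else changing it; the field has only day resolution and root can rewrite it, so an unchanged date does not rule out a compromise.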







More information about the fedora-list mailing list