
This morning I found myself unable to log into the root account on one of my (CentOS 6) servers. I booted into single user mode and reset the root password. Everything seems to be working normally now.

I have a number of monitoring metrics that watch behavior on this server and have seen no evidence of nefarious activity. However, I am not sure I can trust the security of this server without doing a full OS reinstall.

  • What steps can I take to diagnose the cause of this?
  • In theory someone may have had root access to my machine. Is there any way I can rule this possibility out?
7yl4r
  • Definitely a duplicate. As always: nuke it from orbit, reset your root passwords, don't let root log in via SSH. – Spooler Mar 09 '18 at 21:36
  • Thanks guys. I am not sure how I missed that one while searching for similar questions. – 7yl4r Mar 10 '18 at 21:55

1 Answer


You could just forget the password, it happened to me. :-)

If your server was compromised, then you can't trust data or code stored on it. Maybe you have some external logging facilities, like:

  • a remote syslog server,
  • a firewall appliance which logs connections,
  • or even just a managed switch which logs connections?

I would not hesitate to reinstall this machine. In the meantime, try configuring a remote logging place; you can use one of your servers for that. I recommend some reading about configuration possibilities (like protocols available); this seems like a good compendium of knowledge:

https://www.loggly.com/ultimate-guide/managing-linux-logs/

tomasz
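The remote syslog setup the answer recommends, as an added example that is not part of the original answer: CentOS 6 ships rsyslog 5 with the legacy directive syntax, so the fragments below use that syntax. The host name `logserver.example.com`, the port 514 and the queue file name `fwd_remote` are assumptions for illustration. The point for the question above is that once login-related events (the `authpriv` facility, which CentOS writes to `/var/log/secure`) leave the box as they happen, an attacker with root on the box can no longer edit them away, which is exactly the evidence the question could not find locally.

```conf
# --- On the server being monitored: /etc/rsyslog.d/remote.conf (rsyslog 5, CentOS 6) ---
# Disk-assisted queue so messages are buffered, not dropped, while the log host is unreachable.
$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwd_remote        # assumed queue file name, lives under $WorkDirectory
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1             # keep retrying forever instead of discarding

# Forward everything over TCP ("@@"); a single "@" would send over UDP, which can lose messages.
# Sending only login events instead would be:  authpriv.* @@logserver.example.com:514
*.* @@logserver.example.com:514        # logserver.example.com is an assumed host name

# --- On the log host: /etc/rsyslog.d/receive.conf ---
# Accept TCP syslog from the monitored servers and keep each host's messages apart.
$ModLoad imtcp
$InputTCPServerRun 514
$template PerHost,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?PerHost
```

After dropping the files in place, restart rsyslog on both hosts (`service rsyslog restart` on CentOS 6) and confirm that a `logger -p authpriv.notice "remote logging test"` on the monitored server shows up under `/var/log/remote/<host>/` on the log host. Port 514/tcp must be reachable between the two machines, and the log host should be a machine the monitored server cannot administer, otherwise the copy is no more trustworthy than the original. Because the forwarding line carries `*.*`, every local facility is copied, so budget disk on the log host accordingly.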