- 08-29-2007 #1 (Just Joined!, Join Date: Aug 2007, Posts: 1)
Help...A ghost is editing sshd_config!
I am perplexed...we have many machines, some are not available to the outside world (our test environment) and others on the production network. Lately, we have been noticing that the sshd_config file is being changed, and we are not sure how this could happen...there is no rhyme or reason to when this happens.
For example, PermitRootLogin is changed from yes to no (among other things)...could something in yum be doing this? I know for a fact that I am the ONLY person who can access this file...is there a log file that would track when this file is changed?
Thanks All!
- 08-29-2007 #2
What other things? Do you have a backup of the original sshd_config? I'd be curious to see a diff between the 'good' version and the modified version. (Interestingly, the ghost appears to be doing you a favor by hardening your sshd daemon a bit.)
Originally Posted by conjurer60
There's not a lot to go on here. You could make the file system immutable to (attempt to) prevent future changes. You could set up SELinux policies to audit or prevent changes to sshd_config (fairly complex and way beyond the scope of this thread). Process accounting might (?) help with this.
Anyway, if you have that diff please post it.
- 08-30-2007 #3
Do you have SELinux enabled? I thought I remembered hearing that SELinux would toggle a RootLogin option off in ssh if it was enabled, but I'm not 100% sure about that.


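The diff between the 'good' and the modified sshd_config that reply #2 asks for, as an added example that is not part of the thread: it compares effective settings rather than raw lines, so comment edits and reordering do not hide or fake a change. The names `effective_settings`, `config_drift` and `REPEATABLE`, and both sample files, are constructed for illustration.

```python
# Added example (not from the thread): directive-level diff of two sshd_config
# versions. The sample file contents below are constructed for illustration.

# Keywords sshd accepts more than once; this list is not exhaustive (assumption).
REPEATABLE = {"port", "listenaddress", "hostkey", "acceptenv"}

def effective_settings(text):
    """Map (section, keyword) -> value(s), ignoring comments and blank lines.

    Keywords are case-insensitive. For non-repeatable keywords the first value
    seen is kept, following the sshd_config(5) rule that the first obtained
    value is used. Lines after a Match line are tracked as their own section.
    """
    settings, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            section = "match " + value
            continue
        key = (section, keyword)
        if keyword in REPEATABLE:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)
    return settings

def config_drift(good, modified):
    """Return sorted (section, keyword, old, new) tuples for every changed setting."""
    old, new = effective_settings(good), effective_settings(modified)
    return [(s, k, old.get((s, k)), new.get((s, k)))
            for s, k in sorted(old.keys() | new.keys())
            if old.get((s, k)) != new.get((s, k))]

# Constructed sample: known-good copy.
GOOD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
# Constructed sample: copy found after the unexplained change. The later
# "PermitRootLogin yes" line is shadowed by the earlier lowercase one.
MODIFIED = ("Port 22\npermitrootlogin no\n"
            "#PasswordAuthentication yes\nPermitRootLogin yes\n")

if __name__ == "__main__":
    for section, keyword, before, after in config_drift(GOOD, MODIFIED):
        print(f"[{section}] {keyword}: {before!r} -> {after!r}")
```

A value of `None` on either side means the directive is absent there and sshd falls back to its built-in default.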