  1. #1
    Mistoffeles (Just Joined!) | Join Date: Jul 2006 | Location: Northern BC, Canada | Posts: 54

    uh-uh - broke my server

    I was going through a hardening procedure from the Center for Internet Security:

    https://community.cisecurity.org/download/

    The one for RHEL5, v.1.1.2 (benchmark version).

    It contains this script:

    Code:
    ls -la /etc/pam.d/* > $tmpcis/CIS_8.1.Before.tmp
    cd /etc/pam.d
    for FILE in `find . -type f -exec grep -l rhosts_auth {} \;`; do
      echo "Removing .rhosts support in ${FILE}."
      grep -v rhosts_auth $FILE > $tmpcis/${FILE}.tmp
      /bin/cp -f $tmpcis/${FILE}.tmp $FILE
      chown root:root $FILE
      chmod 0644 $FILE
    done
    ls -la /etc/pam.d/* > $tmpcis/CIS_8.1.After.tmp
    echo "The following entries changed under '/etc/pam.d'"
    echo "diff $tmpcis/CIS_8.1.Before.tmp $tmpcis/CIS_8.1.After.tmp"
    diff $tmpcis/CIS_8.1.Before.tmp $tmpcis/CIS_8.1.After.tmp
    chmod -R 0400 $tmpcis/*
    cd $cishome
    which is for removing rhosts support from PAM (*shrug?*), which upon running gave me so many '/proc' filesystem write errors that it scrolled right out of the PuTTY buffer. It also disabled the ability to run *ANY* command from the session and now I can't log into any account on the server.

    There isn't even a reference to '/proc' in the script, and none of the links in the directory used in the script point to anything in the '/proc' filesystem.

    I don't know if this has just disabled the ability to log in remotely, or totally bolluxed my proc filesystem and made the server completely unusable (i.e.: time for a reformat).

  2. #2
    Mistoffeles (Just Joined!) | Join Date: Jul 2006 | Location: Northern BC, Canada | Posts: 54
    No suggestions?

  3. #3
    drl (Linux Engineer) | Join Date: Apr 2006 | Location: Saint Paul, MN, USA / CentOS, Debian, Solaris, SuSE | Posts: 1,117
    Hi.

    If variable tmpcis was not defined, then the command
    Code:
    chmod -R 0400 $tmpcis/*
    would have been effectively:
    Code:
    chmod -R 0400 /*
    making all files read-only for the owner.

    I have no idea if this would produce the symptoms you see. I usually place
    Code:
    set -o nounset
    in my [bash] scripts to prevent problems like this.

    Strictly from a cursory look at your script and strictly a guess.

    Perhaps booting into single-user might provide more information.

    If it's any consolation, I once ran a script on a remote server that disabled networking, so I had to drive 2 cities away to reset the box. I was very careful afterwards ... cheers, drl
    Welcome - get the most out of the forum by reading forum basics and guidelines: click here.
    90% of questions can be answered by using man pages, Quick Search, Advanced Search, Google search, Wikipedia.
    We look forward to helping you with the challenge of the other 10%.
    ( Mn, 2.6.n, AMD-64 3000+, ASUS A8V Deluxe, 1 GB, SATA + IDE, Matrox G400 AGP )
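The failure mode drl describes, as an added example that is not part of the thread or of the CIS benchmark: when the temp-directory variable is unset, the pattern "$tmpcis/*" collapses to "/*", and a recursive chmod then walks every top-level directory, /proc included. The function names (expand_target, check_tmpdir, safe_chmod_tmp, the two demo_ helpers) and the scratch-directory scenarios are constructed for this example; it assumes a POSIX sh with mktemp and either GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not from the thread or the CIS benchmark.
# Shows why an unset tmpcis turns "$tmpcis/*" into "/*", and how a guard plus
# "set -o nounset" stops the chmod before it can run against the whole filesystem.

# Reproduce the expansion drl describes: with an empty/unset value the
# pattern "$tmpcis/*" degrades to "/*" (returned as a literal string here,
# no globbing is performed).
expand_target() {
  printf '%s/*\n' "$1"
}

# Guard used before any destructive command: the directory must be set,
# must not be the root, and must be an existing writable directory.
check_tmpdir() {
  dir="$1"
  if [ -z "$dir" ]; then
    echo "tmpcis is unset or empty; refusing to continue" >&2
    return 1
  fi
  if [ "$dir" = "/" ]; then
    echo "tmpcis must not be the root directory" >&2
    return 1
  fi
  if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
    echo "tmpcis ($dir) is not a writable directory" >&2
    return 1
  fi
  return 0
}

# Hardened counterpart of the script's "chmod -R 0400 $tmpcis/*" line.
# It runs in a subshell with nounset, so an unset tmpcis aborts at the
# expansion itself; the guard then rejects empty, root or missing directories.
safe_chmod_tmp() {
  (
    set -o nounset
    check_tmpdir "${tmpcis}" || exit 1
    chmod -R 0400 "${tmpcis}"/*
  )
}

# Scenario 1 (constructed): tmpcis is unset, as suspected in the thread.
# Returns 0 only if the hardened command refused to run.
demo_unset_tmpcis() {
  unset tmpcis
  if safe_chmod_tmp 2>/dev/null; then
    return 1
  fi
  return 0
}

# Scenario 2 (constructed): tmpcis points at a scratch directory holding one
# file named like the benchmark's snapshot; the file should end up mode 0400.
demo_set_tmpcis() {
  tmpcis=$(mktemp -d) || return 1
  : > "$tmpcis/CIS_8.1.Before.tmp"
  if ! safe_chmod_tmp; then
    rm -rf "$tmpcis"
    return 1
  fi
  # GNU stat first, BSD stat as fallback
  mode=$(stat -c '%a' "$tmpcis/CIS_8.1.Before.tmp" 2>/dev/null \
         || stat -f '%Lp' "$tmpcis/CIS_8.1.Before.tmp")
  rm -rf "$tmpcis"
  [ "$mode" = "400" ]
}
```

The subshell keeps nounset scoped to the one dangerous command, so the rest of a larger script is unaffected; in a script of your own, drl's approach of putting "set -o nounset" at the top is simpler and catches every unset variable, not just this one.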

  4. #4
    Mistoffeles (Just Joined!) | Join Date: Jul 2006 | Location: Northern BC, Canada | Posts: 54
    ouch.

    Getting to this server is only a half-day trip, including the drive both ways and a couple hours' work as needed. If I push it, and bring a ready replacement, I could technically swap it out in 3 hours including checks to make sure everything is working. (It's not production yet, I have just been building a personal hardening procedure as I go along, trying various things).
