[CentOS] Unknown rootkit causes compromised servers

Tue Jan 29 13:25:50 UTC 2008
Johnny Hughes <johnny at centos.org>

Jim Perrin wrote:
> On Jan 29, 2008 5:52 AM, mouss <mouss at netoyen.net> wrote:
>> Jim Perrin wrote:
>>> Along the lines of staying safe, now is probably a good time to check
>>> your password policies.
>>>
>>> 1. Don't allow root access to ssh. (modify /etc/ssh/sshd_config)
>>>
>> why isn't this the default?
>>
> 
> Taking an educated guess on this one, I'd say to allow configuration
> after a remote install.
> 
>>> 2. restrict root logins to only the local machine. (modify /etc/securetty)
>>> 3. Limit users with access to 'su' to the wheel group (use visudo and
>>> also modify /etc/pam.d/su)
>>>
>> same question here.
> 
> For this one I'd guess that it's because by default folks don't get
> added to wheel. So if an admin forgets to add his own user account, he
> can no longer gain root with 'su'.  He has to walk his happy ass to
> the console to log in. Everything about the *nix culture points to not
> walking anywhere except possibly to a pub :-P

Well ... not to say anything bad about beer, BUT

The real reason is that RHEL does not ship that way, so CentOS does not 
either.

The bottom line for this and all other questions like it is this:

We clone the configuration of the upstream system on purpose so that 
CentOS performs as much as possible like the upstream product ... 
if/when they change the defaults, so will we.

Thanks,
Johnny Hughes
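An audit helper for the three hardening items quoted above, added here as an example (not code from the thread, from CentOS or from Red Hat). It is POSIX sh, takes the config file paths as arguments, builds constructed sample files for its demo, and assumes the RHEL-style /etc/pam.d/su in which the pam_wheel.so line ships commented out.

```shell
#!/bin/sh
# Added example: audits the three settings from the thread (sshd root login,
# securetty, pam.d/su wheel restriction) and exercises them on sample files.

# 1. sshd_config: an uncommented "PermitRootLogin no" must be present.
check_sshd_root_login() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}

# 2. securetty: root may log in only on local ttys, so no pts/* entries.
check_securetty_local_only() {
    ! grep -Eq '^[[:space:]]*pts/' "$1"
}

# 3. pam.d/su: pam_wheel.so "required" line uncommented (RHEL-style file assumed).
check_su_wheel_only() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Runs all three checks; prints one line per item and returns 1 on any failure.
audit_host() {
    rc=0
    check_sshd_root_login "$1" && echo "PASS: ssh root login disabled" \
        || { echo "FAIL: PermitRootLogin is not 'no' in $1"; rc=1; }
    check_securetty_local_only "$2" && echo "PASS: securetty local only" \
        || { echo "FAIL: pts/ entries in $2 allow remote root logins"; rc=1; }
    check_su_wheel_only "$3" && echo "PASS: su restricted to wheel" \
        || { echo "FAIL: pam_wheel.so not required in $3"; rc=1; }
    return $rc
}

# Constructed sample files (a weak and a hardened variant of each);
# prints the temporary directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    printf 'Port 22\n#PermitRootLogin yes\n' > "$dir/sshd_config.weak"
    printf 'Port 22\nPermitRootLogin no\n' > "$dir/sshd_config.good"
    printf 'console\ntty1\npts/0\n' > "$dir/securetty.weak"
    printf 'console\ntty1\ntty2\n' > "$dir/securetty.good"
    printf '#auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$dir/su.weak"
    printf 'auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$dir/su.good"
    echo "$dir"
}

# Demo on the samples; on a real host pass /etc/ssh/sshd_config /etc/securetty /etc/pam.d/su.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    audit_host "$d/sshd_config.weak" "$d/securetty.weak" "$d/su.weak" || true
    rm -rf "$d"
fi
```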
