[CentOS] server is always getting hacked

Thu Jul 2 03:29:45 UTC 2009
Michael A. Peters <mpeters at mac.com>

Robert Heller wrote:
> At Wed, 01 Jul 2009 16:08:08 -0600 CentOS mailing list <centos at centos.org> wrote:
> 
>> On Wed, 01 Jul 2009 15:05:58 -0700
>> Gary Greene wrote:
>>
>>> . With sudo,
>>> you get a record of what command was executed with superuser rights by whom
>>> at whenever given hour.
>> sudo bash
> 
> Which in turn is logged.  Such a log entry might raise a red flag.
> 
> 

Speaking of logged - I don't do this but Dad set up his systems 
(solaris) to immediately boot the user and send an alert to the operator 
if the root user issued the id command and had not become root from a 
member of the wheel group.

He was a university admin, they had to have telnet open because of grad 
students doing research in countries that did not allow secure 
connections. Most of the time, that single action got the hacker off 
before any damage was done. Those were primarily Solaris systems he 
dealt with.

They also had a log server that everything was logged to (off the 
network, fed I think by serial cable if I recall but it may have been 
cat 5 - sun had funny looking serial ports that took a cat 5 jacks to 
me), as local logs are easily modified once you have a root shell.

But I don't personally deal with any systems that big and complex.