Detect login/access on your OpenVZ from node?
komokomo Member
edited September 2011 in General

I know that every OpenVZ container has backdoor root access directly from the node. I have never seen how this works. Is it like a login from a serial console? Is it possible to detect this?

thanks

Thanked by 1rewo
Comments

  • no, and yes :)

    the commands are executed as root, so if you look in your ~/.bash_history file you should be able to see commands that you did not run.

    You will not however see any type of connection as there is no ssh connection made to your vps.

  • While the console is connected, you will see a pseudo terminal consumed by vzctl. If you 'ps aux', you'll see it connected.

  • Well, this is certainly an interesting dilemma. Other than vzctl in ps aux I don't see any other evidence of being logged in directly from the host node via PowerConsole. Nothing in /var/log/auth.log, no output from w or last, nothing.

  • rajprakash said: While the console is connected, you will see a pseudo terminal consumed by vzctl. If you 'ps aux', you'll see it connected.

    +1

    madbuda said: the commands are executed as root, so if you look in your ~/.bash_history file you should be able to see commands that you did not run.

    That's true? I haven't checked that.

  • madbuda said: the commands are executed as root, so if you look in your ~/.bash_history file you should be able to see commands that you did not run.

    I don't know about you, but if I were to access a server illegitimately, I'd delete .bash_history (at least the commands that I ran) before I log out, as well as any evidence from the system logs... not that I've ever done that sort of thing before.

  • I think I might install openvz over the weekend to test this ;-)

  • Aren't logins recorded somewhere? Granted they can be deleted as noted up above but still.....

  • Yes, in Debian simply type lastlog in the shell. You can delete this as root by simply deleting /var/log/lastlog.

    Thanked by 1drmike
  • That just shows the last login though. That's you for your current login.

    Wow, look at all those accounts.

    Games? Gnats?

  • Well, that's where the last logins are stored.

    Thanked by 1coachoutletulh
  • madbuda said: the commands are executed as root, so if you look in your ~/.bash_history file you should be able to see commands that you did not run.

    I already checked my .bash_history and did not find any command executed by the node root. (I know he executed w, since he told me about everything that I run.)

    and last command only show login from my own IP :)

    Thanked by 1coachoutletulh
  • You won't find it in your own .bash_history. It is per user. And you probably won't have access to the one owned by root.

  • tommy said: I already checked my .bash_history and did not find any command executed by the node root. (I know he executed w, since he told me about everything that I run.)

    and last command only show login from my own IP :)

    I suppose that. vzctl isn't a conventional login :S

  • drmike said: Aren't logins recorded somewhere? Granted they can be deleted as noted up above but still.....

    A login through PowerConsole doesn't show up anywhere, because it's not actually a login. It doesn't even update lastlog, which I confirmed by logging in as a regular user, checking lastlog, then logging in via PowerConsole, and checking lastlog again.

    As far as I'm concerned, this is a security risk, as it prevents proper auditing of logins. It should, at the very least, log PowerConsole logins via the syslog daemon. Does anyone know how one could go about disabling PowerConsole logins?

  • Hmmm, just wondering, maybe someone can try.

    What about, creating a second root user, and deleting the original.

  • You can't delete the root account - it's always uid 0. You could probably rename the root user, but that wouldn't help anything anyways. Usernames are like the points in Whose Line Is It Anyway.... they don't matter - the uid is what matters. Usernames are only there for the convenience of the users.

  • madbuda Member
    edited September 2011

    My comment above is when an admin executes 'vzctl enter' or the like to take control of a vps.

    "vzctl exec" and "vzctl enter" commands use HISTFILE=/dev/null in their environment; to get around this you can put HISTFILE=~/.bash_history in your ~/.bashrc file.

    This will prevent an admin snooping around undetected.

    This is from my testing, may not work on all versions / flavors

    Thanked by 1rewo
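A concrete version of the two checks this thread describes, as an added example rather than code from any poster: a ~/.bashrc fragment that points HISTFILE back at a real file for shells started with HISTFILE=/dev/null, and a look at live pseudo-terminals. The pty check goes a step beyond the 'ps aux' suggestion above: because the thread reports that vzctl sessions never show up in w or last, it lists every pty that has a process attached but no utmp entry in the output of who. The function names, the rc path and the sample ps/who lines are my own assumptions and constructed data.

```bash
#!/bin/bash
# Added example (not from the thread). Assumes bash inside the container and
# a procps-style ps. Paths and function names are illustrative.

# 1) Append a history-forcing fragment to an rc file (default: ~/.bashrc).
#    Shells started by 'vzctl enter'/'vzctl exec' arrive with
#    HISTFILE=/dev/null; this fragment overrides that after .bashrc runs.
write_history_fragment() {
    local rc="${1:-$HOME/.bashrc}"
    cat >> "$rc" <<'EOF'
# --- forced history (added example) ---
export HISTFILE="$HOME/.bash_history"
export HISTSIZE=10000
export HISTFILESIZE=20000
export HISTTIMEFORMAT='%F %T '   # write a timestamp with every entry
shopt -s histappend                # append on exit instead of overwriting
# flush after each command so a session that is killed still leaves a trace
PROMPT_COMMAND="history -a${PROMPT_COMMAND:+;$PROMPT_COMMAND}"
# --- end forced history ---
EOF
}

# 2) Print ptys that have a process attached (ps) but no utmp entry (who).
#    Arguments: a file with "TTY COMMAND" lines as produced by
#    'ps -eo tty=,comm=' and a file with the output of 'who'.
#    FILENAME==ARGV[1] is used instead of NR==FNR so an empty who file
#    (nobody registered at all) is still handled correctly.
unregistered_ptys() {
    local ps_file="$1" who_file="$2"
    awk 'FILENAME == ARGV[1] { if ($2 ~ /^pts\//) seen[$2] = 1; next }
         $1 ~ /^pts\// && !($1 in seen) { print $1 }' \
        "$who_file" "$ps_file" | sort -u
}

# Run the pty check against the live system.
live_check() {
    local d
    d=$(mktemp -d)
    ps -eo tty=,comm= > "$d/ps"
    who > "$d/who" 2>/dev/null || : > "$d/who"
    unregistered_ptys "$d/ps" "$d/who"
    rm -rf "$d"
}

# Run the pty check against constructed sample data and print the result.
# Sample (constructed): pts/0 is a normal ssh login present in who,
# pts/1 is a shell with no utmp entry, like a vzctl enter session.
demo_on_sample() {
    local d
    d=$(mktemp -d)
    printf 'pts/0 bash\npts/1 bash\n? init\ntty1 getty\n' > "$d/ps"
    printf 'alice    pts/0        2011-09-01 10:00 (203.0.113.5)\n' > "$d/who"
    unregistered_ptys "$d/ps" "$d/who"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo_on_sample        # prints: pts/1
fi
```

Source the file and call write_history_fragment once, then run live_check from cron or a prompt hook; `bash hist-check.sh demo` runs it on the constructed sample. Treat the output as a lead rather than a verdict: terminal multiplexers that do not write utmp, or shells started under cron or a service manager, can also hold a pty without an entry in who.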
  • Even better would be to set a custom history for node logins :P

  • madbuda said: to get around this you can put HISTFILE=~/.bash_history in your ~/.bashrc file.

    Someone can try this? I am too lazy to find my vzctl IP's and passwords

  • That works, I tested it on my test node. BTW, if the host knew it was there, they could just remove it then log in, and then put it back.

  • I'm more concerned with the fact that there's no way to know whether someone logged in or not. Honestly, if someone's in my system, especially as root, it doesn't matter what they've done - you can no longer trust logs that are stored locally, you can't trust the binaries, and you can't trust that the data on the system is confidential.

  • yomero Member
    edited September 2011

    So, we can't trust in our hosting companies :S

    dmmcintyre3 said: BTW, if the host knew it was there, they could just remove it then log in, and then put it back.

    Yeah, surely there is no way to avoid it if they have the real machine.

  • I would hope that our hosting companies are ethical enough to stay out of customer's VPSes, and I trust that most of them are, but I'd still like to be able to verify it. Trust, but verify.

  • That's what you use integrity checks of your files on the system for. Tripwire FTW!

  • I don't think tripwire can determine if files have been read. And it certainly can't determine if files have been read by someone who shouldn't be reading them, especially if they're using the root account and you also use the root account regularly.

  • I can tell you how it is from an admin point of view - usually the admin is quite busy with real work and does not have the time or energy required to mess with your files.
    But if you open a ticket and complain that there is some problem with your VPS it would be normal for the admin to enter it and try to debug the problem.

    Thanked by 1wych
  • japon Member
    edited September 2011

    I don't think tripwire can determine if files have been read.

    We were talking about changing or deleting the lastlog file. But yes, Tripwire can check if a file has been read.

    Thanked by 1Droidzone
  • rewo Member
    edited September 2011

    Interesting question. Thanks for it.

    pam_exec should be able to detect every login in combination with common-session. pam_exec could call a script (shell/perl) which sends you an email when someone is logged in.

  • @rds100

    Yeah, that's definitely acceptable. My main concern, really, is with the lack of logging when this occurs. I don't think I'm alone when I say that I'd like to have logs of every instance when someone logs in as the root user on my VPS. It's important, to me at least, to be able to verify for myself that no one has been in my VPS without explicit permission, and the lack of logging for logins via vzctl just plain bugs me.

  • @rewo

    As far as I can tell, vzctl enter (which seems to be used by PowerConsole, as well as being available to the host node root user) completely bypasses your container's pam system, so pam_exec is useless here.
