CentOS access denied ???

milauria

Joined
Mar 27, 2010
Messages
27
Likes
0
Points
0
#1
I have Elastix 1.6 installed and working fine, however since today I can't access to CentOS command line via putty/ssh.

I type root + password and get this "access denied" error, the password has not been changed by me for sure
Elastix is ok I can get in/out with no issues at all but CentOS ... no!

It already happened once with no apparent reason but I had to reinstall anyway and I thought it was me doing something wrong, but today it just happened again and it is quite annoying.

anything I can do? any guidance on how to login again ? thanks a lot !
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#2
Can you access the box from the "console" (the "physical machine" ) , if you can't you have likely been compromised, if you can then "it's save-able" if you can't, then consider the box screwed and go back to your "oh-shit backup" scenario, if you don't have one then you have only yourself to blame :)

p.s.

do NOT allow root access in ssh and change the port it's running on, use very strong passwords. install fail2ban and rkhunter or their like and visit the security forum. And anybody who disagrees with or has not implemented these basic changes, should examine their /var/log/secure* files, I guarantee they will be effing "gob-smacked" !!

dicko
 

milauria

Joined
Mar 27, 2010
Messages
27
Likes
0
Points
0
#3
No success even via console and I had to reinstall from scratch... lesson learnt and set a more secure password.

Following you advise I have now created a new user with "useradd" command but now I log in with this and cant run "Asterisk -r" as it does not seems to find the executable anymore, am I amissing some steps to configure a secondary user to access via ssh ? Thanks
 

tucomp

Joined
Mar 31, 2010
Messages
2
Likes
0
Points
0
#4
Dicko,
I am in the same boat. Would a power outage may have caused the root pw to change? i am in a tight spot. all pw's have changed. pbxlogin, web, etc. boots to console, can ping, phones are green, but 'no worky'! i have a backup of the config only and am a total newbie. please help! i tried your append single fix, but i need further instructions, since after i 'append' (as in add that to the end of the kernel line/), i get no prompts.
Any assistance would be greatly appreciated!
Salud,
Rafa in OC, CA
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#5
No a power outage can't do that, if you had a "dictionary" root password ( a word ) then also consider the machine compromised.

Sorry but I suggest you rebuild your machine from scratch and restore the config.

dicko
 

Kalama Sutra

Joined
Apr 15, 2009
Messages
95
Likes
0
Points
0
#6
So I'd best not use a Klingon dictionary, either .... :woohoo:

Unless of course, I've a Klingon keyboard input device.

I just couldn't help myself, Dicko.


For the rest of you fellows ... I Do Feel Your PAIN ... :blush:
 

tucomp

Joined
Mar 31, 2010
Messages
2
Likes
0
Points
0
#7
thanks for responding... lesson learned.
 

milauria

Joined
Mar 27, 2010
Messages
27
Likes
0
Points
0
#8
I have added a new non-root user for safety reason, I log in but then I can't run Asterisk CLI .... system says command not recognized http://www.elastix.org/components/com_f ... s/ermm.png

Should I take any action to configure a CentOs user to manage asterisk CLI and avoid using root user with ssh sessions ? Thanks
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#9
The trick is to edit /etc/ssh/sshd.config to change the line

Port NNNN (from 22 to something else (above 1024, but that's another story) because the drive-by's on 22 are just effing annoying)

change the line to:

PermitRootLogin no


service sshd restart

to make it take effect.

You then login to ssh with your non-privileged account, and then you can "Switch user" to root

su -

it will ask for your root password and "bingo" (non privileged accounts for obvious reasons don't have access to asterisk)

you can also do the sudoers thing but that's another story :)

dicko


p.s.
do this from the local console to start off with, because if you screw it up, you will have to get in your car and go fix it. :) :)
It's also preferable to use "keys" and disable password authentification , but that's also "another story"
 

rafael

Joined
May 14, 2007
Messages
1,454
Likes
1
Points
0
#10
SSH public/private key authentication would make your installation much more secure than password. This link may help you:
http://sial.org/howto/openssh/publickey-auth/

Changing the port would help, but it does not mean you are secure. Remember security by obscurity is not security. It would stop the lazy ckrackers, but no the danger ones.

Not permiting root login would really help a lot.

And backup, always backup ;).

Regards,

rafael
 

Members online

No members online now.

Latest posts

Forum statistics

Threads
30,901
Messages
130,885
Members
17,562
Latest member
colak
Top