
Mailing List Archive
Re: [tlug] CentOS using default/blank? password postgres
Christian Horn wrote:
> On Thu, Aug 21, 2008 at 03:24:20PM +0900, Hung Nguyen Vu wrote:
>> My friend's CentOS 5.2 got hit by a scan and the bad guy was in.
>>
>> postgres pts/1 Wed Aug 20 08:45 - 08:54 (00:08)
>> host20-31-dynamic.52-82-r.retail.telecomitalia.it
>> postgres pts/1 Wed Aug 20 08:17 - 08:40 (00:23) 121.14.139.26
>>
>> I am not sure if CentOS mentions this issue at any point but at least,
>> during the installation of postgres,
>> he was not informed that he had to change the password of user postgres.
>
> At least the upstream from redhat has no linux-password set for user
> postgres by default:
>
> # grep postgre /etc/shadow
> postgres:!!:14098::::::
> # cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 5.2 (Tikanga)

But this is not an empty password, it is an invalid password entry. From
man 5 shadow (on RHEL 5.2):

    If the password field contains some string that is not valid result of
    crypt(3), for instance ! or *, the user will not be able to use a unix
    password to log in, subject to pam(7).

Not really sure what hit Hung's friend, but I think I would have checked
the logs for other anomalies. A good start should be to run something like

    zgrep Accepted /var/log/auth.log* |grep postgres

to see how and where the logins have been done. And maybe have a look in
postgres' homedir to make sure no one has left an ssh key there.

-sig
--
Sigurd Urdahl
Linux, goofing, cooking, making fire, computer security, having a
beer. Give me good music.
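
The three checks discussed in this message (the shadow password field, accepted logins, and keys in the account's home directory) collected into one triage script. This is an added example, not part of the original post; the function names and all sample data are constructed. On RHEL/CentOS, sshd logs to /var/log/secure by default, so point it at that file and its rotated copies there.

```shell
#!/bin/sh
# Added example: triage for a suspected login through a service account.

# Print empty | locked | set | absent for USER's password field in a shadow file.
shadow_status() {   # shadow_status USER [FILE]
    awk -F: -v u="$1" '
        $1 != u      { next }
                     { found = 1 }
        $2 == ""     { print "empty";  exit }   # no password needed at all
        $2 ~ /^[!*]/ { print "locked"; exit }   # not a crypt(3) result
                     { print "set";    exit }
        END          { if (!found) print "absent" }
    ' "${2:-/etc/shadow}"
}

# Print "METHOD SOURCE" for each successful sshd login by USER (plain or .gz logs).
accepted_logins() { # accepted_logins USER FILE...
    user=$1; shift
    for f in "$@"; do
        case "$f" in *.gz) gzip -dc -- "$f" ;; *) cat -- "$f" ;; esac
    done | awk -v u="$user" '{
        for (i = 1; i + 5 <= NF; i++)
            if ($i == "Accepted" && $(i+2) == "for" && $(i+3) == u && $(i+4) == "from")
                print $(i+1), $(i+5)
    }'
}

# Count key entries (non-blank, non-comment lines) under HOMEDIR/.ssh.
key_count() {       # key_count HOMEDIR
    cat "$1/.ssh/authorized_keys" "$1/.ssh/authorized_keys2" 2>/dev/null |
        grep -vc -e '^[[:space:]]*#' -e '^[[:space:]]*$' || true
}

# Constructed sample data; addresses are from the documentation ranges.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '%s\n' 'postgres:!!:14098::::::' 'demo::14098::::::' > "$d/shadow"
printf '%s\n' \
  'Aug 20 08:17:02 db1 sshd[2101]: Accepted password for alice from 192.0.2.10 port 4711 ssh2' \
  'Aug 20 08:20:44 db1 sshd[2188]: Failed password for postgres from 192.0.2.99 port 4712 ssh2' \
  'Aug 20 08:45:09 db1 sshd[2304]: Accepted publickey for postgres from 198.51.100.7 port 4713 ssh2' > "$d/secure"
mkdir -p "$d/home/.ssh"
printf '%s\n' '# constructed' 'ssh-rsa AAAAconstructed planted@example' > "$d/home/.ssh/authorized_keys"

echo "password field: $(shadow_status postgres "$d/shadow")"
echo "accepted logins: $(accepted_logins postgres "$d/secure")"
echo "authorized keys: $(key_count "$d/home")"
```
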