Security problem--question about root rights and postfix

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.2
Virtualmin version: 7.7 Pro

I am having a problem with unauthorized users using my system as an email relay. One IP address in particular is constantly trying to access my smtp interface. I have added the files Sender_access and Client_access to block this person, it looks like successfully, but it is annoying to have this person try to connect to my server every second. It also makes my logs very large and hard to examine.

However, it looks like occasionally a hacker has gotten in. They then created thousands of emails, which is damaging my IP reputation and of course generating tons of spam. I have been monitoring this situation as I have added more rules to Postfix and usually can erase the queue before too many messages are sent. I have noticed that the few times this has happened, it looks like someone is logging in using root.

I therefore looked at the user root. From the Webmin site it looks okay.

But from the system users and groups I see this


This does not seem correct, and I am tempted to change this to no login allowed. Would this be okay, or do I need to secure the account with a password? I never use the root user to log in to either the console or Virtualmin, as my user account works, so it seems to me that I should disable this. I just want to make sure this is safe.

On another note, if there is a way to prevent the user at that IP address from attacking my server every second, that would be nice. If I could just block this IP address from even reaching my SMTP interface. Hopefully changing the root user will close this security loophole. Perhaps I am approaching this incorrectly.
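The original poster's two complaints (one client hammering the SMTP listener every second, and logs too large to examine) are a log-triage problem before they are a firewall problem. The following script is an added example, not code from the thread or from Virtualmin: it reads constructed Postfix `smtpd` log lines, counts connections, SASL authentication failures and "Relay access denied" rejections per client IP, and lists the clients worth blocking at the firewall so they never reach Postfix at all. The sample lines, IPs and thresholds are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd log format; not taken from the poster's server.
SAMPLE_LOG = """\
Jun 12 10:00:01 mail postfix/smtpd[2201]: connect from unknown[203.0.113.5]
Jun 12 10:00:01 mail postfix/smtpd[2201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun 12 10:00:02 mail postfix/smtpd[2201]: disconnect from unknown[203.0.113.5]
Jun 12 10:00:02 mail postfix/smtpd[2202]: connect from unknown[203.0.113.5]
Jun 12 10:00:02 mail postfix/smtpd[2202]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<x@example.org> to=<victim@example.net> proto=ESMTP helo=<x>
Jun 12 10:00:03 mail postfix/smtpd[2202]: disconnect from unknown[203.0.113.5]
Jun 12 10:00:03 mail postfix/smtpd[2203]: connect from unknown[203.0.113.5]
Jun 12 10:00:04 mail postfix/smtpd[2203]: disconnect from unknown[203.0.113.5]
Jun 12 10:05:00 mail postfix/smtpd[2204]: connect from mx.example.com[198.51.100.7]
Jun 12 10:05:01 mail postfix/smtpd[2204]: disconnect from mx.example.com[198.51.100.7]
"""

# "disconnect from" also contains "connect from", so anchor on the "]: " that precedes the verb.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from [^\s\[]+\[([\d.]+)\]")
AUTHFAIL_RE = re.compile(r"postfix/smtpd\[\d+\]: warning: [^\s\[]+\[([\d.]+)\]: SASL \w+ authentication failed")
RELAY_RE = re.compile(r"reject: RCPT from [^\s\[]+\[([\d.]+)\]: 554 .*Relay access denied")


def summarize_smtpd(log_text):
    """Per-client counts of connections, SASL auth failures and relay rejections."""
    stats = defaultdict(lambda: {"connects": 0, "auth_failures": 0, "relay_denied": 0})
    for line in log_text.splitlines():
        for key, rx in (("connects", CONNECT_RE), ("auth_failures", AUTHFAIL_RE), ("relay_denied", RELAY_RE)):
            m = rx.search(line)
            if m:
                stats[m.group(1)][key] += 1
    return dict(stats)


def suspicious_clients(stats, min_connects=3):
    """Clients that hammer the listener or probe it for credentials or an open relay;
    these are the candidates for a firewall drop rule in front of Postfix."""
    return sorted(ip for ip, s in stats.items()
                  if s["connects"] >= min_connects or s["auth_failures"] or s["relay_denied"])


if __name__ == "__main__":
    stats = summarize_smtpd(SAMPLE_LOG)
    for ip in suspicious_clients(stats):
        print(ip, stats[ip])
```

On an Ubuntu host the same function can be fed the contents of `/var/log/mail.log`; a legitimate remote MX like the second client above connects once and leaves, which is the pattern that should not be blocked.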

If true that sounds pretty fatal - anyone with root access can do just about anything.


As Stegan mentioned, if someone has root access on your server, you’re already lost. Email is the absolute least of your problems. A rooted system can never be trusted again.

Setting root user to no login is not the right way to prevent root logins; you’d want to configure ssh to disallow direct root logins. But, every user should absolutely require a password to login!

I can’t think of any reason No password required would be enabled for the root user. That’s wildly alarming. Like, I can’t even wrap my head around it. Even an attacker wouldn’t change that because it’d leave the system open to all attackers. I have no idea what to think of your situation.

You obviously should never have any users on a remotely accessible server that allow any login without a password. If you made that change, it was a huge mistake. If you didn’t make the change, then someone has rooted your system, and it can never be trusted again.

@mrivner Can you give a little history on the server? The software seems up to date. How long has it been in service? Is this a fairly fresh install?

EDIT: Since Ubuntu doesn’t force a root password during install I just set up a VM to test to make sure nothing strange was happening. Even though there is no password it is set up to Unix authentication and I couldn’t ssh or log in via Webmin so it would seem this setting was post install.

Thanks for the responses. First of all, I would NEVER create a user without a password. Definitely not root, the most important user in the system. While I am relatively new to Linux, I have experience in DOS, Windows, Novell, C, and 8085/6502 assembly language. When I saw the screen that I displayed above, I had a feeling that was wrong. I have since added a password to root.

This server was a brand-new Windows machine (W11) which I almost immediately converted to Ubuntu Linux. I did not load any Windows programs on the machine other than the ones that were preinstalled. Of course, they were all overwritten by Ubuntu. I then installed Virtualmin. It currently is not a production server, but it is on the Internet. I am basically running websites using Apache and Joomla. I have the most recent version of Joomla. While I have Postfix running on the machine, I have not opened any emails on this machine. The legitimate emails have all been from the system and Joomla. I have not opened any attachments. Nobody except me has logged in to the console or the Virtualmin website. I have no other users on this system other than an alias user for each of the websites on the system.

In addition to the above, if I tried logging in as root on both the console and Virtualmin it would be rejected. The only users that I have been able to log in with, both on the console and the Virtualmin web app, are the ones that I created. All of them have passwords. I have been looking at the Virtualmin dashboard and only see my logins. Interestingly, now that I have added a password to root I am still unable to log in as root. On the console, the root user is not displayed.

I guess to be safe, I would have to do a clean install of the entire system from scratch, which I would hate to do. I have not seen any indication that the system is behaving erratically except for the relay issue. This was also an issue (the spam relay) on a previous server, but my current machine is not a mirror of that one. The OS is fresh, as is the Virtualmin install.

Thanks.
Michael

This is simply the default way Ubuntu works. Root is created without a password. But, as you found, that makes it impossible to log in. Well, that and sometimes, especially with ssh, you must specifically give root permission to login with a password.

I was simply testing whether or not the default behavior might somehow cause a problem with Webmin. It did not. I simply posted to verify.

That only shows Virtualmin/Webmin logins. It does not show ssh, FTP, SMTP, IMAP, etc. logins. (ssh being the most dangerous).

To clarify: There is a big difference between no password set (which makes it impossible to login directly as root, and is the default on Ubuntu, you’d use any sudo-capable user to login to Webmin, and for ssh you’d login as that user and then you can use sudo to run commands as root or become root with sudo su -), and no password needed (which is wildly dangerous, and probably should never be used…I’ve asked Jamie to remove it from the UI…it’s a thing that is possible from the command line, which Webmin sets out to be able to mostly replace, but IMHO it shouldn’t be easy to do).


Given one recent poster, I just kinda wanted to verify. :wink:


The Ubuntu no root password thing does confuse a lot of people. But, if they got Virtualmin installed, they probably figured that bit out. :man_shrugging:

Okay, after reading the above responses, I am more confused than before. I never ran any console Linux command to change the root password. Also, using FileZilla, I was not able to connect using root as a user in either FTP or SSH mode. Even now, after setting a password using the Virtualmin interface, I am unable to log in using FTP or SSH. But I remember never being able to get in as root; I always had to use one of my usernames. Also, because of NAT, I am only able to use FTP with my valid users within the intranet but not from the Internet. So I am not certain about the vulnerability of my machine. But based on what I read above, I am now confused about what the correct default setting on this page should be.


Note: I have now added a password to root.

Please explain. In the meantime, my machine’s smtp interface has been attacked but has not let anyone in so far today.

Thanks.

That pre-encrypted password worries me. Add it to the normal password field and the system will encrypt it. Unless you're displaying a dummy entry.

“Pre-encrypted” password would be a hashed password (in one of the hashes supported on Linux). The password you have filled in is obviously not that. Nothing will ever hash to that value.

If you want to type in a plain text password, you type it in the “Normal password” field.
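The distinction Joe draws above (no password set, which locks direct root login and is Ubuntu's default, versus no password required, which is dangerous) and the "pre-encrypted" versus "normal" password fields both come down to what sits in the second field of the account's shadow(5) entry. The script below is an added example, not part of the thread or of Webmin: it classifies constructed shadow entries by that field and lists any account whose field is empty. The hash bodies are made up, the usernames are invented, and the mapping of Webmin's "No password required" option to an empty field is an assumption stated here rather than something the thread confirms.

```python
import re

# Constructed /etc/shadow entries for illustration; the hash bodies are made up, not real hashes.
SAMPLE_SHADOW = """\
root:*:19500:0:99999:7:::
adminuser:$y$j9T$constructedsalt$constructedhashvalue:19500:0:99999:7:::
webalias:!$6$constructedsalt$constructedhashvalue:19500:0:99999:7:::
oops::19500:0:99999:7:::
"""

# crypt(3) hash prefixes: $y$ (yescrypt, the Ubuntu 22.04 default), $6$ (sha512), $5$, $1$, ...
HASH_RE = re.compile(r"^\$[A-Za-z0-9]+\$")


def classify_password_field(field):
    """Map the second field of a shadow(5) entry to what it means for password login."""
    if field == "":
        return "NO PASSWORD REQUIRED"        # empty password accepted; assumed to be Webmin's "No password required"
    if field.startswith("!") and HASH_RE.match(field[1:]):
        return "locked (hash retained)"      # e.g. after `passwd -l`; can be unlocked without a new password
    if field.startswith(("*", "!")):
        return "no password set / locked"    # password login impossible; the state Ubuntu leaves root in
    if HASH_RE.match(field):
        return "hashed password"             # the form Webmin's "Pre-encrypted password" field expects
    return "unrecognised"                    # legacy DES or junk; worth investigating, never assume safe


def audit_shadow(text):
    """Return {user: classification} for every entry in shadow-format text."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]   # hashes never contain ':'
        result[user] = classify_password_field(field)
    return result


def accounts_without_password(text):
    """Accounts that must be fixed immediately: anyone can log in with an empty password."""
    return sorted(u for u, c in audit_shadow(text).items() if c == "NO PASSWORD REQUIRED")


if __name__ == "__main__":
    # On a live host: audit_shadow(open("/etc/shadow").read()); the file is readable only by root.
    for user, status in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {status}")
```

Typing a plain-text password into the hashed field, as the screenshot suggested, produces an "unrecognised" entry that no input will ever match, which is why the poster still could not log in as root afterwards.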

I am fine not using root and having no password work since I can do anything I want from the usual superuser password. Since people don’t know my superuser name or password, it is more secure than root which is a known superuser.

But I am still confused about the default value of password in the field I displayed above since I am reasonably certain that I never changed it until today. The date for password changed before I changed it today was the day I setup the server.
