centos - linux服务器被破解ROOT后如何快速更改密码？

Question

本人有台国外的linux，最近老检测到有黑客在暴力破解，已经禁止此ip了。同时设置了root登陆系统后会自动发邮件通知等等。

最坏的情况下，黑客还是通过各种手法拿到了我的root密码，如何快速响应处理这些问题并修改root密码？

---

添加情景：假设黑客破解了密码后，立即经修改了root密码

Answer 1

The root password should not exist at all...

The correct posture is that your user is in sudoer. The root user has no password and cannot log in

As for how to protect your own users, in addition to removing the password and using a certificate as mentioned, you can also consider

• Change the SSH port number. Ports like 22 are bound to be exposed to the firepower of a large number of scanners
• To be more radical, you can also limit SSH to only monitor a few IP addresses
• PAM verification module for Google Authenticator. That is to say, two-step verification. After a hacker hacks your computer, takes away your certificate, and obtains your certificate password, you will still be unable to log in for a short period of time.

I am not familiar with security, I hope someone who is more familiar with Linux security can answer:)

Answer 2

If you suspect that the root permissions of your server have been illegally obtained by others, there are two situations:

• The server root password has been changed, and all public key/sudo users cannot log in.
  
  
  • VPS: Use your service provider’s dashboard to reset your password
  • Hosted machine: Contact your hosting computer room, use ilo or directly SA to operate in person to reset the root password
• Recovering root permissions or leaking root permissions, but you can still log in
  
  
  • Please avoid all actions on this machine, especially ssh to other machines, etc.
  • Back up data to third-party machine
  • Rate the disk and reinstall the system. Don’t take any chances. Change the password and continue using it. It’s very likely that you already have a backdoor on your machine
  • If you have logged into other machines through this machine during the suspicion period, it will still be very troublesome for the above content to also apply to other machines. So taking precautions in advance is the most important. Password login is prohibited, use the public key to log in, the private key must have a password, etc. .

Answer 3

If you just face this question directly, the answer is that there is no way. Root is the God of Linux... restraining the power of God is only possible unless the upper layer has chroot or a virtual machine package. Root that is already running directly on the server cannot do it.

So it is correct to use the method of considering the XY problem and replace the remedy with prevention. @mcfog's answer is very good.

Answer 4

It will be difficult if someone changes your password.

You can prevent it

关闭密码登录，使用ssh证书登录