Root access alert email

**Lyttek** · 05-24-2007 09:14 AM

I've had the server send me notification via email anytime root access to the server has occured. Since the move to CP11, I'm getting an email at 16 past midnight that root access has happened, but no IP address has been recorded, making me think it's something from a cron job... Here's an example:

ALERT-Root Shell Access on: Thu May 24 00:16:17 CDT 2007

While a normal email has:

ALERT-Root Shell Access on: Thu May 24 08:05:39 CDT 2007 root pts/0 May
24 08:05 (adsl-70-244-110-121.dsl.ksc2mo.swbell.net)

Obviously, I'd like to eliminate the first, since it makes me jump everytime i see it...

**bebop1065** · 05-24-2007 09:33 AM

Perhaps your script needs to be updated to reflect the new(?) location of the log file that recorded the ip address of the login?

Would you share that script?

**gtgeorge** · 05-24-2007 10:21 AM

We get the same email that coincides with the upcp update each early AM. We have gotten them daily since the services done by ConfigServer.

**verdon** · 05-24-2007 11:00 AM

try the forums at configserver for support for their scripts

**cpanelinfoseeker** · 05-24-2007 11:31 AM

I put a ticket in to Chirpy when this first happened as I was worried. This is normal when mailscanner is restarted. You can duplicate it by doing a manual restart in Mailscanner. I now just watch for the timestamp on the email to be sure that it happens during the nightly cycle only. At any other time, I would be extremely worried!

Hope this helps,
Ron

**Lyttek** · 05-24-2007 08:32 PM

Here's the code, taken directly from the 'secure your server' sticky:

Code:

Server e-mail everytime someone logs in as root

To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.

So, there's no script that's changed...

Having said that, when CP11 got updated, MailScanner choked, so I reinstalled using CS MailScanner package, so perhaps that's what's triggering it...

I'll have to try restarting MailScanner and see if that does as suggested.

And since you mention it, I've not been receiving (that I recall) the normal upcp emails... have to look into that as well

**chirpy** · 05-25-2007 04:54 AM

Our MailScanner script uses the su to root functionality in init to setup the correct environment on restart which is why you'll see a login for root.

**djblamire** · 06-03-2007 03:28 AM

Originally Posted by chirpy

Our MailScanner script uses the su to root functionality in init to setup the correct environment on restart which is why you'll see a login for root.

This is happening for me too.

Chirpy - Even though it only started since the upgrade to CP11 ??

Thanks
Daniel

LinkBack

Thread Tools

Root access alert email

Access root to a server in cluster -> access to dns ?

cPanel Access Alert/Notification

E-mail Alert on Root SSH Login

cpanel bug / Get root access with root password

addon domain alert email