#1 (permalink)  
Old 05-24-2007, 09:14 AM
Registered User
 
Join Date: Jan 2004
Posts: 664
Lyttek is on a distinguished road
Root access alert email

I've had the server send me notification via email anytime root access to the server has occurred. Since the move to CP11, I'm getting an email at 16 past midnight that root access has happened, but no IP address has been recorded, making me think it's something from a cron job... Here's an example:

ALERT-Root Shell Access on: Thu May 24 00:16:17 CDT 2007

While a normal email has:

ALERT-Root Shell Access on: Thu May 24 08:05:39 CDT 2007 root pts/0 May
24 08:05 (adsl-70-244-110-121.dsl.ksc2mo.swbell.net)

Obviously, I'd like to eliminate the first, since it makes me jump every time I see it...
  #2 (permalink)  
Old 05-24-2007, 09:33 AM
Registered User
 
Join Date: Apr 2004
Location: NJ
Posts: 28
bebop1065
Perhaps your script needs to be updated to reflect the new(?) location of the log file that recorded the IP address of the login?

Would you share that script?
  #3 (permalink)  
Old 05-24-2007, 10:21 AM
Registered User
 
Join Date: Feb 2007
Posts: 89
gtgeorge is on a distinguished road
We get the same email that coincides with the upcp update each early AM. We have gotten them daily since the services done by ConfigServer.
__________________
regards,
George
  #4 (permalink)  
Old 05-24-2007, 11:00 AM
Registered User
 
Join Date: Nov 2003
Location: Northern Ontario, Canada
Posts: 784
verdon
Try the forums at ConfigServer for support for their scripts.
  #5 (permalink)  
Old 05-24-2007, 11:31 AM
Registered User
 
Join Date: Oct 2002
Location: NE Illinois
Posts: 298
cpanelinfoseeker is on a distinguished road
I put a ticket in to Chirpy when this first happened as I was worried. This is normal when MailScanner is restarted. You can duplicate it by doing a manual restart in MailScanner. I now just watch for the timestamp on the email to be sure that it happens during the nightly cycle only. At any other time, I would be extremely worried!

Hope this helps,
Ron
  #6 (permalink)  
Old 05-24-2007, 08:32 PM
Registered User
 
Join Date: Jan 2004
Posts: 664
Lyttek is on a distinguished road
Here's the code, taken directly from the 'secure your server' sticky:

Code:
Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.

So, there's no script that's changed...

Having said that, when CP11 got updated, MailScanner choked, so I reinstalled using CS MailScanner package, so perhaps that's what's triggering it...

I'll have to try restarting MailScanner and see if that does as suggested.

And since you mention it, I've not been receiving (that I recall) the normal upcp emails... have to look into that as well.
  #7 (permalink)  
Old 05-25-2007, 04:54 AM
Moderator
 
Join Date: Jun 2002
Location: Go on, have a guess
Posts: 13,495
chirpy will become famous soon enough
Our MailScanner script uses the su to root functionality in init to setup the correct environment on restart which is why you'll see a login for root.
__________________
Jonathan Michaelson
cPanel Forum Moderator

Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
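
Added example, not part of the original thread and not ConfigServer's or cPanel's code: the one-liner from the sticky mails the full `who` listing, so a root login shell started without a terminal (as described above for the MailScanner restart) yields an alert with no user or IP. This shell example separates that case from a real terminal login; the function names and the sample `who` lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify the session that sourced root's login profile.
# Function names are hypothetical; the `who` lines in the demo are constructed.

# session_origin WHO_LINE
# WHO_LINE: one line of `who -m` output, or empty when the shell has no
# terminal (for example `su -` run from an init script or cron job).
session_origin() {
    if [ -z "$1" ]; then
        echo "no-tty"
        return 0
    fi
    # A remote login carries the peer host in parentheses as the last field.
    host=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\))[[:space:]]*$/\1/p')
    if [ -n "$host" ]; then echo "remote:$host"; else echo "local"; fi
}

# alert_subject ORIGIN PARENT_COMMAND
alert_subject() {
    case $1 in
        remote:*) echo "Alert: Root Access from ${1#remote:}" ;;
        local)    echo "Alert: Root Access on local terminal" ;;
        *)        echo "Notice: root login shell without a terminal (parent: ${2:-unknown})" ;;
    esac
}

# current_session_subject: gather the live facts for the shell reading the profile.
current_session_subject() {
    who_line=""
    # `tty -s` succeeds only if stdin is a terminal; `who -m` then reports
    # just that terminal's session instead of every logged-in user.
    if tty -s; then who_line=$(who -m 2>/dev/null || true); fi
    parent=$(ps -o comm= -p "$PPID" 2>/dev/null || true)
    alert_subject "$(session_origin "$who_line")" "$parent"
}

# In root's .bash_profile, after defining the functions above:
#   echo "Root shell on $(hostname) at $(date)" | mail -s "$(current_session_subject)" your@email.com

# Demo on constructed input (no mail is sent).
for line in 'root pts/0 May 24 08:05 (host.example.net)' 'root tty1 May 24 00:20' ''; do
    alert_subject "$(session_origin "$line")" "su"
done
```

Naming the parent process in the no-terminal case makes the nightly restart recognizable at a glance, while the same notice at any other time or from an unexpected parent still stands out.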
  #8 (permalink)  
Old 06-03-2007, 03:28 AM
Registered User
 
Join Date: May 2003
Posts: 205
djblamire
Quote:
Originally Posted by chirpy
Our MailScanner script uses the su to root functionality in init to setup the correct environment on restart which is why you'll see a login for root.
This is happening for me too.

Chirpy - Even though it only started since the upgrade to CP11 ??

Thanks
Daniel
All times are GMT -5. The time now is 08:51 AM.

