Remote IP address no longer appearing in notices of 'root login' using su

ottdev

cPanel Access Level: Root Administrator
WHM 11.48.1 (build 2)

Since the email notifications changed from plain text to HTML after a recent update, the new messages show only 0.0.0.0/"local machine" for the following alert for login via su - it used to show a valid IP (of my ISP, for example if I was the one logging in).

Subject: Root Login from Local Machine
Successful Root Login from Local Machine.
Service: su
Local User triggering request: shurfam
Remote IP Address: 0.0.0.0
Authentication Database: system
Username: root
This notice is the result of a request made by a computer with the IP address of “0.0.0.0” through the “su” service on the server.
Copyright© 2015 cPanel, Inc.

This new HTML style one for root login to whostmgrd does get the IP okay:

Subject: Root Login from IP 99.241.x.x
Successful Root Login.
Service: whostmgrd
Local IP Address: 64.x.x.x
Local Port: 2087
Remote IP Address: 99.241.x.x
Remote Port: 64308
Authentication Database: system
Username: root
This notice is the result of a request made by a computer with the IP address of “99.241.x.x” through the “whostmgrd” service on the server.
A reverse DNS lookup on the IP address returned the host name “CPExxxxxxx-CM18xxxxxxxxxc0.cpe.net.cable.rogers.com”.
This computer’s location appears to be: Canada (CA).

Here is the older plain text version for login via su last seen before we updated on Feb 9th:

Subject: Root Login from IP 99.241.x.x
Root was logged into pam using following authentication service: system (su)
Reverse DNS: CPExxxxxxxx-CM18xxxxxxxxc0.cpe.net.cable.rogers.com
Origin Country: Canada (CA)
Please use the following links to add to the black list:
Single IP: https://myserverdomain.tld:2087/cgi/bl.cgi?ip=99.241.x.x
...
 

cPanelMichael

Administrator
Staff member
Hello :)

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
Internal case number 173085 is open to address the issue that occurs when logging in as a user and then using su to switch over to root. The IP provided shows logins from 0.0.0.0 instead of your actual IP address when this occurs. You can monitor our change log for the inclusion of this case number:

cPanel Change Logs

Note that this issue might be addressed by internal case 173073, so look for that number as well.

Thank you.
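
Added example, not part of the thread and not cPanel's code: while the su notice reports 0.0.0.0, the originating address can be recovered by pairing each su-to-root session with the most recent accepted SSH login of the user who ran su. It assumes the standard sshd and pam_unix line formats found in /var/log/secure, uses constructed sample lines, and the function name is hypothetical; with several concurrent sessions for one user the pairing is a best guess.

```python
import re

# Constructed sample in the usual /var/log/secure syslog format (not from the thread).
SAMPLE_LOG = """\
Feb 10 09:14:02 host sshd[4121]: Accepted password for shurfam from 203.0.113.25 port 64308 ssh2
Feb 10 09:14:02 host sshd[4121]: pam_unix(sshd:session): session opened for user shurfam by (uid=0)
Feb 10 09:15:40 host su: pam_unix(su-l:session): session opened for user root by shurfam(uid=500)
Feb 10 11:02:11 host sshd[5310]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2
Feb 10 11:30:05 host su: pam_unix(su-l:session): session opened for user root by backup(uid=501)
"""

# Successful SSH authentication: captures the account and the remote address.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# su (or su -l) session opened for root: captures the account that ran su.
SU_RE = re.compile(r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): "
                   r"session opened for user root by (?P<user>[^\s(]+)\(uid=\d+\)")


def correlate_su_to_ssh(log_text):
    """Return one (timestamp, user, ip) tuple per su-to-root event.

    ip is the source of the most recent accepted SSH login seen for that
    user earlier in the log, or None if the log holds no such login.
    """
    last_ip = {}   # user -> remote address of latest accepted SSH login
    events = []
    for line in log_text.splitlines():
        ts = line[:15]  # "Mon DD HH:MM:SS" syslog prefix
        m = SSH_RE.search(line)
        if m:
            last_ip[m.group("user")] = m.group("ip")
            continue
        m = SU_RE.search(line)
        if m:
            user = m.group("user")
            events.append((ts, user, last_ip.get(user)))
    return events


if __name__ == "__main__":
    for ts, user, ip in correlate_su_to_ssh(SAMPLE_LOG):
        source = ip or "unknown (console login or rotated log)"
        print(f"{ts} su to root by {user}: SSH source {source}")
```

A su event with no matching SSH login (the `backup` line in the sample) is worth a closer look, since it means the session did not arrive over SSH within the log window being read.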