
Root access alert email

Discussion in 'E-mail Discussions' started by Lyttek, May 24, 2007.

  1. Lyttek

    Lyttek Well-Known Member

    I've had the server send me notification via email any time root access to the server has occurred. Since the move to CP11, I'm getting an email at 16 past midnight that root access has happened, but no IP address has been recorded, making me think it's something from a cron job... Here's an example:

    ALERT-Root Shell Access on: Thu May 24 00:16:17 CDT 2007

    While a normal email has:

    ALERT-Root Shell Access on: Thu May 24 08:05:39 CDT 2007 root pts/0 May
    24 08:05 (adsl-70-244-110-121.dsl.ksc2mo.swbell.net)

    Obviously, I'd like to eliminate the first, since it makes me jump every time I see it...
     
  2. bebop1065

    bebop1065 Active Member

    Perhaps your script needs to be updated to reflect the new(?) location of the log file that recorded the ip address of the login?

    Would you share that script?
     
  3. gtgeorge

    gtgeorge Well-Known Member

    We get the same email that coincides with the upcp update each early AM. We have gotten them daily since the services done by ConfigServer.
     
  4. verdon

    verdon Well-Known Member

    Try the forums at ConfigServer for support for their scripts.
     
  5. cpanelinfoseeker

    cpanelinfoseeker Well-Known Member

    I put a ticket in to Chirpy when this first happened as I was worried. This is normal when MailScanner is restarted. You can duplicate it by doing a manual restart in MailScanner. I now just watch for the timestamp on the email to be sure that it happens during the nightly cycle only. At any other time, I would be extremely worried!

    Hope this helps,
    Ron
     
  6. Lyttek

    Lyttek Well-Known Member

    Here's the code, taken directly from the 'secure your server' sticky:

    Code:
    Server e-mail everytime someone logs in as root
    
    To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.
    
    At command prompt type: pico .bash_profile
    
    Scroll down to the end of the file and add the following line:
    
    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
    
    Save and exit. 
    So, there's no script that's changed...

    Having said that, when CP11 got updated, MailScanner choked, so I reinstalled using CS MailScanner package, so perhaps that's what's triggering it...

    I'll have to try restarting MailScanner and see if that does as suggested.

    And since you mention it, I've not been receiving (that I recall) the normal upcp emails... have to look into that as well :confused:
     
  7. chirpy

    chirpy Well-Known Member

    Our MailScanner script uses the su to root functionality in init to set up the correct environment on restart, which is why you'll see a login for root.
     
  8. djblamire

    djblamire Well-Known Member

    This is happening for me too.

    Chirpy - Even though it only started since the upgrade to CP11 ??

    Thanks
    Daniel
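
The thread's alert fires for any root login shell, including a `su -` run by an init script, and then has nothing useful from `who` to report. The following is an added example, not code from the thread or from ConfigServer: the hypothetical functions `classify_root_shell` and `send_root_alert` label each alert by how the shell was started, assuming `tty`, `ps`, `mail` and sshd's `SSH_CONNECTION` variable are available.

```shell
# Added example, not from the thread. Classifies how a root login shell was
# started so the alert distinguishes an init-script "su -" from a person.

# classify_root_shell TTY SSH_CONNECTION PARENT_CMD   (hypothetical helper)
#   TTY            output of tty(1); "not a tty" when stdin is not a terminal
#   SSH_CONNECTION sshd's "client_ip client_port server_ip server_port", or empty
#   PARENT_CMD     command line of the parent process, or empty
classify_root_shell() {
    cr_tty=${1:-} cr_ssh=${2:-} cr_parent=${3:-unknown}
    if [ -n "$cr_ssh" ]; then
        # Direct SSH login as root: sshd exports the client address.
        echo "ssh login from ${cr_ssh%% *} on ${cr_tty#/dev/}"
    elif [ -z "$cr_tty" ] || [ "$cr_tty" = "not a tty" ]; then
        # No terminal: started by a script (e.g. an init script running "su -").
        echo "no tty, started by: $cr_parent"
    else
        # Terminal but no SSH variables: console login or "su -" by a user.
        echo "tty ${cr_tty#/dev/}, started by: $cr_parent"
    fi
}

# send_root_alert RECIPIENT   (hypothetical helper)
# Gathers the live values and mails one line. Call it from the end of
# root's .bash_profile; it is only defined here, not invoked.
send_root_alert() {
    sr_kind=$(classify_root_shell "$(tty 2>/dev/null)" "${SSH_CONNECTION:-}" \
        "$(ps -o args= -p "$PPID" 2>/dev/null)")
    echo "ALERT - Root Shell Access on: $(date) [$sr_kind]" |
        mail -s "Alert: Root Access ($sr_kind)" "$1"
}
```

With this in place, the nightly MailScanner restart arrives labelled "no tty" with the parent command, while the same label at an unexpected time, or from an unexpected parent, is the one to investigate.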
     