Solved

postfix log file question

Posted on 2007-04-02
Last Modified: 2013-12-15
I am running FC4 with postfix. When I check the log files I get this:
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19958]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19958]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19961]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19961]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19964]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19964]: session closed for user dennis
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20086]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20086]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20089]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20089]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20092]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20092]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20095]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20095]: session closed for user paul
Apr  2 03:44:01 mail2 su(pam_unix)[20622]: session opened for user billy by (uid=0)
Apr  2 03:44:01 mail2 su(pam_unix)[20622]: session closed for user billy
Apr  2 03:44:01 mail2 su(pam_unix)[20625]: session opened for user billyt by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20625]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20628]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20628]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20631]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20631]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20634]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20634]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20637]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20637]: session closed for user billy

Is this just postfix cycling through the users?

Also, I was wondering about creating a new root account named dennis and then disabling the root account. How do I do that?
Question by:knightdogs

Accepted Solution

by:
Nopius earned 500 total points
ID: 18841354
> Is this just postfix cycling through the users?
No. These logs come from the 'su' command executed by root to become different users: 'billy', 'paul' and 'dennis'. Why it was executed, I don't know.

> Also, I was wondering about creating a new root account named dennis and then disabling the root account. How do I do that?
Do you mean you need to change the user name 'root' to 'dennis'?
I don't recommend it, but the simplest way to do so is: edit the files '/etc/passwd' and '/etc/shadow' and change the user name 'root' to 'dennis'. But most system scripts that rely on the username 'root' for the superuser will fail.
Another approach is to use SELinux, but it's too complex and it works only for FC5 and above.
A third possible way is also to change /etc/passwd, but for user 'dennis' change the uid and gid fields to 0; he becomes your second root user. Also not recommended.

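The accepted answer reads the quoted lines as `su` sessions opened by uid 0. As an added example (not part of the original thread), this parser groups such lines by minute, target user and calling uid, and reports sessions that were opened but never closed. The sample log is constructed in the same format; the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the format of the lines quoted in the question.
SAMPLE_LOG = """\
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session closed for user dennis
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session opened for user paul by (uid=0)
Apr  2 01:39:03 mail2 su(pam_unix)[20083]: session closed for user paul
Apr  2 03:44:01 mail2 su(pam_unix)[20622]: session opened for user billy by joe(uid=500)
Apr  2 03:44:02 mail2 sshd[20700]: some unrelated line
"""

SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
    r"(?: by \S*\(uid=(?P<uid>\d+)\))?$"
)

def summarize_su_sessions(text):
    """Return (opened, unclosed).

    opened:   Counter keyed by (minute, target_user, caller_uid)
    unclosed: {pid: target_user} for sessions with no matching 'closed' line
    """
    opened, unclosed = Counter(), {}
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m is None:
            continue                      # not an su(pam_unix) session line
        if m["event"] == "opened":
            uid = int(m["uid"]) if m["uid"] else None
            opened[(m["ts"][:-3], m["user"], uid)] += 1   # drop ":SS"
            unclosed[m["pid"]] = m["user"]
        else:
            unclosed.pop(m["pid"], None)
    return opened, unclosed

def root_bursts(opened, min_count=2):
    """(minute, user) pairs where uid 0 opened at least min_count su sessions."""
    return sorted((minute, user) for (minute, user, uid), n in opened.items()
                  if uid == 0 and n >= min_count)

if __name__ == "__main__":
    opened, unclosed = summarize_su_sessions(SAMPLE_LOG)
    print(root_bursts(opened), unclosed)
```

The minutes returned by `root_bursts` can be compared against root's scheduled jobs to see what is invoking `su`.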
Author Comment

by:knightdogs
ID: 18842895
I am sorry for not being more clear. I ran rkhunter and it said that root can be logged in to and that was a security concern. I thought if I created another account like root, named dennis, and then disabled root, that would fix it. I saw a site 2 weeks ago that got hacked and it showed root uid 0 bla bla bla, and I figured that the hacker finally guessed root's password and took over, so if I removed root's account I would slow them down. Am I wrong?

Expert Comment

by:Nopius
ID: 18886073
knightdogs, thanks for points.

> figured that the hacker finally guessed root's password and took over, so if I removed root's account I would slow them down. Am I wrong?
You are wrong. The system becomes unmanageable without a root account.

Disallowing root from performing _remote_ login can be done in /etc/ssh/sshd_config, with the option 'PermitRootLogin No'. However, a really good security measure to prevent password guessing is a strong enough root password (with, suppose, 10 randomly generated characters, not a dictionary word, with capital/small letters and with digits).

Disallowing root FTP login is also possible; how to do it depends on your system.
Disallowing any protocol (ftp, telnet, pop3 without apop/tls) with a cleartext password is also a good preventive measure.

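The thread touches two settings that can be checked directly: accounts with uid 0 in /etc/passwd and the 'PermitRootLogin' option in sshd_config. As an added example (not part of the original thread), this audit reports any uid 0 account other than root and the global PermitRootLogin value. The sample file contents are constructed, the function names are illustrative, and the sample uses the lowercase `no` form documented in sshd_config(5).

```python
# Constructed samples; on a real host read /etc/passwd and /etc/ssh/sshd_config.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dennis:x:0:0:Dennis:/home/dennis:/bin/bash
paul:x:501:501::/home/paul:/bin/bash
"""

SAMPLE_SSHD_CONFIG = """\
# PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin yes
"""

def uid0_accounts(passwd_text):
    """Names of all accounts whose uid field (3rd) is 0, in file order."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].strip() == "0":
            names.append(fields[0])
    return names

def global_permit_root_login(config_text):
    """First PermitRootLogin value before any Match block, else None."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()         # keywords are case-insensitive
        if keyword == "match":
            return None                    # global section ended, nothing set
        if keyword == "permitrootlogin" and len(parts) > 1:
            return parts[1].strip('"')
    return None

def audit(passwd_text, config_text):
    """Return a list of findings (empty list means nothing to report)."""
    findings = [f"extra uid 0 account: {n}"
                for n in uid0_accounts(passwd_text) if n != "root"]
    value = global_permit_root_login(config_text)
    if value is None:
        findings.append("PermitRootLogin not set: sshd default applies")
    elif value.lower() != "no":
        findings.append(f"PermitRootLogin is '{value}'")
    return findings
```

On a live system, `sshd -T` prints the effective configuration, including Match and Include handling that this example does not model.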