• Status: Solved

postfix log file question

I am running FC4 running postfix. When I check the log files I get this:
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19958]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19958]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19961]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19961]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19964]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19964]: session closed for user dennis
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20086]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20086]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20089]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20089]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20092]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20092]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20095]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20095]: session closed for user paul
Apr  2 03:44:01 mail2 su(pam_unix)[20622]: session opened for user billy by (uid=0)
Apr  2 03:44:01 mail2 su(pam_unix)[20622]: session closed for user billy
Apr  2 03:44:01 mail2 su(pam_unix)[20625]: session opened for user billyt by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20625]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20628]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20628]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20631]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20631]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20634]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20634]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20637]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20637]: session closed for user billy

Is this just postfix cycling through the users?

Also, I was wondering about creating a new root account named dennis and then disabling the root account. How do I do that?
Asked: knightdogs
 
Nopius Commented:
> Is this just postfix cycling through the users?
No. These logs come from the 'su' command executed by root to become different users: 'billy', 'paul' and 'dennis'. Why it was executed, I don't know.

> Also, I was wondering about creating a new root account named dennis and then disabling the root account. How do I do that?
Do you mean you need to change the user name 'root' to 'dennis'?
I don't recommend it, but the simplest way to do so is to edit the files '/etc/passwd' and '/etc/shadow' and change the user name 'root' to 'dennis'. But most system scripts that rely on the username 'root' for the superuser will fail.
Another approach is to use SELinux, but it's too complex and it works only for FC5 and above.
A third possible way is also to change /etc/passwd, but for user 'dennis' change the uid and gid fields to 0; he becomes your second root user. Also not recommended.
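To find out what is launching these 'su' calls, it helps to see how they cluster. The following is an added example, not part of the original thread: it pairs the opened/closed lines by PID, counts sessions per minute, target user and invoking uid, and flags pairs whose open and close lines disagree on the user (as PID 20625 does in the excerpt). The function name `summarize` is hypothetical; the sample lines are copied from the question.

```python
import re
from collections import defaultdict

# Subset of the log lines posted in the question, copied as-is.
SAMPLE = """\
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session closed for user dennis
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session closed for user paul
Apr  2 03:44:01 mail2 su(pam_unix)[20625]: session opened for user billyt by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20625]: session closed for user billy
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssu\(pam_unix\)\[(?P<pid>\d+)\]:\s"
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
    r"(?: by \S*\(uid=(?P<by>\d+)\))?$"
)

def summarize(text):
    """Pair su session events by PID; return (bursts, anomalies)."""
    opened = {}                  # pid -> target user of the still-open session
    bursts = defaultdict(int)    # (minute, target user, invoking uid) -> count
    anomalies = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue             # not an su(pam_unix) session line
        pid, user = m["pid"], m["user"]
        if m["event"] == "opened":
            opened[pid] = user
            minute = " ".join(m["ts"].split())[:-3]   # drop the seconds
            bursts[(minute, user, m["by"])] += 1
        else:
            start = opened.pop(pid, None)
            if start is None:
                anomalies.append((pid, "closed without open"))
            elif start != user:
                anomalies.append((pid, f"opened for {start}, closed for {user}"))
    anomalies += [(pid, "never closed") for pid in opened]
    return dict(bursts), anomalies

if __name__ == "__main__":
    bursts, anomalies = summarize(SAMPLE)
    for key, count in sorted(bursts.items()):
        print(count, "session(s):", key)
    print("anomalies:", anomalies)
```

Bursts that all share one timestamp and an invoking uid of 0 can then be compared against the times of scheduled jobs on the host.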
 
knightdogs (Author) Commented:
I am sorry for not being more clear. I ran rkhunter and it said that root can be logged in to and that was a security concern. I thought if I created another account like root, named dennis, and then disabled root, that would fix it. I saw a site 2 weeks ago that got hacked and it showed root uid 0 bla bla bla and I figured that the hacker finally guessed root's password and took over, so if I removed root's account I would slow them down. Am I wrong?
 
Nopius Commented:
knightdogs, thanks for the points.

> figured that the hacker finally guessed root's password and took over so if I removed root's account I would slow them down, am I wrong?
You are wrong. The system becomes unmanageable without a root account.

Disallowing root to perform _remote_ login can be done in /etc/ssh/sshd_config, with the option 'PermitRootLogin No'. However, a really good security measure to prevent password guessing is a strong enough root password (with, say, 10 randomly generated characters, not a dictionary word, with capital/small letters and with digits).

Disallowing root FTP login is also possible; how to do it depends on your system.
Disallowing any protocol (ftp, telnet, pop3 without apop/tls) with a cleartext password is also a good preventive measure.
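A way to verify the two settings discussed in this thread, as an added example that is not part of the original answers: it reads the global 'PermitRootLogin' value from sshd_config text and lists any account other than 'root' that has uid 0 in passwd-format text. The function names and both sample inputs are constructed for illustration.

```python
# Constructed sample inputs, not taken from the original thread.
SSHD_CONFIG = """\
# PermitRootLogin yes
Port 22
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin forced-commands-only
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
paul:x:501:501::/home/paul:/bin/bash
dennis:x:0:0::/home/dennis:/bin/bash
"""

def global_permit_root_login(config_text):
    """Return the global PermitRootLogin value, or None when it is not set.

    sshd uses the first value it reads for a keyword, keyword names are
    case-insensitive, and everything after a Match line is conditional,
    so scanning stops there. None means the compiled-in default applies,
    which depends on the OpenSSH version.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break                         # later lines apply only to matches
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None

def extra_uid0_accounts(passwd_text):
    """Return login names other than 'root' whose uid field is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit() and int(fields[2]) == 0:
            if fields[0] != "root":
                names.append(fields[0])
    return names

if __name__ == "__main__":
    print("PermitRootLogin (global):", global_permit_root_login(SSHD_CONFIG))
    print("extra uid 0 accounts:", extra_uid0_accounts(PASSWD))
```

On a real host, pass in the contents of /etc/ssh/sshd_config and /etc/passwd; the commented-out first line and the later duplicate in the sample show why a plain text search for the keyword can mislead.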