Solved

postfix log file question

Posted on 2007-04-02
3
251 Views
Last Modified: 2013-12-15
I am running FC4 running postfix when i check the log files i get this:
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19958]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19958]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19961]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19961]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19964]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19964]: session closed for user dennis
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20086]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20086]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20089]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20089]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20092]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20092]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20095]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20095]: session closed for user paul
Apr  2 03:44:01 mail2 su(pam_unix)[20622]: session opened for user billy by (uid=0)
Apr  2 03:44:01 mail2 su(pam_unix)[20622]: session closed for user billy
Apr  2 03:44:01 mail2 su(pam_unix)[20625]: session opened for user billyt by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20625]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20628]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20628]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20631]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20631]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20634]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20634]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20637]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20637]: session closed for user billy

is this just postfix cycling thru the users?  

also i was wondering about creating a new root account named dennis  and then disabling the root account how do i do that?
0
Comment
Question by:knightdogs
  • 2
3 Comments
 
LVL 27

Accepted Solution

by:
Nopius earned 500 total points
ID: 18841354
> is this just postfix cycling thru the users?  
No. These logs come from 'su' command executed by root to become different users: 'billy', 'paul' and 'dennis'. Why it was executed - I don't know.

> also i was wondering about creating a new root account named dennis  and then disabling the root account how do i do that?
Do you mean you need to change user name 'root' to 'denis'?
I don't recommend but it's the simplest way to do so: edit files '/etc/passwd' and /etc/shadow and change user name 'root' to 'denis'. But most system scripts that rely on username 'root' for superuser will fail.
Another approach is to use selinux, but it's too complex and it works only for FC5 and above.
Third possible way - is also to change /etc/passwd but for user 'denis' change uid and gid fields to 0, he become your second root user. Also not recommended.
0
 

Author Comment

by:knightdogs
ID: 18842895
I am sorry for not being more clear.  i ran rkhunter and it said that root can be logged in to and that was a secrutiy concern.  i thought if i created another account like root, named dennis, and then disabled root that would fix it.  i saw a site 2 weeks ago that got hacked and it showed root uid 0   bla  bla  bla  and i figured that the hacker finally guessed roots password and took over so if i removed roots account i would slow them down, am i wrong?
0
 
LVL 27

Expert Comment

by:Nopius
ID: 18886073
knightdogs, thanks for points.

> figured that the hacker finally guessed roots password and took over so if i removed roots account i would slow them down, am i wrong?
You are wrong. System becomes unmanageble without root account.

Disallowing root to perform _remote_ login be done in /etc/ssh/sshd_config, with option 'PermitRootLogin No'. However really good security measure to prevent password guessing is a strong enouth root password (with, suppose, 10 randomly generated characters, not a dictionary word, with catipal/small letters and with digits).

Disallowing root FTP login is also possible, depends on your system, how to do it.
Disallowing any protocol (ftp, telnet, pop3 without apop/tls) with cleartext password is also a good preventive measure.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now