Solved

postfix log file question

Posted on 2007-04-02
3
254 Views
Last Modified: 2013-12-15
I am running FC4 running postfix when i check the log files i get this:
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19952]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19955]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19958]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19958]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19961]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19961]: session closed for user dennis
Apr  2 01:11:02 mail2 su(pam_unix)[19964]: session opened for user dennis by (uid=0)
Apr  2 01:11:02 mail2 su(pam_unix)[19964]: session closed for user dennis
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20083]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20086]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20086]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20089]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20089]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20092]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20092]: session closed for user paul
Apr  2 01:39:02 mail2 su(pam_unix)[20095]: session opened for user paul by (uid=0)
Apr  2 01:39:02 mail2 su(pam_unix)[20095]: session closed for user paul
Apr  2 03:44:01 mail2 su(pam_unix)[20622]: session opened for user billy by (uid=0)
Apr  2 03:44:01 mail2 su(pam_unix)[20622]: session closed for user billy
Apr  2 03:44:01 mail2 su(pam_unix)[20625]: session opened for user billyt by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20625]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20628]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20628]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20631]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20631]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20634]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20634]: session closed for user billy
Apr  2 03:44:02 mail2 su(pam_unix)[20637]: session opened for user billy by (uid=0)
Apr  2 03:44:02 mail2 su(pam_unix)[20637]: session closed for user billy

is this just postfix cycling thru the users?  

also i was wondering about creating a new root account named dennis  and then disabling the root account how do i do that?
0
Comment
Question by:knightdogs
  • 2
3 Comments
 
LVL 27

Accepted Solution

by:
Nopius earned 500 total points
ID: 18841354
> is this just postfix cycling thru the users?  
No. These logs come from 'su' command executed by root to become different users: 'billy', 'paul' and 'dennis'. Why it was executed - I don't know.

> also i was wondering about creating a new root account named dennis  and then disabling the root account how do i do that?
Do you mean you need to change user name 'root' to 'denis'?
I don't recommend but it's the simplest way to do so: edit files '/etc/passwd' and /etc/shadow and change user name 'root' to 'denis'. But most system scripts that rely on username 'root' for superuser will fail.
Another approach is to use selinux, but it's too complex and it works only for FC5 and above.
Third possible way - is also to change /etc/passwd but for user 'denis' change uid and gid fields to 0, he become your second root user. Also not recommended.
0
 

Author Comment

by:knightdogs
ID: 18842895
I am sorry for not being more clear.  i ran rkhunter and it said that root can be logged in to and that was a secrutiy concern.  i thought if i created another account like root, named dennis, and then disabled root that would fix it.  i saw a site 2 weeks ago that got hacked and it showed root uid 0   bla  bla  bla  and i figured that the hacker finally guessed roots password and took over so if i removed roots account i would slow them down, am i wrong?
0
 
LVL 27

Expert Comment

by:Nopius
ID: 18886073
knightdogs, thanks for points.

> figured that the hacker finally guessed roots password and took over so if i removed roots account i would slow them down, am i wrong?
You are wrong. System becomes unmanageble without root account.

Disallowing root to perform _remote_ login be done in /etc/ssh/sshd_config, with option 'PermitRootLogin No'. However really good security measure to prevent password guessing is a strong enouth root password (with, suppose, 10 randomly generated characters, not a dictionary word, with catipal/small letters and with digits).

Disallowing root FTP login is also possible, depends on your system, how to do it.
Disallowing any protocol (ftp, telnet, pop3 without apop/tls) with cleartext password is also a good preventive measure.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question