Root was logged into pam using following authentication service: system (sudo)
Hi there,
Every 30 minutes cPanel alerts me by email about a root login.
I'm using RAID on the server and a Nagios plugin for monitoring it.
So, each Nagios check performs script execution via sudo.
About what I can see in /var/log/secure log file.
I found the corresponding thread, but an old one, from 2012
Hello :) You can browse to "WHM Home » Security Center » cPHulk Brute Force Protection" and ensure the option to receive a notification when root successfully logs in from an IP address that is not whitelisted is disabled. Thank you.
Hello cPanel Staff, logins are without IP address, they are from system users.
Does the issue persist after disabling the option referenced in my last post? Thank you.
Hello Michael, yes :( Thank you.
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.
Is CSF firewall installed and running on your server?
Yes we do (note: it's my server, fomistoklus is a contractor who keeps it on "good behaviour"). I'm almost certain we've had cPHulk on for ages and did not always receive these incessant, every-30-minute alerts -- which is why it's somewhat concerning.