
Log entries


arctic_ged

Guest
I have a server running Plesk 10 (CentOS 5), and I found these entries (hundreds of them) inside var/log/secure. Can anyone tell me what they mean?

....
Mar 22 08:18:51 www su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Mar 22 08:18:52 www su: pam_unix(su-l:session): session closed for user popuser
Mar 22 08:18:52 www su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Mar 22 08:18:53 www su: pam_unix(su-l:session): session closed for user popuser
Mar 22 08:18:53 www su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Mar 22 08:18:54 www su: pam_unix(su-l:session): session closed for user popuser
Mar 22 08:18:54 www su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Mar 22 08:18:55 www su: pam_unix(su-l:session): session closed for user popuser
....
 
The /var/log/secure file logs security related messages on the server. These messages are authenticated data which can consist of failed login attempts and messages from any security processes running on the machine.

This is not a Plesk related schematic and is completely acceptable. If your /var/log/secure (may also be an iteration of files, secure.1, secure.2, etc.) is a few MB or typically in its MB range (1-20MB) then you have nothing to worry about. If your log starts getting larger (sometimes GB) then you should consider examining it to determine the cause.

You can run the following command to see if you have any intruders:
for ip in $(awk '/Illegal user/ {print $10}' /var/log/secure | sort -u); do echo "$ip : $(grep -cF -- "$ip" /var/log/secure)"; done

This will return IP addresses and a count of how many times that IP has failed to authenticate a valid connection to the server. If it's suspiciously high, you can blacklist the IP. But be sure it's not your IP; some are renowned to overlook such a simple thing. If the command returns nothing, you're pretty much worrying about nothing.

You can truncate these files if need be, or delete the log file to save clogging up space, but be sure to recreate the file(s).
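The following script is an added example and is not part of the original thread or of Plesk. It generalises the one-liner above: it tallies failed SSH logins per source address from a /var/log/secure-style file, matching the older "Illegal user" wording, the newer "Invalid user" wording and "Failed password" lines, while ignoring the harmless pam_unix "session opened/closed" entries the question is about. The sample log lines are constructed, and the script assumes the standard sshd log format in which the source address follows the word "from".

```shell
#!/bin/sh
# Added example (not from the original thread): count failed SSH logins per
# source IP in a /var/log/secure-style file. Assumes standard sshd wording,
# where the client address always follows the word "from".

# Constructed sample log, written to a temp file so the script runs offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 22 08:18:51 www su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Mar 22 08:18:52 www su: pam_unix(su-l:session): session closed for user popuser
Mar 22 08:19:03 www sshd[4411]: Illegal user admin from 192.0.2.10
Mar 22 08:19:05 www sshd[4413]: Illegal user oracle from 192.0.2.10
Mar 22 08:19:07 www sshd[4415]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Mar 22 08:20:11 www sshd[4420]: Invalid user test from 198.51.100.7
Mar 22 08:21:30 www sshd[4425]: Accepted password for popuser from 203.0.113.5 port 40010 ssh2
EOF

# Print "ip count" lines for failed logins, highest count first.
# Session open/close noise from pam_unix never matches the patterns, so it is skipped.
failed_by_ip() {
    awk '
        /Illegal user|Invalid user|Failed password/ {
            # Walk the fields and take whatever follows "from" as the source IP.
            for (i = 1; i < NF; i++) if ($i == "from") ips[$(i + 1)]++
        }
        END { for (ip in ips) print ip, ips[ip] }
    ' "$1" | sort -k2,2nr
}

# Count for one IP, using an exact string comparison so dots are not regex wildcards.
# Prints 0 when the address never failed (e.g. a successful login only).
count_for_ip() {
    failed_by_ip "$2" | awk -v ip="$1" '$1 == ip { print $2; found = 1 } END { if (!found) print 0 }'
}

failed_by_ip "$SAMPLE_LOG"
```

Run it against the real file with `failed_by_ip /var/log/secure` (and the rotated secure.1, secure.2 copies if you want history); an address with a high count that is not your own is the candidate for blacklisting, while addresses that only appear in "Accepted" lines are not reported at all.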
 
Last edited by a moderator: