Ubuntu Security :: W Or Top Show 2 Users But Only One Logged In
Mar 17, 2011
I have 2 servers, web server & mail server. they show 2 users in the summary area when I run w or top commands. But the actual list of users logged in (using either w or who) shows only 1 user.
ps -ef |grep username only shows my current login as a running sshd process.
So I can find no trace of this other user except in the summary line for w or top. I have no shells or other logins left running elsewhere or abruptly terminated, no gui sessions (these are servers), no tty logins. Do I have another user logged in? Has someone hacked me & covered up most of their trail? Why do these commands show 2 users when everything else points to 1 user?
The line in bold is the security issue. There is only 1 user account on the system. There should only be 1 user logged in, not 2 users logged in. The remainder of the log file lists 1 user logged in, for similar log output. 2 users logged in does not appear again in the log file.
Does the second line of bold indicate that an attempt was made to log in to the system using SSH?
There was an internet connection interruption (no service) around the time of the log file event. The service did return, later.
Does that line indicate that an unauthorized user logged in to the system?
Just noticed this, when I am logged into OpenSuse 11.3 under my default user (autologin) I have 3 of the same user logged in, eg when I run top it shows 3 users and when I run the users command it shows the same user 3 times. Is there any reason for this? Do I need to investigate this at all?
When I'm logged into my account, I can't shut down the computer if someone else is also logged in unless I supply the root password. However, if I log out, I can shut down from GDM without being challenged, even though another person is logged in, which could cause problems if that person is in the middle of some work. Is there a way to password-protect the gdm shutdown function if people are logged in?
From Solaris I know a command "lastlog" which shows the times when each existing user logged in the last time.
When I enter the same command in Ubuntu then it is executed (=it must exist) but for all users "** Never logged in **" is displayed although of cause at least the current user must be logged in some time. Do I have to enable this kind of logging somehow?
Whenever I want to shut down, I have to enter my password, because shutting down while other users are logged in is a privileged operation. Now, I couldn't download an update because the update lock was in use. I'd be surprised if someone had targeted my system, especially because I didn't install any obscure .debs or anything recently, but I'd really like to find out if it's been compromised somehow. Say, by obtaining an overview of all users currently logged into my system or something. Is that possible?
I installed a few media servers to stream something to my PS3 over the weekend, but now when trying to shutdown the computer, I'm asked to authenticate with a password since other users are still logged in. I installed quite a few programs over the weekend trying to get it to work, so I can't remove a specific one. Is there a way to see which daemons are logged in under a different session? Found it. It turned out to be mythtv.
I run a linux file server for my office and we user SFTP for remote partners to login and download files. Is there a way to see if there are any active connections or logins so I can know when it is safe to perform maintenance on the machine?
Since the machine is almost constantly serving large files, scheduled maintenance is often bumped off due to someone either upload
I try to write a script which would kill processes of users who are not logged in. My approach is to find out what users are logged in and then kill processes of all nonsystem users who fail the test of being logged. I use `w` for finding all logged in users, but apparently there are users on the list which `w` gives me who own absolutely no process in the output of `ps aux`. How do I log off those users, since killing their processes wont work (since they own no processes)?
On Ubuntu 10.04 when there are more than just one user logged in, if one of users logs off system hangs with a black screen.
After I reboot the machine and log in again, just after GDM login screen I get a window with a message about PowerMeter crash, with suggestion to 'cancel' and 'log off'. Only 'Log off' works, i.e. I'm successfully logged in.
Last entries from system.log before system freeze are:
If there is a simple way to prevent accidental shutdown when the following situation occurs:
Sometimes, I log in on my father's computer to run some administrations' tasks (updates...). For that, I use SSH since I'm frequently far from my parents and what I want is to prevent a shutdown run by my father. Of course, he should be able to turn off by himself if nobody else is connected.
Molly-Guard allows to prevent distant shutdown, my request is a kind of complementary software.
Does anyone know a project which could fit with this request? Do you have simple ideas to write a short code I know bash, perl, python...
I can't seem to get last logged in dat/time for vsftpd users. They are linux users maintained within passwd groups ect ... i think this is because ftp doesn't actually give them a real session. That being true, how do i get the last logged in time for my ftp users?
I was doing some rather lengthy procedures using a terminal. Then I wrote script using Kate, and input it into that terminal, and then realized that I was logged in as a normal user in that terminal as opposed to a superuser, which is how I was logged in at the other terminal. I've never noticed this before because I've never done anything that takes this long.
Is there any way to link all terminal sessions in such a way that they all show me logged in as the same user? I don't even know if this is even important, but I don't want to risk losing any things that I had done.
We are trying to set up a classroom training environment where our SIG can hold classes for prospective converts from Microsoft/Mac. The ten machines will have /home/student01..10 and /home/linsig01..10 as users. We want /home/student01 to be able to explore and sudo so they can learn to administer their personal machines at home. We don't want them to be able to modify (sudo) /home/linsig01. I've seen the tutorial on Access Control Lists but I'd like other input so we get it right the first time.
i have setup auto ssh login for my server. And it works, but only when i have a active connection. if i use "ssh server.com" it asks for my password. If i then open a new terminal and issue "ssh server.com" it logs right in. I really don*t understand whats wrong.
I have tried setting up 2 virtual machines on my local computer and with the same setup it works fine.
SOLVED: my home folder was encrypted, so when no users were logged in the home folder was unmounted
I would just like to know how to, and know if its secure to run the following programs WHILE LOGGED OUT of Ubuntu: openvpn, deluge, and if it can be securely done while the home directory is encrypted.
I am using Fedora 10 .Generally to update I open a virtual console by pressing Ctrl-Alt-F2,login as root and give the "yum update" command.Then I continue using my graphical terminal for other tasks from the 'non-root' account..Now my room-mate comes uses my 'non-root' account to browse web for few minutes and then opens a terminal types "halt", ENTER and viola...! My root account seems to be insulted by a 'non-root' user!.When I am doing updates or other important work as root any silly user can just 'halt' my computer. Can somebody tell me how to set up my computer so that when root is logged in no other user can simply halt the computer.
I installed IPlist earlier today on my main/admin account (which I only use for installing programs. I don't use this account daily.) and everything was fine. When I logged into my every day account and tried to load the program, it prompted me for my password. When I entered it, I got this message:Quote:Failed to run /usr/sbin/ipblock start_gui as user root.The underlying authorization mechanism (sudo)t allow you to run this program. Contact the system administrator.Does this mean I am not able to use this program on this account, or is there a way around it? I'm new to Ubuntu so forgive me if I'm asking the obvious. I looked around and couldn't find an answer. I really don't want to use my admin account for daily activities, but I also really want to be able to use IPlist
I am pretty new to Linux, but this can't be the way the system is supposed to operate.
Fedora 12 KDE 4.4 kernel 188.8.131.52-70.fc12.i686 Toshiba satellite L305D
As of updating KDE to 4.4 and a kernel update from two weekends ago hibernate/resume works perfectly. The problem is I feel that all terminals should be locked/logged out automatically upon suspend/hibernate. Through bug reporting at KDE found that an additional setting is required in KDE to lock the desktop before suspend/hibernate. But any of my other terminals that are logged in remain logged in upon resume. Is there an additional setting that I have to flip to secure the terminals? Would this be considered a security hole? Is there anything short of me manually logging out that I can do to automate locking/logging my terminals?
To avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?
We have 4 servers having rhel 5.2. We have several users logged in on one of them. We have nis server/client running on them and have common home area mounted on all of them. Now we want to disable/block the accounts of the users who have not accessed our servers in last 2 months from today.What logic should we apply to do so? We were checking stat of .bashrc of each user but is not correct logic. We are going to write shell script for the same. We dont want to do anything in users home area or their files.
Failed login attempts are logged to syslog with the user id or login id set to UNKNOWN_USER or UNSET.Anybody know if this is configurable. I would rather it just pass the actual id that the user used. Doesn't matter if it exist or not, just want to know if someone is guessing at user names and what those user names are