Hi,

I've installed OSSEC on my server following the howto. When I create a site in IspConfig the directories are created with user www-data & group web(number) - also some have root - root.

The strange thing is that when I create a user with IspConfig for the site, the folders are changed to weird users & groups, for example the following:

web3: web3_info - web3 (this seems to be correct)
web6: web5_internet - ossec
web7: ossec - web7
web8: ossecm - web8

web5 was a test site, I deleted it and after that:

web6: web6_admin - ossec

These are the users created in IspConfig: web3_info, web6_admin, web7_webmail, web8_mailing (all these users have admin rights in IspConfig).

I've been playing around, for example at web7 I created a second user/email with the name web7_spam; when I made this user administrator the folder changed to web7_spam - web7. But after changing web7_webmail to administrator: ossec - web7 (when no user is administrator: www-data - web7).

The ossec group was created by OSSEC HIDS (http://www.howtoforge.com/intrusion_detection_with_ossec_hids)
OSSEC has never been tested with ISPConfig. It seems that ossec is replacing some users and groups in /etc/passwd and /etc/group.
Hi till!

For me, this is not a problem, because I only tested it after reading there were some problems. This is only on my testing server, which I format every 4-5 days after testing some things. So only for your information (nothing more):

group:

Code:
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:admin
fax:x:21:
voice:x:22:
cdrom:x:24:admin
floppy:x:25:admin
tape:x:26:
sudo:x:27:
audio:x:29:admin
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:admin
sasl:x:45:
plugdev:x:46:admin
staff:x:50:
games:x:60:
users:x:100:web14_tre,web14_ov,web14_test,web14_test2
nogroup:x:65534:
crontab:x:101:
Debian-exim:x:102:
admin:x:1000:
ssh:x:103:
bind:x:104:
mysql:x:105:
postfix:x:106:
postdrop:x:107:
admispconfig:x:1001:admispconfig
web8:x:10008:admispconfig
web9:x:10009:admispconfig
web14:x:10014:admispconfig,web14_km
ossec:x:10015:

passwd:

Code:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
admin:x:1000:1000:Administrator,,,:/home/admin:/bin/bash
identd:x:100:65534::/var/run/identd:/bin/false
sshd:x:101:65534::/var/run/sshd:/bin/false
fetchmail:x:103:65534::/var/run/fetchmail:/bin/sh
bind:x:104:104::/var/cache/bind:/bin/false
mysql:x:105:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:106:106::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
web14_tre:x:10013:10014:tre:/var/www/web14/user/web14_tre/./:/bin/bash
web14_ov:x:10011:10014:Oliver Vogel:/var/www/web14/user/web14_ov/./:/bin/bash
web14_km:x:10012:10014:Klaus Meins:/var/www/web14/./:/bin/bash
web14_test:x:10014:10014:Test:/var/www/web14/user/web14_test/./:/bin/bash
ossec:x:10015:10015::/var/ossec:/sbin/nologin
ossecm:x:10016:10015::/var/ossec:/sbin/nologin
ossece:x:10017:10015::/var/ossec:/sbin/nologin
ossecr:x:10018:10015::/var/ossec:/sbin/nologin
web14_test2:x:10015:10014:test2:/var/www/web14/user/web14_test2/./:/bin/false
The passwd file explains the problem: OSSEC has installed its own users within the user ID range of ISPConfig (UID > 10000, defined in the ISPConfig settings). If the ossec user IDs were > 1000 and < 10000 there should be no problem, or if ossec is installed before ISPConfig.
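The collision described in the post above can be checked for mechanically. The following is an added example, not part of the original thread and not code from OSSEC or ISPConfig: it reports UIDs shared by more than one account and non-panel accounts sitting above the panel's UID floor. The floor of 10000, the `webN_` naming pattern and the function names are assumptions taken from what the thread shows.

```python
import collections
import re

# Constructed sample: a subset of the passwd entries posted in this thread.
SAMPLE_PASSWD = """\
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
web14_km:x:10012:10014:Klaus Meins:/var/www/web14/./:/bin/bash
web14_test:x:10014:10014:Test:/var/www/web14/user/web14_test/./:/bin/bash
ossec:x:10015:10015::/var/ossec:/sbin/nologin
ossecm:x:10016:10015::/var/ossec:/sbin/nologin
web14_test2:x:10015:10014:test2:/var/www/web14/user/web14_test2/./:/bin/false
"""

PANEL_UID_FLOOR = 10000               # assumption: floor from the thread (UID > 10000)
PANEL_NAME = re.compile(r"^web\d+_")  # assumption: webN_name pattern seen in the thread
NOBODY_UID = 65534                    # conventional "nobody" account, not panel-managed


def parse_passwd(text):
    """Yield (name, uid, gid) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip blanks, comments and malformed entries
        yield fields[0], int(fields[2]), int(fields[3])


def duplicate_uids(text):
    """Map each UID owned by more than one account to the account names."""
    by_uid = collections.defaultdict(list)
    for name, uid, _gid in parse_passwd(text):
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def foreign_accounts_in_panel_range(text):
    """Accounts above the panel's UID floor that do not look panel-created."""
    return sorted(
        name for name, uid, _gid in parse_passwd(text)
        if uid > PANEL_UID_FLOOR and uid != NOBODY_UID and not PANEL_NAME.match(name)
    )


if __name__ == "__main__":
    print("shared UIDs:", duplicate_uids(SAMPLE_PASSWD))
    print("non-panel accounts in panel range:", foreign_accounts_in_panel_range(SAMPLE_PASSWD))
```

On a live host, pass the contents of /etc/passwd instead of the sample; any shared UID means file ownership resolves to whichever name the system looks up first, which matches the directory owners reported in the first post.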
That's it! Yes, you're right! After changing the IDs to 2000, 2001 and so on, and after changing the group file to 2000 (and rebooting the system to be sure that there is no garbage left), I created a new user and everything seems to be OK.
I've also changed the users to 2xxxx and the ISPConfig configuration, and now everything works perfectly. Thanks a lot!
After all these years, just an update. Latest OSSEC versions create users with 20000+ IDs like:

ossec:x:20001:20002::/var/ossec:/sbin/nologin
ossecm:x:20002:20002::/var/ossec:/sbin/nologin
ossecr:x:20003:20002::/var/ossec:/sbin/nologin

So this issue no longer occurs.