I setup a new VPS with ubuntu 18.04, including virtualmin/usermin. In auth.log I see a lot of
su[12936]: Successful su for domain by root
su[12936]: + ??? root:domain
systemd-logind[148]: New session c315 of user domain .
su[12936]: pam_unix(su:session): session opened for user domain by (uid=0)
su[12936]: pam_unix(su:session): session closed for user domain
in syslog, I see a lot of
systemd[1]: Started Session c314 of user domain.
systemd[1]: Started Session c315 of user domain.
domain is the user of my virtual server defined in the VPS. c314/c315 increased by 1 each time... It used to appear every 2-3 minutes, now it's every 5 minutes.
Reading on the internet about this, all the "solutions" were how to remove this logging from the log but nothing was explaining what are all those open/close sessions in the first place.
Also, when running loginctl list-sessions
those sessions are accumulated in "active=yes" and "state=closing" mode and never disappear from the list. At the moment there are 95 such sessions.
What is happening on my VPS, who is opening/closing sessions so many times and why? Also, why those sessions never disappear from the sessions list?
Thanks
update
loginctl session-status c315
c315 - domain (1000)
Since: Sat 2020-02-08 20:27:08 UTC; 23h ago
Leader: 12936
TTY: ???
Remote: user root
Service: su; type tty; class user
State: closing
Unit: session-c315.scope
Unit user-1000.slice (/user.slice/user-1000.slice):
└─session-2691929.scope
├─19035 sshd: domain [priv]
├─19051 sshd: domain@pts/0
├─19052 -bash
├─20124 sudo systemd-cgls -u user-1000.slice
├─20125 systemd-cgls -u user-1000.slice
└─20126 pager