If you notice duplicate root login alerts from cPFence — sometimes 7–8 Slack or email notifications for what looks like the same login — this usually happens when multiple sessions are opened at once. This can be triggered by the cPFence WebUI or by certain SSH clients that establish parallel connections.
Step 1: Whitelist Your Server IPs
To prevent unnecessary root login alerts from your own servers, whitelist your cluster IPs. This ensures that internal system logins do not generate repeated notifications.
How to Whitelist Your Enhance Cluster’s IPs in cPFence
Step 2: Check Your SSH Client Settings
Some SSH clients create multiple sessions in the background (for example, when multiplexing connections). Each of these sessions triggers its own root login alert in Slack or email. Reviewing and adjusting your SSH client settings can help reduce duplicate alerts.
Step 3: Review Recent Logins
To confirm how many root login sessions are actually being created, review your SSH logs:
journalctl -u ssh --since=-15min --no-pagerThis will show all root login events within the last 15 minutes, including multiple parallel sessions if they exist.
Step 4: How cPFence Sends Alerts
cPFence sends one alert per new session. If several sessions are created, you will see multiple root login alerts, whether by Slack or email. This is expected behavior and ensures that every access attempt is logged and reported.
Need Further Assistance?
If you continue to receive duplicate root login alerts and need help tuning Slack or email notifications, please reach out to our support team via your client portal.
