panit

Active Member
Aug 14, 2013
35
1
58
cPanel Access Level
Reseller Owner
Is it OK to delete log files? The /usr/local/apache/logs/error_log is over 5 GB so reading it is difficult. The majority of errors are due to CloudLinux but I can't update until I get all accounts on the server changed to use the new MySQL naming schema.
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,740
300
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
You can, but you need to hard restart apache to actually get rid of it.

You should look at service config-apache config-log rotation in WHM and make sure it's set to rotate the logs.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello @panit,

Can you confirm that error_log is selected in WHM >> Apache Configuration >> Log Rotation? If so, it should be rotated when it reaches the value configured for Log Rotation Size Threshold under the Stats and Logs tab in WHM >> Tweak Settings.

Thank you.
 

panit

I'm sorry but I made a mistake with which log it is. The one I mentioned is under 300 MB and is listed in the WHM settings so that is working correctly. The one I meant is /var/lib/mysql/my server.com.err. That's why I mentioned the mysql errors. Is there a setting that controls that log file?
 

cPanelMichael

Hello @panit,

MySQL documents how to maintain the error log file at:

MySQL :: MySQL 5.7 Reference Manual :: 5.4.2.6 Error Log File Flushing and Renaming

Going forward, you can set up log rotation for MySQL by customizing the /etc/logrotate.d/mysql file:

Code:
# The log file name and location can be set in
# /etc/my.cnf by setting the "log-error" option
# in [mysqld]  section as follows:
#
# [mysqld]
# log-error=/var/log/mysqld.log
#
# For the mysqladmin commands below to work, root account
# password is required. Use mysql_config_editor(1) to store
# authentication credentials in the encrypted login path file
# ~/.mylogin.cnf
#
# Example usage:
#
#  mysql_config_editor set --login-path=client --user=root --host=localhost --password
#
# When these actions has been done, un-comment the following to
# enable rotation of mysqld's log error.
#

#/var/log/mysqld.log {
#        create 640 mysql mysql
#        notifempty
#        daily
#        rotate 5
#        missingok
#        compress
#    postrotate
#       # just if mysqld is really running
#       if test -x /usr/bin/mysqladmin && \
#          /usr/bin/mysqladmin ping &>/dev/null
#       then
#          /usr/bin/mysqladmin flush-logs
#       fi
#    endscript
#}

Let me know if you have any additional questions.

Thank you.
 

panit

Thank you for that. It has been done and appears to be working. But the log file is only a day old and is already at 3 MB. It is mainly due to entries with "Access denied for user...". Does that mean the server denied access because the IP is in the firewall's deny file or that access was denied because they were trying to access a non-existent location? If it is the former, is there a way to stop that being recorded? It doesn't serve any useful purpose that I can see and will make finding real failures more difficult.
 

cPanelMichael

Hello @panit,

That entry shouldn't relate to a firewall rule because a firewall rule would prevent access to MySQL altogether. Can you let us know the full line that's recorded in the MySQL error log as it pertains to "Access denied for user"?

Thank you.
 

panit

There are two forms of the messages. The first one, with that same IP, appears 790 times in the log for the last 24 hours. There are other entries of both types but with different IPs.

2018-11-05 11:58:52 139637214775040 [Warning] Access denied for user 'mysqld'@'222.186.46.180' (using password: YES)
2018-11-05 12:21:42 139637843568384 [Warning] Access denied for user 'root'@'142.252.248.76' (using password: NO)
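
An added example, not part of the original posts: a shell function that tallies the "Access denied" warnings by source address and user name, so repeated guessing from one host stands out in a large error log. The function names are hypothetical and the sample lines are constructed in the format quoted above, using documentation addresses.

```shell
#!/bin/sh
# Tally "Access denied" warnings in a MySQL/MariaDB error log.

# Print "<count> <ip> <user>" per (source IP, user) pair, busiest first.
denied_summary() {
    awk '
        /\[Warning\] Access denied for user / {
            # The account is logged as quoted user, "@", quoted host.
            n = split($0, q, "\047")          # \047 is the single quote
            if (n >= 5) count[q[4] " " q[2]]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Print "<ip> <total>" for sources with at least $2 denied attempts.
noisy_sources() {
    denied_summary "$1" | awk -v min="$2" '
        { total[$2] += $1 }
        END { for (ip in total) if (total[ip] >= min) print ip, total[ip] }
    ' | sort
}

# Constructed sample lines in the format quoted above (documentation IPs).
write_sample_log() {
    cat > "$1" <<'EOF'
2018-11-05 11:58:52 139637214775040 [Warning] Access denied for user 'mysqld'@'203.0.113.10' (using password: YES)
2018-11-05 11:58:53 139637214775040 [Warning] Access denied for user 'root'@'203.0.113.10' (using password: YES)
2018-11-05 11:58:54 139637214775040 [Warning] Access denied for user 'root'@'203.0.113.10' (using password: YES)
2018-11-05 12:21:42 139637843568384 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: NO)
2018-11-05 12:30:00 139637843568384 [Note] Server socket created on IP: '::'.
EOF
}

log=$(mktemp)
write_sample_log "$log"
denied_summary "$log"
noisy_sources "$log" 3
rm -f "$log"
```

On a real server, pass the path of the error log instead of the sample file; the second argument of `noisy_sources` is the minimum number of denied attempts to report.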
 

cPanelMichael

Hello @panit,

Do you have the MySQL port (3306) restricted with firewall rules? If not, you may want to use a firewall management utility such as CSF to do so:

ConfigServer Security & Firewall (csf)

With the default CSF firewall rules, MySQL will still function for local connections, but you will need to whitelist IP addresses for users that connect to their databases from external servers.

Thank you.
 

panit

I apologize for the delay. The reason for this post was because I needed to find attacking IPs. They have continued and the server has hung many times as a result. So I've been busy blocking IP ranges and it seems to have stopped them, for now at least.

CSF is installed but I have port 3306 open so it can be accessed from a program I use locally. There are also a few clients on the server that need such access. Since my IP, and those of the clients, are not static, I'm assuming there's no way to prevent these messages since the port is open. Is that correct?
 

GOT

Leaving port 3306 open in the firewall is almost certainly going to cause you problems; it's not advisable.

However, if you are seeing the attacks in the Apache logs, then that would not be related to the MySQL port being open.
 

panit

How does one close the port while allowing access from external programs? Or is that not possible?

If the errors are not related to that port, then how do I stop them?
 

GOT

If you close it in the firewall then you would need to whitelist IPs, but with changing IPs that gets to be a hassle. Some software allows you to use an SSH tunnel and if yours does then you could go that route instead. I would suggest changing the port that SSH listens on so that does not get attacked as well.

As for the attacks, you need to determine WHAT is being attacked first. You can do this by looking at the netstat output and seeing what ports are getting hammered.
 

panit

Thank you for the suggestions. I tried netstat but there is way too much displayed to try to figure out what is going on. I will just live with it. It is better than when I started this thread so that is good.

It would be nice, in my opinion, if cPanel had an option to prevent the showing of the access denied messages. If they are just showing that the connection was blocked, they don't seem to serve any purpose at all.
 

cPanelMichael

panit said:
CSF is installed but I have port 3306 open so it can be accessed from a program I use locally. There are also a few clients on the server that need such access. Since my IP, and those of the clients, are not static, I'm assuming there's no way to prevent these messages since the port is open. Is that correct?

Hello @panit,

When these users are making the remote connections to MySQL databases, are they first browsing to the Remote MySQL option in cPanel to grant remote access to their IP addresses? If so, you could develop a script that takes the IP address entered on this option and adds it to the CSF whitelist for port 3306. To do this, you'd create the custom script and configure it to run automatically via a hook every time a new IP address is authorized via the Remote MySQL option in cPanel:

Guide to Standardized Hooks - Developer Documentation - cPanel Documentation

The following location should be helpful if you are looking for a file to fetch the customer's IP address from in your custom bash script:

Code:
/var/cpanel/databases/grants_$username.yaml

Here's the specific UAPI call you'd hook into at the post stage:


Code:
Cpanel::UAPI::Mysql::add_host
Thank you.
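
A sketch of the core of such a hook script, added here as an example and not cPanel's or ConfigServer's own code: it validates the host value and appends a port-3306-only rule in CSF's advanced allow format. The function name and how the host value reaches the script are assumptions; Remote MySQL entries that contain % wildcards or host names are refused rather than translated.

```shell
#!/bin/sh
# Append a "MySQL only" allow rule for one IPv4 address to a csf.allow-style
# file. Rule format (CSF advanced allow filter): tcp|in|d=3306|s=<ip>
# Returns 0 if the rule is present afterwards, 1 if the host is rejected.
allow_mysql_host() {    # hypothetical helper name
    host=$1
    allow_file=$2       # /etc/csf/csf.allow on a CSF server

    # Accept only a plain dotted quad: no host names, no % wildcards.
    case $host in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $host
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac    # ambiguous leading zero
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done

    rule="tcp|in|d=3306|s=$host"
    # Idempotent: never write the same rule twice.
    if ! grep -qxF "$rule" "$allow_file" 2>/dev/null; then
        printf '# Remote MySQL host added by hook\n%s\n' "$rule" >> "$allow_file"
    fi
}

# Demonstration against a temporary file instead of the live allow list.
demo=$(mktemp)
allow_mysql_host 203.0.113.25 "$demo" && cat "$demo"
allow_mysql_host '192.168.%' "$demo" || echo "rejected: 192.168.%"
rm -f "$demo"
```

CSF only applies changes to its allow file after the rules are reloaded with `csf -r`.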