Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Idea: Mod_security logs for customers...

Discussion in 'Security' started by 4u123, Feb 26, 2008.

  1. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    832
    Likes Received:
    12
    Trophy Points:
    168
    I was chatting to a customer recently and she said that it would be great if she could get access to the mod_security log for her site. I explained that the log is simply a central one that can only be viewed by a server admin.

    We continued to discuss it and she convinced me that it would be very beneficial for customers to have access to the mod_security log entries that related to their domains. Not only for seeing when their sites are getting visits by hackers, but to see false positives and as a kind of pre-warning of possible vulnerable scripts.

    Being honest, we dont have time to keep a very close eye on the mods ecurity logs on all servers - there are too many. I think it would be great for our customers to have access to this info from cpanel.

    I guess it wouldnt be very difficult to do - simply run a script on a schedule that would pick out the log entries for each domain and copy them into an individual log file for that account - then have a log viewer in cpanel available for them to read the entries.

    Simple to acheive yet also beneficial for customers and a good selling point too!

    If anyone is capable of writing a small module like this I'd be very interested in contributing.
     
    #1 4u123, Feb 26, 2008
  2. LinuxStandard

    LinuxStandard Active Member

    Joined:
    Jan 22, 2008
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    51
    That is a very interesting idea and it might be possible in newer versions of mod_security. The downside of that is it would only be compatible with Apache 2.x+ and only in versions of mod_security 2.5+.
     
    #2 LinuxStandard, Feb 26, 2008
  3. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    715
    Likes Received:
    5
    Trophy Points:
    243
    All it'd need to do is query the modsec database for the 'host' column (Host: header in modsec1, Host in section "b" of modsec2)

    That'd work with any version of mod sec and require no handling of the log file itself.

    The trick would be to make sure a cpanel user had no way to add or change data or view domains that were not theirs. (E.g one way would be a cronjob to copy entries in modsec that belonged to the user to user_modsec, then a UI in cPanel to view that database like in WHM)
     
    #3 cPDan, Feb 26, 2008
  4. katmai

    katmai Well-Known Member

    Joined:
    Mar 13, 2006
    Messages:
    531
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brno, Czech Republic
    it can be done by creating a username with read access, and with host access for the db, with no password.

    there should be no downsides to this. i am using the setup on some servers i got.
     
    #4 katmai, Feb 26, 2008
  5. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    715
    Likes Received:
    5
    Trophy Points:
    243
    This was sent to me, but then removed?

    It may be somethign some might wonder about:

    cPanel already parses, inserts into the database, and rotates the modsec log, so none of that would be necessary. Its pretty complex, especially modsec 2 so I don't recommend reinventing that wheel :)

    All you need is to provide access to the data you want a userto have access to.

    I could see user's being upset if someone else could see their data since it might give away private information.
     
    #5 cPDan, Feb 26, 2008
  6. budway

    budway Well-Known Member

    Joined:
    Apr 16, 2003
    Messages:
    189
    Likes Received:
    0
    Trophy Points:
    166
    I must say this is very point-less.

    It's like displaying each rejected connection on exim due to remote-ip been blacklist.

    The mod security configuration it's done for all domains and not for each that way there will be no gain in her looking at the logs.

    This is not similar to the 404 error logs

    If this was enable per reseller I cold see a reason but for end-user no.
    (but I really think this will add to wasted cpu resources)
     
    #6 budway, Feb 26, 2008
  7. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    715
    Likes Received:
    5
    Trophy Points:
    243
    That is a good point, the data isn't very useful to the end user. I can think of one case where it'd be useful:

    If they have 'superapp' installed on their site and all of a sudden there are lots of rejected requests because its URL format is seen by a rule as bad.

    The more I think about it though, if I was concerned with that on my site, I'd setup an ErrorDocument for 406's...

    Since its already parsed into MySQL it'd be pretty trivial CPU-wise but yes spending resources on basically useless data is kind of a waste :)
     
    #7 cPDan, Feb 26, 2008
  8. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    /dev/null
    my opinion is that NOBODY except internal staff should have access to your modsec ruleset information, as if it ends up in the wrong persons lap, they willl find a way to bypass the rules from the information they have on previous blocked requests.
     
    #8 nickp666, Feb 27, 2008
(You must log in or sign up to post here.)
Loading...
Similar Threads - Idea Mod_security logs
  1. L.V

    CentOS 5 to 7 upgrade/migration best practices, ideas

    L.V, Oct 8, 2016, in forum: General Discussion
    Replies:
    1
    Views:
    3,356
    cPanelMichael
    Oct 11, 2016
  2. PabloC

    Problem with mod_security - can't edit WP's posts, get 404

    PabloC, Feb 26, 2018, in forum: Security
    Replies:
    3
    Views:
    120
    Infopro
    Feb 27, 2018
  3. doktorrr

    Mod_security geoip rule doesn't work

    doktorrr, Feb 26, 2018, in forum: Security
    Replies:
    9
    Views:
    138
    cPanelMichael
    Feb 27, 2018
  4. feldon27

    Mod_Security DBM Question in 2018

    feldon27, Feb 5, 2018, in forum: Security
    Replies:
    5
    Views:
    187
    cPanelMichael
    Mar 19, 2018
  5. electric

    Let customers view and whitelist mod_security rules?

    electric, Aug 26, 2017, in forum: Security
    Replies:
    2
    Views:
    462
    cPanelMichael
    Aug 28, 2017

Share This Page