Idea: Mod_security logs for customers...

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
I was chatting to a customer recently and she said that it would be great if she could get access to the mod_security log for her site. I explained that the log is simply a central one that can only be viewed by a server admin.

We continued to discuss it and she convinced me that it would be very beneficial for customers to have access to the mod_security log entries that related to their domains. Not only for seeing when their sites are getting visits by hackers, but to see false positives and as a kind of pre-warning of possible vulnerable scripts.

Being honest, we don't have time to keep a very close eye on the mod_security logs on all servers - there are too many. I think it would be great for our customers to have access to this info from cPanel.

I guess it wouldn't be very difficult to do - simply run a script on a schedule that would pick out the log entries for each domain and copy them into an individual log file for that account - then have a log viewer in cPanel available for them to read the entries.

Simple to achieve yet also beneficial for customers and a good selling point too!

If anyone is capable of writing a small module like this I'd be very interested in contributing.

LinuxStandard

Active Member
Jan 22, 2008
That is a very interesting idea and it might be possible in newer versions of mod_security. The downside of that is it would only be compatible with Apache 2.x+ and only in versions of mod_security 2.5+.

cPDan

cPanel Staff
Mar 9, 2004
All it'd need to do is query the modsec database for the 'host' column (Host: header in modsec1, Host in section "b" of modsec2)

That'd work with any version of mod sec and require no handling of the log file itself.

The trick would be to make sure a cPanel user had no way to add or change data, or view domains that were not theirs. (E.g. one way would be a cronjob to copy entries in modsec that belonged to the user to user_modsec, then a UI in cPanel to view that database like in WHM.)

katmai

Well-Known Member
Mar 13, 2006
Brno, Czech Republic
It can be done by creating a username with read access, and with host access for the DB, with no password.

There should be no downsides to this. I am using the setup on some servers I've got.

cPDan

cPanel Staff
Mar 9, 2004
This was sent to me, but then removed?

It may be something some might wonder about:

It's possible in any version, but it would need to be determined which version was in use.

All you'd have to do is compare the domain in the log with the cpanel user files in /var/cpanel/users to see who was the domain owner - then copy the log entry into the corresponding file for that user.

In modsec 1 each log entry starts with "==xxxxxxxx==============================" where "xxxxxxxx" is a unique identifier, so it would be easy to distinguish between each entry.

In modsec 2 the start and end is slightly different, "--xxxxxxxx-X--", but in both, the start and end of the entry contain a unique matching ID - so the entry can always be determined by comparing matching IDs.

In both versions, there is a "Host" field that can be used to determine the account owner from the cpanel users files.

A simple Perl script could determine the start and end of each log entry, pick out the Host field, locate the cpanel user and copy the entry into the users own log file.

I'm guessing the script would need to save the date and time of the last entry it processed into a file so it could pick up where it left off? Otherwise it might duplicate entries if the audit log wasn't cleared before the script ran again.
cPanel already parses, inserts into the database, and rotates the modsec log, so none of that would be necessary. It's pretty complex, especially modsec 2, so I don't recommend reinventing that wheel :)

All you need is to provide access to the data you want a user to have access to.

I could see users being upset if someone else could see their data, since it might give away private information.
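The splitting and Host-to-owner mapping described in the quoted text above, as an added example. This is not code from the thread or from cPanel, and it is written in Python rather than the Perl the quote mentions. It handles only the ModSecurity 2.x serial audit-log format ("--id-X--" boundaries, with the Host header in section B); the domain-to-user map is a constructed stand-in for reading /var/cpanel/users, the usernames and log lines are constructed, and the function names are the example's own. Two points the quote raises are handled explicitly: the function returns the offset just past the last complete entry so a scheduled run can resume without duplicating entries, and, because the Host header is client supplied, an entry is assigned to an account only on an exact match against a known domain; anything else goes to an "unassigned" bucket rather than to some user's file.

```python
import re
from collections import defaultdict

# Constructed domain -> cPanel user map. The quoted post derives this from the
# files in /var/cpanel/users; the domains and usernames here are invented.
DOMAIN_OWNERS = {
    "example.com": "examp01",
    "www.example.com": "examp01",
    "shop.example.net": "shop01",
}

# ModSecurity 2.x serial audit-log boundary: "--<id>-<section letter>--".
# All sections of one transaction share the id; A opens it and Z closes it.
BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--[ \t]*$", re.M)

# Shape a Host value must have before we look it up. Host: is attacker controlled,
# so anything odd is treated as unknown instead of being matched loosely.
HOSTNAME = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def split_entries(text):
    """Split serial audit-log text into complete transactions.

    Returns (entries, consumed): entries is a list of {"id": ..., "sections": {letter: body}};
    consumed is the offset just past the last Z boundary. Persist consumed and seek to it on
    the next run so no entry is processed twice. A trailing entry with no Z yet is left
    for the next run rather than emitted half-written.
    """
    entries, consumed = [], 0
    current, sections, last_pos, last_letter = None, {}, None, None
    for m in BOUNDARY.finditer(text):
        ident, letter = m.group(1), m.group(2)
        if current is not None and last_pos is not None:
            # Text between the previous boundary and this one is the previous section's body.
            sections[last_letter] = text[last_pos:m.start()].strip("\n")
        if letter == "A":
            current, sections = ident, {}          # new transaction (drops any unclosed one)
        elif current is None or ident != current:
            current, sections, last_pos = None, {}, None   # stray section, ignore it
            continue
        last_pos, last_letter = m.end(), letter
        if letter == "Z":
            entries.append({"id": current, "sections": sections})
            consumed = m.end()
            current, sections, last_pos = None, {}, None
    return entries, consumed


def host_of(entry):
    """Return the normalised Host header from section B, or None if absent or malformed."""
    for line in entry["sections"].get("B", "").splitlines()[1:]:   # line 0 is the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower().split(":", 1)[0]          # drop any :port
            return host if HOSTNAME.match(host) else None
    return None


def bucket_by_owner(text, owners=DOMAIN_OWNERS):
    """Group complete entries by the account owning their Host; unknown hosts go to 'unassigned'."""
    entries, consumed = split_entries(text)
    buckets = defaultdict(list)
    for entry in entries:
        host = host_of(entry)
        user = owners.get(host, "unassigned") if host else "unassigned"   # exact match only
        buckets[user].append(entry)
    return dict(buckets), consumed


# Constructed sample log: two good entries, one with a hostile Host value, and one
# transaction that has not been closed yet (no Z section).
SAMPLE_LOG = """--1a2b3c4d-A--
[10/Feb/2008:10:15:01 +0000] R0b1Z8CoBAEAAGt2AbkAAAAB 198.51.100.7 51234 203.0.113.10 80
--1a2b3c4d-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.com
User-Agent: constructed-example
--1a2b3c4d-H--
Message: Access denied with code 406 (phase 2). [msg "constructed example"]
--1a2b3c4d-Z--

--5e6f7a8b-A--
[10/Feb/2008:10:15:02 +0000] R0b1ZsCoBAEAAGt2AboAAAAC 198.51.100.7 51235 203.0.113.10 80
--5e6f7a8b-B--
GET /cart.php HTTP/1.1
Host: shop.example.net:80
--5e6f7a8b-H--
Message: Warning. [msg "constructed example"]
--5e6f7a8b-Z--

--9c0d1e2f-A--
[10/Feb/2008:10:15:03 +0000] R0b1Z8CoBAEAAGt2AbsAAAAD 198.51.100.9 51236 203.0.113.10 80
--9c0d1e2f-B--
GET / HTTP/1.1
Host: ../../example.com
--9c0d1e2f-Z--

--3f4a5b6c-A--
[10/Feb/2008:10:15:04 +0000] R0b1aMCoBAEAAGt2AbwAAAAE 198.51.100.9 51237 203.0.113.10 80
--3f4a5b6c-B--
GET /late.php HTTP/1.1
Host: example.com
"""

if __name__ == "__main__":
    buckets, consumed = bucket_by_owner(SAMPLE_LOG)
    for user, entries in sorted(buckets.items()):
        print(user, [e["id"] for e in entries])
    print("resume at offset", consumed)
```

In a scheduled job the caller would store the returned offset and reset it to zero whenever the audit log is rotated; per-user output files would then receive only the entries in that user's bucket, and the "unassigned" bucket stays with the server admin.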

budway

Well-Known Member
Apr 16, 2003
I must say this is very pointless.

It's like displaying each rejected connection on Exim due to the remote IP being blacklisted.

The mod_security configuration is done for all domains and not for each one, so there will be no gain in her looking at the logs.

This is not similar to the 404 error logs.

If this was enabled per reseller I could see a reason, but for end users no.
(But I really think this will add to wasted CPU resources.)

cPDan

cPanel Staff
Mar 9, 2004
budway said:
I must say this is very pointless.

It's like displaying each rejected connection on Exim due to the remote IP being blacklisted.

The mod_security configuration is done for all domains and not for each one, so there will be no gain in her looking at the logs.

This is not similar to the 404 error logs.

If this was enabled per reseller I could see a reason, but for end users no.
That is a good point, the data isn't very useful to the end user. I can think of one case where it'd be useful:

If they have 'superapp' installed on their site and all of a sudden there are lots of rejected requests because its URL format is seen by a rule as bad.

The more I think about it though, if I was concerned with that on my site, I'd set up an ErrorDocument for 406s...

budway said:
(But I really think this will add to wasted CPU resources.)
Since it's already parsed into MySQL it'd be pretty trivial CPU-wise, but yes, spending resources on basically useless data is kind of a waste :)