Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Idea: Mod_security logs for customers...

Discussion in 'Security' started by 4u123, Feb 26, 2008.

  1. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    847
    Likes Received:
    14
    Trophy Points:
    168
    I was chatting to a customer recently and she said that it would be great if she could get access to the mod_security log for her site. I explained that the log is simply a central one that can only be viewed by a server admin.

    We continued to discuss it and she convinced me that it would be very beneficial for customers to have access to the mod_security log entries that related to their domains. Not only for seeing when their sites are getting visits by hackers, but to see false positives and as a kind of pre-warning of possible vulnerable scripts.

    Being honest, we dont have time to keep a very close eye on the mods ecurity logs on all servers - there are too many. I think it would be great for our customers to have access to this info from cpanel.

    I guess it wouldnt be very difficult to do - simply run a script on a schedule that would pick out the log entries for each domain and copy them into an individual log file for that account - then have a log viewer in cpanel available for them to read the entries.

    Simple to acheive yet also beneficial for customers and a good selling point too!

    If anyone is capable of writing a small module like this I'd be very interested in contributing.
     
    #1 4u123, Feb 26, 2008
  2. LinuxStandard

    LinuxStandard Active Member

    Joined:
    Jan 22, 2008
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    51
    That is a very interesting idea and it might be possible in newer versions of mod_security. The downside of that is it would only be compatible with Apache 2.x+ and only in versions of mod_security 2.5+.
     
    #2 LinuxStandard, Feb 26, 2008
  3. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    716
    Likes Received:
    8
    Trophy Points:
    243
    All it'd need to do is query the modsec database for the 'host' column (Host: header in modsec1, Host in section "b" of modsec2)

    That'd work with any version of mod sec and require no handling of the log file itself.

    The trick would be to make sure a cpanel user had no way to add or change data or view domains that were not theirs. (E.g one way would be a cronjob to copy entries in modsec that belonged to the user to user_modsec, then a UI in cPanel to view that database like in WHM)
     
    #3 cPDan, Feb 26, 2008
  4. katmai

    katmai Well-Known Member

    Joined:
    Mar 13, 2006
    Messages:
    537
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Brno, Czech Republic
    it can be done by creating a username with read access, and with host access for the db, with no password.

    there should be no downsides to this. i am using the setup on some servers i got.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 katmai, Feb 26, 2008
  5. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    716
    Likes Received:
    8
    Trophy Points:
    243
    This was sent to me, but then removed?

    It may be somethign some might wonder about:

    cPanel already parses, inserts into the database, and rotates the modsec log, so none of that would be necessary. Its pretty complex, especially modsec 2 so I don't recommend reinventing that wheel :)

    All you need is to provide access to the data you want a userto have access to.

    I could see user's being upset if someone else could see their data since it might give away private information.
     
    #5 cPDan, Feb 26, 2008
  6. budway

    budway Well-Known Member

    Joined:
    Apr 16, 2003
    Messages:
    189
    Likes Received:
    0
    Trophy Points:
    166
    I must say this is very point-less.

    It's like displaying each rejected connection on exim due to remote-ip been blacklist.

    The mod security configuration it's done for all domains and not for each that way there will be no gain in her looking at the logs.

    This is not similar to the 404 error logs

    If this was enable per reseller I cold see a reason but for end-user no.
    (but I really think this will add to wasted cpu resources)
     
    #6 budway, Feb 26, 2008
  7. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    716
    Likes Received:
    8
    Trophy Points:
    243
    That is a good point, the data isn't very useful to the end user. I can think of one case where it'd be useful:

    If they have 'superapp' installed on their site and all of a sudden there are lots of rejected requests because its URL format is seen by a rule as bad.

    The more I think about it though, if I was concerned with that on my site, I'd setup an ErrorDocument for 406's...

    Since its already parsed into MySQL it'd be pretty trivial CPU-wise but yes spending resources on basically useless data is kind of a waste :)
     
    #7 cPDan, Feb 26, 2008
  8. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    769
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    /dev/null
    my opinion is that NOBODY except internal staff should have access to your modsec ruleset information, as if it ends up in the wrong persons lap, they willl find a way to bypass the rules from the information they have on previous blocked requests.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 nickp666, Feb 27, 2008
(You must log in or sign up to post here.)
Loading...
Similar Threads - Idea Mod_security logs
  1. David Colter

    Is having a root .my.cnf file a bad idea?

    David Colter, Nov 16, 2018, in forum: Database Discussion
    Replies:
    2
    Views:
    129
    cPanelMichael
    Nov 16, 2018
  2. Reado

    Website optimised for HTTP 2.0, not 1.1 - Bad idea?

    Reado, Oct 5, 2018, in forum: Workarounds and Optimization
    Replies:
    2
    Views:
    157
    cPanelLauren
    Oct 9, 2018
  3. Jangan

    SpamAssassin Ideal Score Settings?

    Jangan, Jun 24, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    590
    cPanelLauren
    Jun 25, 2018
  4. Gojko

    HTTPD conflict with mod_security?

    Gojko, Nov 20, 2018, in forum: EasyApache
    Replies:
    2
    Views:
    137
    rpvw
    Nov 21, 2018
  5. subtopic

    OWASP mod_security breaking Wordpress page save

    subtopic, Sep 18, 2018, in forum: Security
    Replies:
    4
    Views:
    273
    subtopic
    Sep 20, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice