
Idea: Mod_security logs for customers...

Discussion in 'Security' started by 4u123, Feb 26, 2008.

  1. 4u123

    4u123 Well-Known Member
    PartnerNOC

    I was chatting to a customer recently and she said that it would be great if she could get access to the mod_security log for her site. I explained that the log is simply a central one that can only be viewed by a server admin.

    We continued to discuss it and she convinced me that it would be very beneficial for customers to have access to the mod_security log entries that related to their domains. Not only for seeing when their sites are getting visits by hackers, but to see false positives and as a kind of pre-warning of possible vulnerable scripts.

    Being honest, we don't have time to keep a very close eye on the mod_security logs on all servers - there are too many. I think it would be great for our customers to have access to this info from cPanel.

    I guess it wouldn't be very difficult to do - simply run a script on a schedule that would pick out the log entries for each domain and copy them into an individual log file for that account - then have a log viewer in cPanel available for them to read the entries.

    Simple to achieve yet also beneficial for customers and a good selling point too!

    If anyone is capable of writing a small module like this I'd be very interested in contributing.
     
  2. LinuxStandard

    LinuxStandard Active Member

    That is a very interesting idea and it might be possible in newer versions of mod_security. The downside of that is it would only be compatible with Apache 2.x+ and only in versions of mod_security 2.5+.
     
  3. cPDan

    cPDan cPanel Staff
    Staff Member

    All it'd need to do is query the modsec database for the 'host' column (Host: header in modsec1, Host in section "b" of modsec2)

    That'd work with any version of mod sec and require no handling of the log file itself.

    The trick would be to make sure a cPanel user had no way to add or change data or view domains that were not theirs. (E.g., one way would be a cronjob to copy entries in modsec that belonged to the user to user_modsec, then a UI in cPanel to view that database like in WHM)
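
An added example, not part of the original post and not cPanel's code: a sketch of the copy step described above, showing how rows can be assigned to accounts by whole-label host matching so that look-alike domains and unowned hosts never reach a user's view. SQLite stands in for the MySQL database; every table layout and name other than the `host` column and `user_modsec`, the single shared table with an `owner` column, and the domain-to-account map are assumptions.

```python
import sqlite3

# Constructed sample data; only the `host` column name comes from the thread.
OWNERS = {"example.com": "alice", "shop.test": "bob"}
ROWS = [
    (1, "example.com", "/wp-login.php"),
    (2, "Blog.Example.com:443", "/?id=1'"),
    (3, "notexample.com", "/admin"),      # look-alike suffix, not alice's
    (4, "shop.test.", "/cart?x=<script>"),
    (5, "203.0.113.9", "/phpmyadmin"),    # bare IP, belongs to no account
]

def normalize_host(host):
    """Lower-case, drop a :port suffix and a trailing dot."""
    host = (host or "").strip().lower()
    if host.count(":") == 1:              # leave IPv6 literals alone
        host = host.split(":")[0]
    return host.rstrip(".")

def owner_of(host, owners):
    """Match whole DNS labels only (assumes subdomains belong to the parent's owner)."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        user = owners.get(".".join(labels[i:]))
        if user:
            return user
    return None

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modsec (id INTEGER PRIMARY KEY, host TEXT, uri TEXT)")
    conn.execute("CREATE TABLE user_modsec "
                 "(id INTEGER PRIMARY KEY, owner TEXT, host TEXT, uri TEXT)")
    conn.executemany("INSERT INTO modsec VALUES (?, ?, ?)", ROWS)
    return conn

def copy_entries(conn, owners):
    """The scheduled step: copy only rows whose host maps to an account."""
    rows = conn.execute("SELECT id, host, uri FROM modsec").fetchall()
    for rid, host, uri in rows:
        user = owner_of(host, owners)
        if user:                          # unowned hosts are never copied
            conn.execute("INSERT OR IGNORE INTO user_modsec VALUES (?, ?, ?, ?)",
                         (rid, user, normalize_host(host), uri))
    conn.commit()

def view_for(conn, user):
    """What a per-account viewer reads; the owner is bound as a parameter."""
    return conn.execute("SELECT id, host FROM user_modsec WHERE owner = ? ORDER BY id",
                        (user,)).fetchall()
```

The viewer only ever needs read access to `user_modsec`, and the account name should come from the authenticated session rather than from anything in the request.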
     
  4. katmai

    katmai Well-Known Member

    It can be done by creating a username with read access, and with host access for the db, with no password.

    There should be no downsides to this. I am using the setup on some servers I got.
     
  5. cPDan

    cPDan cPanel Staff
    Staff Member

    This was sent to me, but then removed?

    It may be something some might wonder about:

    cPanel already parses, inserts into the database, and rotates the modsec log, so none of that would be necessary. It's pretty complex, especially modsec 2 so I don't recommend reinventing that wheel :)

    All you need is to provide access to the data you want a user to have access to.

    I could see users being upset if someone else could see their data since it might give away private information.
     
  6. budway

    budway Well-Known Member

    I must say this is very pointless.

    It's like displaying each rejected connection on exim due to the remote IP being blacklisted.

    The mod_security configuration is done for all domains and not for each; that way there will be no gain in her looking at the logs.

    This is not similar to the 404 error logs.

    If this was enabled per reseller I could see a reason, but for end users no.
    (but I really think this will add to wasted CPU resources)
     
  7. cPDan

    cPDan cPanel Staff
    Staff Member

    That is a good point, the data isn't very useful to the end user. I can think of one case where it'd be useful:

    If they have 'superapp' installed on their site and all of a sudden there are lots of rejected requests because its URL format is seen by a rule as bad.

    The more I think about it though, if I was concerned with that on my site, I'd set up an ErrorDocument for 406's...

    Since it's already parsed into MySQL it'd be pretty trivial CPU-wise but yes spending resources on basically useless data is kind of a waste :)
     
  8. nickp666

    nickp666 Well-Known Member

    My opinion is that NOBODY except internal staff should have access to your modsec ruleset information, as if it ends up in the wrong person's lap, they will find a way to bypass the rules from the information they have on previous blocked requests.
     