Limit server-wide access to error_log

David Colter (Active Member, cPanel Access Level: Root Administrator)
A VPS server was recently upgraded to EA4. I think this may have caused (among other issues) the error_log files to become visible with a browser.

I found the thread: how to limit access to error_log where Michael suggests 3 steps to apply a fix to all virtual hosts.

Unfortunately, step 1 fails on this VPS with:
Code:
cannot touch `/etc/apache2/conf.d/userdata/denyerrorlog.conf': No such file or directory

I would prefer to have this security in place for accounts added in the future. What is the solution?

David

cPanelLauren (Product Owner, Staff member)
Hi @David Colter

Actually, you shouldn't need to do this at all - the following directive should be present in the httpd.conf:

Code:
# Required cPanel security policy: Disallow remote access to .htaccess, .htpasswd, .user.ini, and php.ini files

<Files ~ "^error_log$">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

<FilesMatch "^(\.ht(access|passwds?)|\.user\.ini|php\.ini)$">
    Require all denied
</FilesMatch>
Can you confirm whether or not this exists on your server?

The reason the creation of the file failed is most likely because the /etc/apache2/conf.d/userdata/ directory doesn't exist, but as I mentioned before, the error_log should be denied already.

Thanks!
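The check Lauren asks for ("can you confirm whether or not this exists on your server?") is easy to get wrong by grepping httpd.conf alone, because a block placed in the pre-VirtualHost include is only referenced from httpd.conf, not copied into it. As an added example (my code, not from the thread or from cPanel), the bash script below walks httpd.conf and every file it pulls in via Include/IncludeOptional, and reports which file, if any, carries a <Files>/<FilesMatch> block for error_log with a deny directive (either the Order/Deny/Satisfy form cPanel ships or the 2.4 "Require all denied" form). The config tree it builds under a temp directory is a constructed stand-in for the thread's situation, not a real server; the ServerRoot of /etc/apache2 and the include path conf.d/includes/pre_virtualhost_global.conf are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread or cPanel): walk an Apache httpd.conf and
# every file it pulls in via Include/IncludeOptional, and report whether any of
# them carries a <Files>/<FilesMatch> block that denies access to error_log.
# Grepping httpd.conf alone misses a block that lives in an included file.

# Print $1 and, recursively, every file it Includes. Relative include paths
# are resolved against $2 (the ServerRoot, assumed to be /etc/apache2 on EA4).
expand_includes() {
    local f=$1 root=$2 inc pattern g d
    [ -r "$f" ] || return 0
    echo "$f"
    # Pull the argument of Include / IncludeOptional lines, quoted or not.
    sed -n 's/^[[:space:]]*Include\(Optional\)\{0,1\}[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\2/p' "$f" |
    while IFS= read -r inc; do
        case $inc in
            /*) pattern=$inc ;;
            *)  pattern=$root/$inc ;;
        esac
        # Unquoted expansion performs the glob, as Apache does for Include.
        for g in $pattern; do
            [ -e "$g" ] || continue
            if [ -d "$g" ]; then
                for d in "$g"/*; do expand_includes "$d" "$root"; done
            else
                expand_includes "$g" "$root"
            fi
        done
    done
}

# Print each config file that denies error_log and return 0; return 1 if none
# does. Matches the 2.2-style block cPanel ships (Order/Deny/Satisfy) and the
# 2.4-style "Require all denied". Directive matching is case-insensitive.
errorlog_is_denied() {
    local conf=$1 root=$2 f found=1
    [ -n "$root" ] || root=$(dirname "$(dirname "$conf")")
    for f in $(expand_includes "$conf" "$root" | sort -u); do
        if awk '
            { l = tolower($0) }
            l ~ /^[[:space:]]*<files(match)?[[:space:]]/ && l ~ /error_log/ { inblock = 1; next }
            inblock && l ~ /^[[:space:]]*<\/files(match)?>/                  { inblock = 0 }
            inblock && (l ~ /deny[[:space:]]+from[[:space:]]+all/ || l ~ /require[[:space:]]+all[[:space:]]+denied/) { hit = 1 }
            END { exit !hit }
        ' "$f"; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Constructed demo tree (not a real server): an httpd.conf that has only the
# .ht*/php.ini FilesMatch, plus an included pre-VirtualHost file carrying the
# error_log block, mirroring the thread. Include path is an assumption.
make_demo_tree() {
    local root=$1
    mkdir -p "$root/conf" "$root/conf.d/includes"
    cat > "$root/conf/httpd.conf" <<'EOF'
# Required cPanel security policy: Disallow remote access to .htaccess, .htpasswd, .user.ini, and php.ini files
<FilesMatch "^(\.ht(access|passwds?)|\.user\.ini|php\.ini)$">
    Require all denied
</FilesMatch>
Include "conf.d/includes/pre_virtualhost_global.conf"
EOF
    cat > "$root/conf.d/includes/pre_virtualhost_global.conf" <<'EOF'
<Files ~ "^error_log$">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
EOF
}

# Demonstration on the constructed tree.
demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
echo "grep of httpd.conf alone:"
grep -n 'error_log' "$demo_root/conf/httpd.conf" || echo "  (nothing: the block is not in httpd.conf itself)"
echo "walking Include files from httpd.conf:"
if errorlog_is_denied "$demo_root/conf/httpd.conf" "$demo_root"; then
    echo "  error_log is denied (the listed file carries the block)"
else
    echo "  WARNING: no error_log deny block found anywhere in the config tree"
fi
rm -rf "$demo_root"
```

On a real box, run `errorlog_is_denied /etc/apache2/conf/httpd.conf` as root; it prints the file that holds the block, or nothing and a non-zero exit if none does. This confirms only that the directive is present in the loaded config tree, not that it is effective: the Order/Deny form still needs mod_access_compat under Apache 2.4, so follow up with a request for /error_log against one of the virtual hosts and confirm you get a 403 rather than the file.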

David Colter
Thank you Lauren,

I looked into httpd.conf. Of all the above, the following lines are MISSING:
Code:
<Files ~ "^error_log$">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
What is the suggested way of having this directive added? Why would they be missing?

EDIT: I added this to the pre virtualhosts include in WHM. After restarting Apache, they were still not in httpd.conf.

David

cPanelLauren
Hi @David Colter

Adding this to the pre VirtualHost include wouldn't put it in httpd.conf; it would be in the include, and the include would be referenced.

If you rebuild the Apache conf with the steps below, is anything changed?

Code:
mv /etc/apache2/conf/httpd.conf{,.bk}
/scripts/rebuildhttpdconf
/scripts/restartsrv_httpd

David Colter
No change!!
Code:
[~]# mv /etc/apache2/conf/httpd.conf{,.bk}
[~]# /scripts/rebuildhttpdconf
Built /etc/apache2/conf/httpd.conf OK
[~]# /scripts/restartsrv_httpd
.... a load of messages, with over a dozen WARNINGS due to ModSecurity settings (example):
Code:
[Thu Jul 12 01:21:00.262971 2018] [:error] [pid 24452:tid 139695868544768] [client 47.90.92.121:56030] [client 47.90.92.121] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ^(?:\\\\w+\\\\/[\\\\w\\\\-\\\\.]+)(?:;(?:charset=[\\\\w\\\\-]{1,18}|boundary=[\\\\w\\\\-]+)?)?$" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/32_Apps_OtherApps.conf"] [line "4664"] [id "243930"] [rev "2"] [msg "COMODO WAF: Remote code execution in Apache Struts versions 2.3.31 - 2.3.5 and 2.5 - 2.5.10 (CVE-2017-5638)||xxx.xxx.14.171|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "xxx.xxx.14.171"] [uri "/indexAction.action"] [unique_id "W0blPMWRIVMijBwQRwrsKAAAANQ"]
(using a COMODO package due to limitations on a WordPress installation), regardless of whether run remotely or from WHM Terminal,

resulting in only the following being in httpd.conf:
Code:
# Required cPanel security policy: Disallow remote access to .htaccess, .htpasswd, .user.ini, and php.ini files

<FilesMatch "^(\.ht(access|passwds?)|\.user\.ini|php\.ini)$">
    Require all denied
</FilesMatch>
What now?