Limit server-wide access to error_log

Discussion in 'Security' started by David Colter, Jul 11, 2018.

  1. David Colter

    David Colter Member

    Joined:
    Jun 30, 2016
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    A VPS server was recently upgraded to EA4. I think this may have caused (among other issues) the error_log files to become visible with a browser.

    I found the thread: how to limit access to error_log where Michael suggests 3 steps to apply a fix to all virtual hosts.

    Unfortunately, step 1 fails on this vps with:

    cannot touch `/etc/apache2/conf.d/userdata/denyerrorlog.conf': No such file or directory

    I would prefer to have this security in place for accounts added in the future. What is the solution?

    David
     
    #1 David Colter, Jul 11, 2018
    Last edited: Jul 11, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,814
    Likes Received:
    133
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @David Colter

    Actually, you shouldn't need to do this at all - the following directive should be present in the httpd.conf:

    Code:
    # Required cPanel security policy: Disallow remote access to .htaccess, .htpasswd, .user.ini, and php.ini files
    
    <Files ~ "^error_log$">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
    
    <FilesMatch "^(\.ht(access|passwds?)|\.user\.ini|php\.ini)$">
        Require all denied
    </FilesMatch>
    Can you confirm whether or not this exists on your server?

    The reason the creation of the file failed is most likely because the /etc/apache2/conf.d/userdata/ directory doesn't exist, but as I mentioned before, the error_log should be denied already.

    Thanks!
     
  3. David Colter

    Thank you Lauren,

    I looked into httpd.conf. The following lines of all the above are MISSING:
    Code:
    <Files ~ "^error_log$">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
    
    What is the suggested way of having this directive added? Why would they be missing?

    EDIT: I added this to the pre virtualhosts include in WHM. After restarting Apache, they were still not in httpd.conf.

    David
     
    #3 David Colter, Jul 11, 2018
    Last edited: Jul 11, 2018
  4. cPanelLauren

    Hi @David Colter

    Adding this to the pre VirtualHost include wouldn't be in the httpd.conf; it would be in the include, and the include would be referenced.

    If you rebuild the Apache conf with the steps below, is anything changed?

    Code:
    mv /etc/apache2/conf/httpd.conf{,.bk}
    /scripts/rebuildhttpdconf
    /scripts/restartsrv_httpd
     
  5. David Colter

    No change!!
    Code:
    root@vps [~]# mv /etc/apache2/conf/httpd.conf{,.bk}
    
    root@vps [~]# /scripts/rebuildhttpdconf
    
    Built /etc/apache2/conf/httpd.conf OK
    
    root@vps [~]# /scripts/restartsrv_httpd
    
    .... a load of messages, with over a dozen WARNINGS due to ModSecurity settings. (example)
    
         [Thu Jul 12 01:21:00.262971 2018] [:error] [pid 24452:tid 139695868544768] [client 47.90.92.121:56030] [client 47.90.92.121] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ^(?:\\\\w+\\\\/[\\\\w\\\\-\\\\.]+)(?:;(?:charset=[\\\\w\\\\-]{1,18}|boundary=[\\\\w\\\\-]+)?)?$" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/32_Apps_OtherApps.conf"] [line "4664"] [id "243930"] [rev "2"] [msg "COMODO WAF: Remote code execution in Apache Struts versions 2.3.31 - 2.3.5 and 2.5 - 2.5.10 (CVE-2017-5638)||xxx.xxx.14.171|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "xxx.xxx.14.171"] [uri "/indexAction.action"] [unique_id "W0blPMWRIVMijBwQRwrsKAAAANQ"]
    
    
    (using a COMODO package due to limitations on a WordPress installation)
    regardless of remote or from WHM Terminal

    resulting in only the following being in httpd.conf:
    Code:
    # Required cPanel security policy: Disallow remote access to .htaccess, .htpasswd, .user.ini, and php.ini files
    
    <FilesMatch "^(\.ht(access|passwds?)|\.user\.ini|php\.ini)$">
        Require all denied
    </FilesMatch>
    
    What now?
     
    #5 David Colter, Jul 12, 2018
    Last edited: Jul 12, 2018
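
The thread looks for the error_log rule in httpd.conf while the rule may instead live in an include file. The script below is an added example, not part of any post above and not cPanel tooling: it scans every *.conf file under a directory for a Files or FilesMatch block that names error_log and denies access, in either the 2.2 or the 2.4 syntax. The function names, the script name and the sample URL are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Static text scan only: a hit shows the
# block exists in a file, not that Apache actually Includes that file.

# find_error_log_deny ROOT
#   Prints "file:line" for every <Files>/<FilesMatch> block under ROOT whose
#   pattern names error_log and whose body denies access, in either the
#   2.2 syntax (Deny from all) or the 2.4 syntax (Require all denied).
#   Returns 0 if at least one block was found, 1 otherwise.
find_error_log_deny() {
    out=$(find "$1" -type f -name '*.conf' -exec awk '
        FNR == 1   { inblk = 0 }            # reset state at each new file
        /^[ \t]*#/ { next }                 # skip commented-out directives
                   { l = tolower($0) }      # directive names ignore case
        l ~ /^[ \t]*<files(match)?[ \t]/ {
            inblk = (l ~ /error_log/); start = FNR; next
        }
        l ~ /^[ \t]*<\/files(match)?>/ { inblk = 0; next }
        inblk && (l ~ /^[ \t]*require[ \t]+all[ \t]+denied/ ||
                  l ~ /^[ \t]*deny[ \t]+from[ \t]+all/) {
            print FILENAME ":" start; inblk = 0
        }
    ' {} +)
    [ -n "$out" ] && printf '%s\n' "$out"
}

# probe_error_log BASE_URL
#   Prints the HTTP status returned for BASE_URL/error_log; 403 is expected
#   once the rule is in effect. BASE_URL is one of your own sites.
probe_error_log() {
    curl -s -o /dev/null -w '%{http_code}\n' "$1/error_log"
}

# Usage: script.sh /etc/apache2 [https://your-site.example]
if [ "$#" -gt 0 ]; then
    find_error_log_deny "$1" || echo "no error_log deny block under $1"
    if [ -n "${2:-}" ]; then probe_error_log "$2"; fi
fi
```

A hit in the scan only shows that the block is written down somewhere; the HTTP probe is what confirms the running server enforces it.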