jeffschips

Well-Known Member
Jun 5, 2016
cPanel Access Level
Root Administrator
Hello. In my attempt to track down a malicious IP address attacking the server I've been looking at logs. Not only can I not find the malicious IP address in any logs (I know it was attacking because a different service has logged it in its application and it shows in that database, albeit without any of the commands or paths used), but in the process of searching I found that my modsec_audit directory is empty. See the commands below:

Code:
[[email protected] logs]# cd modsec_audit
[[email protected] modsec_audit]# ls
nobody
[[email protected] modsec_audit]# cd nobody
[[email protected] nobody]# ls
[[email protected] nobody]# ls -la
total 8
drwxr-x---. 2 nobody nobody 4096 May 22 09:27 .
drwx-wx-wt. 3 root   root   4096 Jun  1 22:09 ..
[[email protected] nobody]#
Notice the June 1 entry as root root. Is that normal?

Running grep skipmodseclog /var/cpanel/cpanel.config shows:
Code:
skipmodseclog=0
Running grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5 shows:

Code:
[[email protected] nobody]# grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log (size:816978) to 816978 (requested 816978)
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Will resume /etc/apache2/logs/modsec_audit.log to 816978
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Reading back thirty lines of /etc/apache2/logs/modsec_audit.log starting at 800594
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Restoring /etc/apache2/logs/modsec_audit.log to catch up position 816978
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log to position 816978
Should nobody be root? Any solutions to an empty modsec_audit file?

And finally, if my other application shows the offending IP address (Google Cloud Platform repeat offender) but I can't find cPanel logs showing the actual activity in either /home/xxxxxx/logs or /var/log/apache2/domlogs, I would think that warrants further investigation. No?
 
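An added example, not part of the post or of cPanel's own tooling: a POSIX shell function that searches the log locations the post names (domlogs, /home/<user>/logs and the ModSecurity audit log) for one IP address, including rotated .gz archives, so a "missing" hit is not just a rotated file being skipped. The directory names, file names and the 203.0.113.x address used in the demo are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: look for one IP address in every current
# and rotated (.gz) log file under the given directories. The paths in the
# comments are the cPanel locations discussed in the post; the IP in the demo
# is a constructed TEST-NET address, not a real offender.

# Usage: search_ip_in_logs IP DIR...   (prints "file:line" for each hit;
# returns 0 if anything matched, 1 if nothing did)
search_ip_in_logs() {
  ip="$1"; shift
  # Escape the dots so 203.0.113.7 cannot match 203a0b113c7, and rely on
  # grep -w so it cannot match the longer 203.0.113.77 either.
  pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
  hits=$(
    for dir in "$@"; do
      [ -d "$dir" ] || continue
      # live logs, e.g. /var/log/apache2/domlogs/<domain>, /etc/apache2/logs/modsec_audit.log
      find "$dir" -type f ! -name '*.gz' -exec grep -Hw -- "$pat" {} + 2>/dev/null || :
      # rotated archives, e.g. /var/log/apache2/domlogs/<domain>-<Mon>-<year>.gz
      find "$dir" -type f -name '*.gz' 2>/dev/null | while IFS= read -r f; do
        gzip -dc "$f" | grep -w -- "$pat" | sed "s|^|$f:|"
      done
    done
  )
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# Usage: count_ip_hits IP DIR...   (number of matching lines, 0 when none)
count_ip_hits() {
  search_ip_in_logs "$@" | grep -c . || true
}

# Demo on constructed data so it runs offline. On a real server pass
# /var/log/apache2/domlogs /home/*/logs /etc/apache2/logs as the directories.
demo_ip_search() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/domlogs" "$tmp/archive"
  printf '203.0.113.7 - - [01/Jun/2021:22:09:01 -0400] "GET /wp-login.php HTTP/1.1" 200 1234\n' > "$tmp/domlogs/example.com"
  printf '203.0.113.77 - - [01/Jun/2021:22:10:00 -0400] "GET / HTTP/1.1" 200 10\n' >> "$tmp/domlogs/example.com"
  printf '[01/Jun/2021:22:09:01 -0400] abc123 203.0.113.7 51000 198.51.100.2 80\n' | gzip > "$tmp/archive/example.com-Jun-2021.gz"
  count_ip_hits 203.0.113.7 "$tmp/domlogs" "$tmp/archive"   # prints 2: one live line, one archived line
  rm -rf "$tmp"
}

demo_ip_search
```

The audit log tailwatchd reports (/etc/apache2/logs/modsec_audit.log) is a single serial file, so it is covered by the first find; the per-user modsec_audit directory only fills when concurrent audit logging is in use.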

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey hey! All of the logs files in that area on my personal machine are also root:root so that seems normal to me.

Are you using the default OWASP rules on the machine? If so, have there been any customizations to the modsec2.cpanel.conf file on the system? To rule out that possibility you could run the following two commands to reset that file and see if that changes the behavior:

Code:
cp /etc/apache2/conf.d/modsec/modsec2.cpanel.conf{,.bak-`date +%Y%m%d`}
/scripts/restartsrv_httpd
 

jeffschips

Well-Known Member
Jun 5, 2016
cPanel Access Level
Root Administrator
Thank you @cPRex.

Following your suggestion I received notices that it had been reset, but also a bunch of printout in bright red letters which seemed to be mod_sec "matched" phrases and blocks. However, that directory in /var/log/modsec_audit is still empty.