UnixServerAdmin

Server Administration & Management

Logs files in linux (cPanel)

On a cPanel server, logs are often stored in different locations compared to a server without a control panel; Plesk, too, saves its logs under its own paths. Here is a list of services and their log paths that may help you find the logs.

Apache
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error_log
/usr/local/apache/domlogs/example.com

MySQL
/var/lib/mysql/hostname.err
Replace hostname with your server's hostname.

Exim
/var/log/exim_mainlog
/var/log/exim_paniclog
/var/log/exim_rejectlog

Courier-IMAP
/var/log/maillog

cPanel
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log

Pure-FTP
/var/log/messages
/var/log/xferlog  (symlinked to /usr/local/apache/domlogs/ftpxferlog)

System (cron, syslog, named, etc)
/var/log/messages
/var/log/boot.log
/var/log/cron
/var/log/dmesg

Security (ssh, ModSecurity, etc)
/var/log/secure
/usr/local/apache/logs/audit_log
/var/log/messages

August 15, 2011 | Apache, cPanel, Cron, DNS, Exim, Mod_Security, MySQL, Pure-FTPd, SSH, Tips & Tricks, Unix/Linux

How to disable Mod_security rules

Case-A :- By domain, for a specific application, for a list of IPs

1) Edit the vhost/vhost_ssl.conf for the domain

# vi /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

2) Add a LocationMatch block for the URL that allows requests from the whitelisted addresses.

<LocationMatch /foo/bar.php>
  <IfModule mod_security2.c>
    SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
  </IfModule>
</LocationMatch>

3) Add the IP address to /etc/asl/whitelist

echo "10.11.12.13" >> /etc/asl/whitelist

Case-B :- If you want to create a special whitelist for just that application

1) Edit the vhost/vhost_ssl.conf for the domain

# vi /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

2) Add a LocationMatch block for the URL that allows requests from the addresses in your custom whitelist.

<LocationMatch /foo/bar.php>
  <IfModule mod_security2.c>
    SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow"
  </IfModule>
</LocationMatch>

3) Create your custom whitelist file and add the IP address to it

echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application

Keep in mind that these custom lists are *not* managed by ASL, so if you want to add IPs to them you will need to do it from the command line. Note also that @pm and @pmFromFile match each line as a substring of REMOTE_ADDR, so an entry such as 10.11.12.1 also allows 10.11.12.13 and 110.11.12.1: list complete addresses only, and use @ipMatchFromFile instead where your ModSecurity version provides it.
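A check worth running before appending to a whitelist that @pmFromFile reads, as an added Python example (not part of the original post or of ASL): it accepts only complete IPv4 addresses, refuses duplicates, and shows which whitelist lines would fire for a given client address under @pm's substring matching. The whitelist used in demo() is a constructed temporary file.

```python
import ipaddress
import tempfile
from pathlib import Path


def is_complete_ipv4(entry: str) -> bool:
    """Accept only a full dotted-quad such as 10.11.12.13, never a prefix."""
    try:
        ipaddress.IPv4Address(entry)
    except ValueError:
        return False
    return True


def pm_would_match(entries, remote_addr: str):
    """Mimic @pm/@pmFromFile: each whitelist line is a phrase matched as a
    substring of the input, so '10.11.12.1' also fires for 10.11.12.13."""
    return [e for e in entries if e and e in remote_addr]


def whitelist_add(path: Path, entry: str) -> str:
    """Append a validated, de-duplicated address to the whitelist file.
    Returns 'added', 'duplicate' or 'rejected'."""
    entry = entry.strip()
    if not is_complete_ipv4(entry):
        return "rejected"
    existing = path.read_text().split() if path.exists() else []
    if entry in existing:
        return "duplicate"
    with path.open("a") as fh:
        fh.write(entry + "\n")
    return "added"


def demo():
    """Exercise the helpers against a constructed whitelist in a temp dir."""
    wl = Path(tempfile.mkdtemp()) / "whitelist"
    results = {
        "first": whitelist_add(wl, "10.11.12.13"),
        "again": whitelist_add(wl, "10.11.12.13"),
        "prefix": whitelist_add(wl, "10.11.12"),
    }
    # A truncated entry written with a plain echo would silently over-match:
    results["overmatch"] = pm_would_match(["10.11.12.1"], "10.11.12.13")
    results["exact"] = pm_would_match(wl.read_text().split(), "10.11.12.13")
    return results


if __name__ == "__main__":
    print(demo())
```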

Case-C :- Disable Mod_security rules globally for a specific application

Add this either to your vhost.conf file or, if you want to make it global, to a file that is loaded after your rules are loaded. A good place for it is the 999_asl_user_exclude.conf file. If you don't have this file, just create it; the system knows to load it.

<LocationMatch /url/to/your/application>
  <IfModule mod_security2.c>
    SecRuleRemoveById 1234567
    SecRuleRemoveById 9999999
  </IfModule>
</LocationMatch>

What's important to remember is that the LocationMatch argument must match the request URL, not the path on the filesystem.

July 1, 2011 | Mod_Security

Mod_Security: Access denied error code 403

You may see the following error in the Apache logs:

===================================================
mod_security: Access denied with code 403. Error reading request body, error code 70007:
The timeout specified has expired
===================================================

Fix:-

1. Open the Apache configuration file

# vi /usr/local/apache/conf/httpd.conf

2. Change the Timeout value to 300

3. Restart Apache service.

# /etc/init.d/httpd restart

The issue will be fixed.

June 30, 2011 | Mod_Security

Customizing a rule regarding Mod_Security

If you need to customize a rule, do not change the asl*conf files: they will be overwritten by updates. If you need to change a rule because it is incorrectly blocking something, we recommend you report it to us as a false positive, using the Reporting_False_Positives procedure. If you simply want to modify a rule to perform different actions, copy the entire rule into your own rule file and tell mod_security not to enable the original ASL rule, using the SecRuleRemoveById directive. Here is a simple example:

If you had an original rule like this:

SecRule REQUEST_URI "/foo" "t:normalisePath,id:9000000,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Block /foo'"

If you want it to block "bar" instead of "foo", copy the entire rule into your own custom rule file. If you are using our rules we recommend the filename 99_asl_zzz_custom.conf. Change the id: field to an unused ID and remove the original rule by its ID:

SecRuleRemoveById 9000000
SecRule REQUEST_URI "/bar" "t:normalisePath,id:9999999,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Block /foo'"

These are the reserved ranges:

* 1-99,999: reserved for local (internal) use. Use as you see fit, but do not use this range for rules that are distributed to others.
* 100,000-199,999: reserved for internal use of the engine, to assign to rules that do not have explicit IDs.
* 200,000-299,999: reserved for rules published at modsecurity.org.
* 300,000-399,999: reserved for rules published at gotroot.com.
* 400,000-419,999: unused (available for reservation).
* 420,000-429,999: reserved for ScallyWhack.
* 430,000-699,999: unused (available for reservation).
* 700,000-799,999: reserved for Ivan Ristic.
* 900,000-999,999: reserved for the Core Rules project.
* 1,000,000 and above: unused (available for reservation).
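An added Python check (not from the original post or from Atomicorp) for a custom rule file: it records which IDs are removed globally or inside a LocationMatch scope, as in Case C above, and classifies every id: you assign against the reserved ranges listed here, flagging custom rules that collide with a range owned by someone else. The sample configuration is constructed for this example.

```python
import re

RESERVED = [  # (low, high, owner) from the list above
    (1, 99_999, "local use"), (100_000, 199_999, "engine internal"),
    (200_000, 299_999, "modsecurity.org"), (300_000, 399_999, "gotroot.com"),
    (400_000, 419_999, "unused"), (420_000, 429_999, "ScallyWhack"),
    (430_000, 699_999, "unused"), (700_000, 799_999, "Ivan Ristic"),
    (900_000, 999_999, "Core Rules project"),
]
LOC_OPEN = re.compile(r'<LocationMatch\s+"?([^">]+?)"?\s*>', re.I)
RULE_ID = re.compile(r'SecRule\b.*[,"]id:(\d+)', re.I)

def id_owner(rule_id: str) -> str:
    """Range owner of a numeric ID; aliases such as phpids-17 are 'non-numeric'."""
    if not rule_id.isdigit():
        return "non-numeric"
    n = int(rule_id)
    for low, high, owner in RESERVED:
        if low <= n <= high:
            return owner
    return "unused" if n >= 1_000_000 else "unlisted"  # 800,000-899,999 is not listed

def parse_rules(text: str):
    """removed: scope ('(global)' or LocationMatch argument) -> IDs removed there; defined: id -> scope."""
    scope, removed, defined = "(global)", {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue  # skip blanks and comments
        if m := LOC_OPEN.match(line):
            scope = m.group(1)
        elif line.lower().startswith("</locationmatch"):
            scope = "(global)"
        elif line.lower().startswith("secruleremovebyid"):
            removed.setdefault(scope, set()).update(line.split()[1:])
        elif m := RULE_ID.match(line):
            defined[m.group(1)] = scope
    return removed, defined

def colliding_ids(defined) -> dict:
    """Custom rule IDs that sit in a range reserved for somebody else."""
    return {i: id_owner(i) for i in defined if id_owner(i) not in ("local use", "unused")}

SAMPLE = """# constructed 99_asl_zzz_custom.conf for this example
SecRuleRemoveById 9000000
SecRule REQUEST_URI "/bar" "t:normalisePath,id:9999999,rev:1,severity:2,msg:'Block /bar'"
SecRule REQUEST_URI "/baz" "t:normalisePath,id:950005,rev:1,msg:'collides with Core Rules'"
<LocationMatch "/wp-admin/post.php">
  SecRuleRemoveById 300015 300016 950907 phpids-17
</LocationMatch>
"""
```

Running `colliding_ids(parse_rules(SAMPLE)[1])` on the sample reports the 950005 rule as sitting in the Core Rules range, while 9999999 passes.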

June 29, 2011 | Mod_Security

How to disable Mod_Security using .htaccess file

Mod_security can be disabled for a directory through .htaccess: edit the .htaccess file and add the following line. Note that SecFilterEngine is a ModSecurity 1.x directive; ModSecurity 2.x does not recognise it, so this only works on servers still running ModSecurity 1 that allow the directive in .htaccess.

================
SecFilterEngine off
================

May 24, 2011 | Apache, htaccess, Mod_Security

WordPress and Mod_Security issues

ModSecurity is an open source web application firewall. It helps to prevent attacks on websites such as SQL injection and command execution via the browser. However, it may break some applications installed on your website. With ModSecurity 2, you cannot bypass a rule by ID from your .htaccess file.

If your web hosting provider has enabled mod_security with Apache, you may have problems posting topics, uploading images, inserting images into posts and so on. Since ModSecurity 2 does not allow rules to be bypassed by ID via .htaccess, you will have to contact your web hosting provider to bypass some rules for your website. ModSecurity can bypass rules based on location; a global whitelist configuration file is needed to bypass certain rules for certain locations.

Recently, I had problems uploading images and inserting them into posts. After reading some websites, I found a set of ModSecurity rules to bypass; excluding them for the affected locations in the global whitelist configuration file fixed my problem. The rules I bypassed are as follows:

<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/page.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/options.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/theme-editor.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-includes/">
SecRuleRemoveById 960010 960012 950006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

I hope this helps others who are facing a similar problem in their WordPress blog with mod_security.

January 18, 2011 | Mod_Security, WordPress