Plesk 12.x / Linux :: Logrotate For Modsecurity
Aug 1, 2014
I want to create logrotate in logrotate.d for modsecurity log.
I find following code, but it don't works.
Code:
/var/log/modsec_audit.log {
rotate 7
compress
missingok
notifempty
sharedscripts
postrotate
/sbin/service httpd reload > /dev/null 2>/dev/null || true
endscript
}
View 1 Replies
ADVERTISEMENT
Jul 6, 2014
Plesk 12 on Centos 6.5
I added the following to my /etc/logrotate.conf
/var/log/modsec_audit.log {
missingok
daily
rotate 4
compress
}
I'm not exactly sure if the above is the correct syntax, but the result was that two days later my current modsec_audit.log was Gzipped and a new modsec_audit.log was created.
The problem is that nothing was logged to this new file.
From the Plesk 12 control panel I turned off mod security and then turned it back on again and hey presto, the new logfile started to log events.
This leaves the problem of why nothing was recorded when the file was created.
View 2 Replies
View Related
May 26, 2015
I currently have the Web Application Firewall (ModSecurity) installed but would like a visual interface to block IP's, subnets etc.. Can I install the Plesk firewall as well without any conflict with the Web Application Firewall?
View 3 Replies
View Related
Jun 9, 2015
I have a Real Time Web Application Security Rules Subscription. I change the ModSecurity Rule Setup and add the Atomic LoginData to Plesk. All looks fine but the ModSecurity Log is now empty.
- Debian 7 with all Updates
- Plesk Version 12.0.18 Update #49
Output from: ~# aum -df upgrade asl
[URL] ....
View 1 Replies
View Related
Oct 24, 2014
I have enabled modsecurity system and in 1 day the modsec_audit.log file has grown to more than 700Mb. Is there any way to reduce the number of messages that this module logs?
View 4 Replies
View Related
Jun 12, 2014
Error when trying to set atomic subscription rule:
Failed to install the ModSecurity rule set: SecReadStateLimit is depricated, use SecConnReadStateLimit instead.
Syntax error on line 70 of /etc/httpd/conf/modsecurity.d/rules/atomic/modsec/00_asl_zz_strict.conf:
Error creating rule: Could not add entry "127.0.0.0/8" from: 127.0.0.0/8.
In directory /etc/httpd/conf/modsecurity.d/rules I have only: atomic.new modsecurity_crs-plesk tortix tortix.backup
There is no file 00_asl_zz_strict.conf
View 8 Replies
View Related
Jun 18, 2014
Once Atomic Basic is enabled, the following error appears:
Code:
Failed to install the ModSecurity rule set: modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key) <support@atomicorp.com>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 gpg: Signature made Tue Jun 17 16:53:49 2014 CEST using RSA key ID 4520AFA9 gpg: Good signature from "Atomicorp (Atomicorp Official Signing Key)
[Code] .....
OS Debian 7.5
Plesk version 12.0.18 Update #4, last updated at June 18, 2014 02:51 AM
View 19 Replies
View Related
Jun 22, 2009
This is our logrotate definition for Apache's logs folder:
Code:
/var/log/httpd/*log {
rotate 5
missingok
notifempty
size=100M
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
endscript
}
Yet, while it does truncate logs in five, we seem to have fairly different sizes: 182M, 168M, 968M (!)... It seems to be ignoring "size=100M",
View 2 Replies
View Related
Oct 25, 2009
is it possible to disable log rotate? I can't seem to find the cron under my weeklys or dailys nor monthlys unless it's named "mad-db" but is there a way to make it say yearly? or just disable it all together? I say this because the script I use has a function already to clear the logs and when log rotate runs it kills all processes going by the script
View 8 Replies
View Related
Jul 21, 2008
In /etc/logrotate.conf
I have the following:
Quote:
daily
rotate 7
create
compress
include /etc/logrotate.d
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 4
}
How can I keep my logs until the 18th of every month?
Would:
monthly
rotate 18
View 6 Replies
View Related
Jun 19, 2007
I recently purchased a new dedicated server, since I have had this server (8 days) I have being receiving the following email:
Quote:
/etc/cron.daily/logrotate:
error: error accessing /var/log/httpd: No such file or directory
error: httpd:1 glob failed for /var/log/httpd/*log
View 9 Replies
View Related
Jun 30, 2008
i have a little issue with the domlogs folder.
I should empty this files but i don't know if it is possible to do without reboot Apache.
a) how can i setup logrotate to rotate domlogs?
And if it is possible:
b) how can i setup logrotate to rotate domlogs without restart apache?
I have already setup whm-> tweak settings to delete old domain's access logs after stats run and the whm is setup to generate statistics every 20 hours.
But every day the site is slowly because the domlogs are too big.
View 6 Replies
View Related
Aug 4, 2008
how to rename access logs according to Week Number?
I notice that 1&1 do this, producing a file like "access.log.31.gz".
I'd like the access log to be in this format: access_log_[domain-name]_[Week-Number].gz, or if domain-name is not possible: access_log_[Week-Number].gz
Here's my current logrotate script for access_log:
Code:
/home/default/muro.co.uk/user/logfiles/access_log {
missingok
rotate 8
weekly
postrotate
/bin/kill -USR1 `cat /var/run/httpd.pid`
endscript
}
View 4 Replies
View Related
Nov 1, 2009
i need information about this option 'Check /etc/cron.daily/logrotate for /tmp noexec workaround', there are in the server check, of the csf test, someone can explain to me about this function? should do it?
the actually state is 'warning'.
View 12 Replies
View Related
Mar 18, 2007
I recently leased a dedicated server and it has somethign called modsecurity installed and I "think" it is causing me a slight problem. I installed Tikiwiki (using FANTASTICO as teh installer) to put a wiki on my site. Problem: When I edit a page and hit "Save." I get "FOBIDDEN you do not have permission to access /tiki/tiki-editpage.php on this server". After playing around with it all day, I finally asked my server management folks if they could figure out the issue and they said it looked like a "modsecurity" issue. If I understand correctly, modsecurity will clocu URLs that have certain characteristics.
my questions are:
1) How can I determine exactly which modsecurity rule is being violated and
2) How can I remove just taht rule so that things will work with the wiki program?
View 4 Replies
View Related
Nov 30, 2007
I have a site on my server that is running a Flash splash-page and ModSecurity keeps getting tripped when anyone accesses the page.
I am running the default configuration supplied by CPanel 11. The rule that is getting tripped is the XSS rule.
Here is some more info:
Code:
Pattern match "(?:�(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)�W*?=|abort�)|(?:l(?:owsrc�W*?�(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)�W*? ..." at ARGS:texts. [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <src="http:>"] [severity "CRITICAL"]
[30/Nov/2007:12:11:10 --0500] hFuubkMPEAcAAHVLfHgAAAAL 76.118.117.41 62197 67.15.16.7 80
--f2de940f-B--
GET /widgets/business_splash5.swf?nazvanie=Bob+Brewer&skip_intro=SKIP+INTRO&button=gpage.html&
;sloganss=&titl=&zvuk=downloads/DTH_final.mp3&pic1=http://bobbrewer.info/images/bb2_serie
s2.jpg&pic2=http://bobbrewer.info/images/bb2_series2.jpg&pic3=http://bobbrewer.info/images/bb
3_series3.jpg&pic4=http://bobbrewer.info/images/bb_series2.jpg&texts=%3cP+align%3dcenter%3e%3
cFONT+face%3d%22Comic+Sans+MS%22+color%3d%23ffff00+size%3d5%3eBobby+Brewer+Guitarist%3c/FONT%3e%3c/P%
3e++%3cP+align%3dcenter%3e%3cA+class%3dRE+href%3d%22undefined%22%3e%3cIMG+height%3d128+alt%3d%22%22+h
space%3d0+src%3d%22http://bobbrewer.info/images/bb2_series2.jpg%22+width%3d170+border%3d0%3e%3c/A%3e%
3c/P%3e&colorline1=%23BEC7DB&colorline2=%235B71A4&colorline3=%2333ffff&colorline4=&am
p;colorline5=%23BEC7DB&colorname=%2333ffff&colorline6=%235B71A4&colorline7=%23BEC7DB&
colorline8=&colorline9=%23BEC7DB&colorline10=&colorline11=%235B71A4&colorline12=%2333
ffff&colorline13=%23BEC7DB&colortitle=%23000000&colorline14=%2333ffff&colorline17=%23
33ffff&colorline17=%23BEC7DB&colorpolosa2=%235B71A4&colorpolosa1=%23BEC7DB HTTP/1.1
Accept: */*
Referer: http://bobbrewer.info/index.html
x-flash-version: 9,0,28,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: bobbrewer.info
Connection: Keep-Alive
--f2de940f-F--
HTTP/1.1 406 Not Acceptable
Content-Length: 455
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--f2de940f-H--
Message: Access denied with code 406 (phase 2). Pattern match "(?:�(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:e
lec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)�W*?=|abort�)|(?:l(?:owsrc�W*?�(?:(?:ja
va|vb)script|shell)|ivescript)|(?:href|url)�W*? ..." at ARGS:texts. [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <src="http:>"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1196442670313070 6595 (855 5738 -)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a DAV/2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1
The code in his web page that I think is tripping this is:
Code:
<!-- widgets/business_splash5.swf -->
<OBJECT WIDTH="550" HEIGHT="400" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553
540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflas
h.cab#version=7,0,0,0" align="middle" valign="top">
<PARAM NAME=movie VALUE="widgets/business_splash5.swf?nazvanie=Bob+Brewer&skip
_intro=SKIP+INTRO&button=gpage.html&sloganss=&titl=&zvuk=downloads/DTH_final.mp3
&pic1=http://bobbrewer.info/images/bb2_series2.jpg&pic2=http://bobbrewer.info/im
ages/bb2_series2.jpg&pic3=http://bobbrewer.info/images/bb3_series3.jpg&pic4=http
://bobbrewer.info/images/bb_series2.jpg&texts=%3cP+align%3dcenter%3e%3cFONT+face
%3d%22Comic+Sans+MS%22+color%3d%23ffff00+size%3d5%3eBobby+Brewer+Guitarist%3c/FO
NT%3e%3c/P%3e++%3cP+align%3dcenter%3e%3cA+class%3dRE+href%3d%22undefined%22%3e%3
cIMG+height%3d128+alt%3d%22%22+hspace%3d0+src%3d%22http://bobbrewer.info/images/
bb2_series2.jpg%22+width%3d170+border%3d0%3e%3c/A%3e%3c/P%3e&colorline1=%23BEC7D
B&colorline2=%235B71A4&colorline3=%2333ffff&colorline4=&colorline5=%23BEC7DB&col
orname=%2333ffff&colorline6=%235B71A4&colorline7=%23BEC7DB&colorline8=&colorline
9=%23BEC7DB&colorline10=&colorline11=%235B71A4&colorline12=%2333ffff&colorline13
=%23BEC7DB&colortitle=%23000000&colorline14=%2333ffff&colorline17=%2333ffff&colo
rline17=%23BEC7DB&colorpolosa2=%235B71A4&colorpolosa1=%23BEC7DB">
<PARAM NAME="scale" VALUE="noscale">
<PARAM NAME=quality VALUE=high>
<PARAM name="wmode" value="transparent">
<EMBED wmode="transparent" quality="high" WIDTH="550" HEIGHT="400"
src="widgets/business_splash5.swf?nazvanie=Bob+Brewer&skip_intro=SKIP+I
NTRO&button=gpage.html&sloganss=&titl=&zvuk=downloads/DTH_final.mp3&pic1=http://
bobbrewer.info/images/bb2_series2.jpg&pic2=http://bobbrewer.info/images/bb2_seri
es2.jpg&pic3=http://bobbrewer.info/images/bb3_series3.jpg&pic4=http://bobbrewer.
info/images/bb_series2.jpg&texts=%3cP+align%3dcenter%3e%3cFONT+face%3d%22Comic+S
ans+MS%22+color%3d%23ffff00+size%3d5%3eBobby+Brewer+Guitarist%3c/FONT%3e%3c/P%3e
++%3cP+align%3dcenter%3e%3cA+class%3dRE+href%3d%22undefined%22%3e%3cIMG+height%3
d128+alt%3d%22%22+hspace%3d0+src%3d%22http://bobbrewer.info/images/bb2_series2.j
pg%22+width%3d170+border%3d0%3e%3c/A%3e%3c/P%3e&colorline1=%23BEC7DB&colorline2=
%235B71A4&colorline3=%2333ffff&colorline4=&colorline5=%23BEC7DB&colorname=%2333f
fff&colorline6=%235B71A4&colorline7=%23BEC7DB&colorline8=&colorline9=%23BEC7DB&c
olorline10=&colorline11=%235B71A4&colorline12=%2333ffff&colorline13=%23BEC7DB&co
lortitle=%23000000&colorline14=%2333ffff&colorline17=%2333ffff&colorline17=%23BE
C7DB&colorpolosa2=%235B71A4&colorpolosa1=%23BEC7DB"
type="application/x-shockwave-flash" pluginspage=[url]
View 2 Replies
View Related
Feb 22, 2008
how i can install modsecurity 2.5.0?
View 3 Replies
View Related
Oct 3, 2006
Upon reviewing my modsecurity log today, I found an interesting hit from google.
-------------------
Requesting IP: 66.249.65.67 is http://ws.arin.net/cgi-bin/whois.pl?...t=66.249.65.67
Date: 2006-10-03
Time: 07:10:16
Handler: mod_gzip_handler
Get: /page/index/1&show=25,07,2005?php%20echo%20$bmc_vars%5B'site_url'%5D;%20?%3E/profile.php?id=1
Mod_Security-Message: Access denied with code 406. Pattern match "echo " at THE_REQUEST
Mod_Security-Action: 406
------------
The rule that set off this 406 response was:
SecFilterSelective THE_REQUEST "echo "
What I find interesting is that I do not have any such URL structure on this website that google requested.
View 2 Replies
View Related
May 29, 2007
I am running apache 1.3 + modsecurity 1 my problem is i can not use ajax coz of modsecurity is there any way to make ajax work with modsecurity on apache 1 coz i know it's work on apache 2
View 1 Replies
View Related
Oct 20, 2007
where I can find or get the latest, and with better design ruleset for modsecurity? I have one, but it is really old.
View 1 Replies
View Related
Sep 19, 2008
i installed it from whm
cpanel > Manage Plugins > Name: modsecurity > Install and Keep Updated
but its not working
( i think this is add-one for make configuration in Plugins options )
so i want to install it from ssh
i have apache 2.2.9
php 5
View 10 Replies
View Related
Oct 17, 2007
We have a small Hosting reseller account at eNom. We have a new customer that moved his website from another hosting company to ours. The website is on a shared IP. Enom also uses a internal IP for internal use associated to the domain.
The problem we have is that AOL users can not see the website. As far as we can tell no other ISP's are having this problem. Everyone can see it except AOL users.
When AOL users go to the site they get "Page can not be found". After several calls to eNom support and them triple checking the DNS we still have the problem.
I looked at the error log for the website this morning. I found several errors. I looked up the IP's with the errors and they all pointed back to AOL.. See below for two examples of the errors....
Is this a server problem or DNS?
What do these errors mean and what do I do about it?
The domain is http://2hotlicks.com . They sell Hot Sauce.. Would AOL block it because of the keywords in the Domain name?
[Wed Oct 17 08:11:56 2007] [error] [client 207.200.116.7] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/"] [unique_id "uPWvAgoHAlYAAA25N5AAAAAI"]
[Tue Oct 16 13:11:20 2007] [error] [client 207.200.116.137] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/combos.htm"] [unique_id "yddhwAoHAlYAAEEfgyEAAAAi"]
View 2 Replies
View Related
Sep 7, 2014
After install the ModSecurity Web Application Firewall for Apache no button for manageing module is displayed in plesk.
Installation was successful. How can I repair the button in plesk / webbased manage mod_security?
View 13 Replies
View Related
Jul 12, 2007
So I've been working on getting the modsecurity upload scan function to work for over 4 hours now and i'm done with this junk to say the least.
Using modsec 1.9
Cpanel 10x
Apache 1.3
in the modsec.conf
SecUploadDir /tmp
SecUploadApproveScript /usr/local/apache/htdocs/upload_scan.pl
All I get in the audit_log is:
Access denied with code 406. Error verifying files: Received no output from the approver script (execution failed?) "/usr/local/apache/htdocs/upload_scan.pl" ....
View 1 Replies
View Related
Jun 20, 2014
I am trying to install Magento on my apache server. I am running into the dreaded mcrypt issue as Magento needs it to run. I have now been googling for the past few hours and have gotten nowhere.
Here are my details:
Linux
Centos 5.5
PHP 5.3.3
x86_64
Plesk 12
I have tried installing all sorts of different repos and it just isn't working.
When I try to install using # yum install php-mcrypt I get the following:
Loaded plugins: fastestmirror
Package php-mysql is obsoleted by php-mysqlnd, trying to install php-mysqlnd-5.5.13-3.el5.remi.x86_64 instead
--> Processing Dependency: php53-gd for package: psa-php53-configurator
--> Processing Dependency: php53-imap for package: psa-php53-configurator
[Code].....
View 6 Replies
View Related
Feb 25, 2015
Does Parallels support Plesk 12 being installed on a Linux VM that is provisioned on Microsoft Windows Server 2012 R2 Hyper-V?Is it fully supported?
View 2 Replies
View Related
Nov 17, 2008
Best platform for IMAP mail (Cpanel, Plesk Linux or Plesk Windows)
I need to setup 5 email accounts on my domain, each will use IMAP and store messages on server, so total space taken by each account will be 2-5 GB.
I have decided to go with eurovps.com as I'm close to them and ping is fast.
What is the best solution for IMAP and large email accounts: Linux Cpanel, Linux Plesk or Windows Plesk?
Each account will be accessed by 2 people differently by Thunderbird and occasionally by webmail, so nice webmail is a plus.
View 7 Replies
View Related
Nov 3, 2008
I have a server running Linux and PLESK, and am interested in switching to Windows and PLESK. Will the backups made under Linux restore under Windows?
View 1 Replies
View Related
