Absolutely right you are... never even considered they would have stuck that in there. I guess that's what happens when you let a control panel do the install for you.


On 11/29/07 2:13 PM, "Dan Morgan" <dmorgan002@gmail.com> wrote:

CPanel's installation uses the file /etc/cron.hourly/modsecparse.pl to cut the log file to an SQL database and clear the log file.  There is an interface in WHM plugins.  I personally disabled the cronjob as it didn't work for me.

On Nov 29, 2007 11:07 AM, Danny Shurett <dshurett@alphaomegahosting.net> wrote:

Yes it is.


On 11/29/07 1:56 PM, "Dan Morgan" <dmorgan002@gmail.com> wrote:

On Nov 29, 2007 10:33 AM, Danny Shurett <dshurett@alphaomegahosting.net> wrote:
I have a strange problem with my mod security implementation.  When I login to my server I usually see either an empty audit log or a severely diminished one.  For example, it is currently only about 4k and the entries are an hour old at the most.  Often I login and it is 0 bytes.  If I manually force a hit, I can see it written to the audit log.  Also, I notice modsecurity stuff is being written to the error_log for apache.  Here are some details:

Apache 2.2.6
Modsec 2.1.3
Apache uptime 23hrs

SecRuleEngine On
SecDefaultAction "log,deny,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"


SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
# SecDefaultAction is set again below; each rule takes the most recent one above it
SecDefaultAction "phase:2,deny,log,status:406"
# dots escaped so the pattern matches only the literal loopback address
SecRule REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
SecDefaultAction "log,deny,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Sample rule

SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecRule ARGS "(ht|f)tps?:/"
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

This logging problem sounds familiar.  This isn't by chance a CPanel server installation is it?

Dan M. Morgan


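For anyone who lands on this thread with the same symptom: the cron job Dan describes is cPanel's, and what it does is the whole explanation for a near-empty modsec_audit.log. The script below is an added example written for this page, not cPanel's modsecparse.pl and not ModSecurity code. It shows the same job in miniature: parse the serial (single-file) audit log into a database, then truncate the file. The file paths, SQLite schema, function names and the two sample transactions are constructed for the demo; the log layout it parses (--<id>-<part>-- boundaries, A = transaction summary, B = request headers, H = audit trailer with the rule ids, Z = end of entry) is the ModSecurity 2.x serial format.

```python
"""Added example: ingest a ModSecurity 2.x serial audit log into SQLite, then
truncate it, which is the behaviour that leaves modsec_audit.log near-empty.
Not cPanel's modsecparse.pl; names, schema and sample data are constructed."""
import os
import re
import sqlite3
import tempfile

# Constructed sample: two transactions in the serial (single-file) format.
# Each part is delimited by --<tx id>-<part letter>-- and Z closes the entry.
SAMPLE_AUDIT_LOG = """--4a3f1b2c-A--
[29/Nov/2007:13:56:01 --0500] R2Y8jH8AAAEAAFhbA6sAAAAB 192.0.2.10 51234 192.0.2.1 80
--4a3f1b2c-B--
GET /index.php?page=http://198.51.100.7/x.txt HTTP/1.1
Host: www.example.com
User-Agent: curl/7.16.0

--4a3f1b2c-H--
Message: Access denied with code 406 (phase 2). Pattern match "(ht|f)tps?:/" at ARGS:page. [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"]
Action: Intercepted (phase 2)
--4a3f1b2c-Z--

--9e7d0c11-A--
[29/Nov/2007:13:58:42 --0500] R2Y9CH8AAAEAAFhcA7AAAAAC 203.0.113.5 40122 192.0.2.1 80
--9e7d0c11-B--
GET /forum/view.php?file=ftp://198.51.100.9/cmd.txt HTTP/1.0
Host: www.example.com

--9e7d0c11-H--
Message: Access denied with code 406 (phase 2). Pattern match at REQUEST_URI. [id "300040"] [rev "1"] [msg "Generic PHP code injection protection in URI"]
--9e7d0c11-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
A_LINE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')


def _build_entry(tx_id, parts):
    """Flatten the collected parts of one transaction into a row-shaped dict."""
    a = A_LINE.match((parts.get("A") or [""])[0])
    b = parts.get("B") or [""]
    headers = {}
    for line in b[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    rule_ids = [int(i) for line in parts.get("H", []) for i in RULE_ID.findall(line)]
    return {
        "tx_id": tx_id,
        "timestamp": a.group(1) if a else None,
        "unique_id": a.group(2) if a else None,
        "client_ip": a.group(3) if a else None,
        "request_line": b[0],
        "host": headers.get("host"),
        "rule_ids": rule_ids,
    }


def parse_audit_log(text):
    """Return (entries, pending): one dict per transaction closed by a Z part,
    plus whether an unterminated transaction (still being written) follows."""
    entries, parts, part, tx_id = [], {}, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx_id, part = m.group(1), m.group(2)
            if part == "Z":
                entries.append(_build_entry(tx_id, parts))
                parts, part = {}, None
            else:
                parts[part] = []
        elif part is not None:
            parts[part].append(line)
    return entries, bool(parts)


SCHEMA = """CREATE TABLE IF NOT EXISTS audit (
    tx_id TEXT PRIMARY KEY, unique_id TEXT, ts TEXT, client_ip TEXT,
    host TEXT, request_line TEXT, rule_ids TEXT)"""


def load_entries(conn, entries):
    """Store entries; the tx_id primary key makes a re-run idempotent."""
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT OR IGNORE INTO audit VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(e["tx_id"], e["unique_id"], e["timestamp"], e["client_ip"],
          e["host"], e["request_line"], ",".join(map(str, e["rule_ids"])))
         for e in entries])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM audit").fetchone()[0]


def ingest_and_truncate(log_path, db_path):
    """Read the log, store complete transactions, then empty the file.
    Returns (entries_ingested, rows_in_db, truncated). Assumption: Apache
    holds the log open O_APPEND, so writes after the truncate go to the new
    end of file instead of leaving a hole. A transaction appended between the
    read and the truncate is lost; that is inherent to read-then-truncate."""
    with open(log_path, "r+", encoding="utf-8", errors="replace") as f:
        entries, pending = parse_audit_log(f.read())
        conn = sqlite3.connect(db_path)
        try:
            total = load_entries(conn, entries)
        finally:
            conn.close()
        truncated = not pending  # never cut a half-written transaction
        if truncated:
            f.seek(0)
            f.truncate()
    return len(entries), total, truncated


def demo():
    """Run the job against the constructed sample in a temporary directory."""
    tmp = tempfile.mkdtemp()
    log_path = os.path.join(tmp, "modsec_audit.log")
    with open(log_path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_AUDIT_LOG)
    ingested, total, truncated = ingest_and_truncate(
        log_path, os.path.join(tmp, "modsec.sqlite"))
    return ingested, total, truncated, os.path.getsize(log_path)


if __name__ == "__main__":
    print(demo())  # (2, 2, True, 0)
```

Run it once and the log is 0 bytes with both transactions in the database, which is exactly the "empty audit log" picture from the original report. The one check worth doing on a real box before trusting such a job is the race it cannot avoid: with SecAuditEngine RelevantOnly the file is quiet most of the time, but a request blocked between the read and the truncate is gone from both the file and the database, so either lock the file or parse into the database and rotate with the web server's own reopen rather than truncating under it.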