modsec_audit always empty
Hello. In my attempt to track down a malicious IP address attacking the server I've been looking at logs. Not only cannot I not find the malicious IP address in any logs which I know was attacking because a different service has logged it in it's application and it shows in that database - albeit without any of the commands or paths used - but in the process of searching I found that my modsec_audit directory is empty. See below commands:
Notice June 1 entry as root root. Is that normal? Running grep skipmodseclog /var/cpanel/cpanel.config shows:
running grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5 shows:
Should nobody be root? Any solutions to an empty modsec_audit file? And finally, if my other application shows the offending ip address (google cloud platform repeat offender) but I can't find cpanel logs showing the actual activity in either /home/xxxxxx/logs or /var/log/apache2/domlogs I would think that warrants further investigation. No?
[root@xxxxxxxxxxxxx logs]# cd modsec_audit
[root@xxxxxxxxxxxxx modsec_audit]# ls
nobody
[root@xxxxxxxxxxxxx modsec_audit]# cd nobody
[root@xxxxxxxxxxxxx nobody]# ls
[root@xxxxxxxxxxxxx nobody]# ls -la
total 8
drwxr-x---. 2 nobody nobody 4096 May 22 09:27 .
drwx-wx-wt. 3 root root 4096 Jun 1 22:09 ..
[root@xxxxxxxxxxxxx nobody]# Notice June 1 entry as root root. Is that normal? Running grep skipmodseclog /var/cpanel/cpanel.config shows:
skipmodseclog=0running grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5 shows:
[root@xxxxxxxxxxxxx nobody]# grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log (size:816978) to 816978 (requested 816978)
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Will resume /etc/apache2/logs/modsec_audit.log to 816978
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Reading back thirty lines of /etc/apache2/logs/modsec_audit.log starting at 800594
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Restoring /etc/apache2/logs/modsec_audit.log to catch up position 816978
[1716] [2021-06-02 22:30:34 -0400] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log to position 816978Should nobody be root? Any solutions to an empty modsec_audit file? And finally, if my other application shows the offending ip address (google cloud platform repeat offender) but I can't find cpanel logs showing the actual activity in either /home/xxxxxx/logs or /var/log/apache2/domlogs I would think that warrants further investigation. No?
-
Hey hey! All of the logs files in that area on my personal machine are also root:root so that seems normal to me. Are you using the default OWASP rules on the machine? If so, have there been any customizations to the modsec2.cpanel.conf file on the system? To rule out that possibility you could run the following two commands to reset that file and see if that changes the behavior: cp /etc/apache2/conf.d/modsec/modsec2.cpanel.conf{,.bak-`date +%Y%m%d`} /scripts/restartsrv_httpd0 -
Thank you @cPRex. Following your suggestion I received notices that it had been reset, but also a bunch of printout in bright red letters which seemed to be mod_sec "matched" phrases and blocks. However, that directory in /var/log/modsec_audit is still empty. 0 -
Interesting - it sounds like this is something best handled in a ticket. Post the number here once you get a chance to get one submitted so I can follow along. 0
Please sign in to leave a comment.
Comments
3 comments