
Question: How do I find outgoing website uid when using nginx?

Linulex

Hello all,

I have a server that is blacklisted because a website makes a connection with a bot. I want to stop this of course, but I need to find which website it is. It used to be as simple as logging outgoing connections and the uid would show up in the log after a while.

iptables -I OUTPUT 1 -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 80 -j LOG --log-level 1 --log-uid

BUT ... when using nginx as proxy, the logs always show the uid of nginx, not of the system user of the website.
All I get now is

Apr 16 11:01:53 res5 kernel: IN= OUT=bond0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64667 DF PROTO=TCP SPT=80 DPT=51448 WINDOW=165 RES=0x00 ACK URGP=0 UID=497 GID=498

497 = nginx, it doesn't log the system user anymore that goes with the website.

Does anyone know a way to log outgoing connections that will give me the system uid?
Maybe in nginx or apache.

regards
Jan
 

Hi, Jan!
> SPT=80 DPT=51448
It looks like you are catching outgoing packets in an incoming session.

If I understand correctly, you want to catch packets in an outgoing session?
If you make an outgoing session from the server, e.g.
Code:
 wget http://google.com
then in /var/log/messages it looks like ... SPT=43646 DPT=80 ...

Try to use variables $http_x_uuid $upstream_http_x_uuid in nginx logging, it may help to solve your situation:
NGINX Docs | Configuring Logging
nginx: Is it possible to capture response headers in access log when using nginx as a reverse proxy?
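
The reply's observation, that SPT=80 marks the server answering a visitor rather than opening a connection of its own, can be checked mechanically on the logged lines. This is an added example, not code from either poster: it assumes the kernel LOG format shown in the thread and that ports 80 and 443 are the server's own listening ports, and the sample lines are constructed (documentation addresses, made-up site UID 10003).

```python
import re
from collections import Counter

# Constructed sample lines in the kernel LOG format shown in the thread
# (documentation addresses; UID 10003 is a made-up site system user).
SAMPLE_LOG = """\
Apr 16 11:01:53 res5 kernel: IN= OUT=bond0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64667 DF PROTO=TCP SPT=80 DPT=51448 WINDOW=165 RES=0x00 ACK URGP=0 UID=497 GID=498
Apr 16 11:02:10 res5 kernel: IN= OUT=bond0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1201 DF PROTO=TCP SPT=43646 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=10003 GID=1004
Apr 16 11:02:10 res5 kernel: IN= OUT=bond0 SRC=192.0.2.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1202 DF PROTO=TCP SPT=43646 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0 UID=10003 GID=1004
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
LOCAL_SERVICE_PORTS = {80, 443}  # assumption: ports this server listens on

def parse(line):
    """Split one kernel LOG line into KEY=value fields and bare TCP flag words."""
    payload = line.split("kernel:", 1)[-1]
    fields = dict(FIELD.findall(payload))
    flags = TCP_FLAGS.intersection(payload.split())
    return fields, flags

def classify(line):
    """Return (kind, uid) for one logged OUTPUT-chain packet."""
    fields, flags = parse(line)
    if fields.get("PROTO") != "TCP" or "SPT" not in fields:
        return "other", None
    uid = int(fields["UID"]) if "UID" in fields else None
    if "SYN" in flags and "ACK" not in flags:
        return "outbound-connect", uid   # this host opened the connection
    if int(fields["SPT"]) in LOCAL_SERVICE_PORTS:
        return "reply-to-visitor", uid   # e.g. SPT=80: web server answering a client
    return "other", uid

def uids_opening_connections(log_text):
    """Count UIDs only for packets that start a new outbound connection."""
    counts = Counter()
    for line in log_text.splitlines():
        kind, uid = classify(line)
        if kind == "outbound-connect" and uid is not None:
            counts[uid] += 1
    return counts

if __name__ == "__main__":
    print(uids_opening_connections(SAMPLE_LOG))
```

Only the UIDs counted by `uids_opening_connections` belong to processes that initiated traffic; lines classified as `reply-to-visitor` carry the web server's UID because they are responses on connections that visitors opened.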
 