
Resolved mod_security log rotation conf file location?

Then something is missing in your installation. In ours (CentOS 6.8), mod_security 2.9.0-centos6.16102616 created the file

/etc/logrotate.d/mod_security

with content

Code:
/var/log/modsec_audit.log {
    daily
    rotate 7
    missingok
    compress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}

This VPS was updated from Plesk 12.5.30, but mod_security was installed after the update (this morning, in fact, to test it).

regards
Jan
 
Probably, yes. I wonder why this is missing and what the consequences are. Probably the only consequence is that modsec_audit.log never rotates. I am giving this attention because yesterday we saw a hard restart while another one was still going on, so I suspected that modsecurity's log rotation setting was doing it, but obviously not in that case.
 
On an RPM system, you can find out what is in a package with these commands

rpm -qi --filesbypkg mod_security

on centos 6.8 this gives

Code:
Name        : mod_security                 Relocations: (not relocatable)
Version     : 2.9.0                             Vendor: Plesk
Release     : centos6.16102616              Build Date: Wed Oct 26 11:21:05 2016
Install Date: Sun Feb  5 11:17:34 2017         Build Host: bcos6x64.plesk.ru
Group       : System Environment/Daemons    Source RPM: mod_security-2.9.0-centos6.16102616.src.rpm
Size        : 1051297                          License: Apache License 2.0
Signature   : DSA/SHA1, Wed Oct 26 11:26:59 2016, Key ID bd11a6aa914bdf7e
Packager    : Plesk <[email protected]>
URL         : http://www.modsecurity.org/
Summary     : Open source, cross-platform, web server WAF module
Description :
With over 70% of all attacks now carried out over the web application level,
organisations need every help they can get in making their systems secure.
Web application firewalls are deployed to establish an external security layer
that increases security, detects, and prevents attacks
before they reach web applications.
mod_security              /etc/httpd/conf.d/security2.conf
mod_security              /etc/httpd/conf/modsecurity.d
mod_security              /etc/httpd/conf/modsecurity.d/rules
mod_security              /etc/logrotate.d/mod_security
mod_security              /usr/bin/mlogc
mod_security              /usr/lib64/httpd/modules/mod_security2.so
mod_security              /usr/share/doc/mod_security-2.9.0
mod_security              /usr/share/doc/mod_security-2.9.0/CHANGES
mod_security              /usr/share/doc/mod_security-2.9.0/LICENSE
mod_security              /usr/share/doc/mod_security-2.9.0/NOTICE
mod_security              /usr/share/doc/mod_security-2.9.0/README.TXT
mod_security              /usr/share/doc/mod_security-2.9.0/authors.txt
mod_security              /usr/share/doc/mod_security-2.9.0/doc
mod_security              /usr/share/doc/mod_security-2.9.0/doc/README.txt
mod_security              /usr/share/doc/mod_security-2.9.0/mlogc-default.conf
mod_security              /var/cache/modsecurity

What do you mean "a hard restart", of apache? of the server?

Maybe you have some tests that restart services when over xx load, or when open Apache clients are more than xx, etc... like we do.

regards
Jan





 
Maybe you have some tests that restart services when over xx load, or when open Apache clients are more than xx, etc... like we do.

Indeed, we run intra-day statistics updates / log rotation when logs reach a certain size, because the one-time Plesk rotation at night is not enough to keep logs small for fail2ban. In that case it could indeed happen that two Apache restart/reload sequences happen at the same time. Interesting thought, maybe that was causing it.

I'll update the logsize check script and test whether another restart is in progress before initializing a statistics data maintenance.
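One way to implement the "is another restart in progress?" check from the post above, as an added example that is not code from this thread: every job that reloads Apache (the logrotate `postrotate` hook, the log-size check script) calls the same function, which takes an exclusive `flock` before reloading. The function name, the lock-file path and the exit code 75 are assumptions; the reload command is the one from the logrotate file quoted earlier.

```shell
#!/bin/sh
# Added example: serialize Apache reloads triggered by independent jobs.
# LOCKFILE is an assumed path; RELOAD_CMD is the command from the
# logrotate snippet on this page. Both can be overridden by the caller.
LOCKFILE="${LOCKFILE:-/var/lock/httpd-reload.lock}"
RELOAD_CMD="${RELOAD_CMD:-/sbin/service httpd reload}"

# reload_httpd [wait_seconds]
#   wait_seconds = 0 (default): skip at once if a reload is already running.
#   wait_seconds > 0: wait up to that long for the running reload to finish.
# Returns 0 after a successful reload, 75 if the lock could not be taken,
# otherwise the exit status of the reload command.
reload_httpd() {
    wait_s="${1:-0}"
    (
        # fd 9 holds the lock for the lifetime of this subshell. The kernel
        # releases it when the fd closes, so a killed job leaves no stale lock.
        if [ "$wait_s" -gt 0 ]; then
            flock -w "$wait_s" 9 || exit 75
        else
            flock -n 9 || exit 75
        fi
        # Close fd 9 for the child so a long-lived process started by the
        # reload cannot keep the lock after this subshell exits.
        $RELOAD_CMD >/dev/null 2>&1 9>&-
    ) 9>"$LOCKFILE"
}

# Stand-alone use: "sh reload-httpd.sh run [wait_seconds]"
if [ "${1:-}" = "run" ]; then
    reload_httpd "${2:-0}"
    exit $?
fi
```

A nightly logrotate hook would normally wait (for example `reload_httpd 60`), while an intra-day size check can skip with `reload_httpd` and retry on its next run.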
 
We rotate logs daily and have this script run every night

PHP:
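<?php
// Read the Plesk admin database password.
$pwfile = "/etc/psa/.psa.shadow";
$pw = trim(file_get_contents($pwfile));

// mysqli replaces the mysql_* functions, which were removed in PHP 7.
$db = mysqli_connect("localhost", "admin", $pw, "psa");
if (!$db) {
    exit("MySQL error: " . mysqli_connect_error() . "\n");
}
// Select all domains whose hosting type is 'vrt_hst'.
$result = mysqli_query($db, "select htype, name from domains where htype = 'vrt_hst' ORDER by name;");
if (!$result) {
    // Stop here: there is no result set to iterate over.
    exit("MySQL error: " . mysqli_error($db) . "\n");
}
while ($row = mysqli_fetch_assoc($result)) {
    echo "$row[name]\n";
    // Quote the domain name so it reaches the shell as a single argument.
    exec("/usr/local/psa/bin/site -u " . escapeshellarg($row['name']) . " -log-rotate true -log-bytime daily -log-max-num-files 7 -log-compress false");
}

?>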

We don't compress logs, for searchability.

This way we never have trouble with too big logfiles.
Fail2ban is only used on general logs, like /var/log/secure, ftp and maillog, not on individual domain logs. We keep hostings safe by actively maintaining mod_security rules, including creating our own when needed/called for, maldetect and mod_cband. IP addresses that go too far are placed permanently in the firewall.

regards
Jan
 