PHP -> Syslog
Hi,
I was starting to move my websites to my new vps which is running vestacp (Ubuntu 16.04).
One of the features that I used in my wordpress and drupal sites was to log to the syslog, in order to ban offenders who try to brute force my user accounts.
Since the move both the drupal & wordpress plugin fail to write to the syslog.
Anyone have an idea where the problem could be?
Re: PHP -> Syslog
Something changed, you need to figure out what exactly.
OS and php version on your servers same?
VPS have same type? (openvz/kvm or something?)
Re: PHP -> Syslog
skurudo wrote:
Something changed, you need to figure out what exactly.
OS and php version on your servers same?
VPS have same type? (openvz/kvm or something?)

OS & Php version are different but it used to work on my testserver.
Will reinstall the testserver and try to find out what triggers it.
Re: PHP -> Syslog
Keep us posted, quite an interesting problem
Re: PHP -> Syslog
Ok first test.
On my baremetal testserver the rsyslog is behaving normally.
On the production server which is a virtualised server it is not.
Config of rsyslog is identical.
Identical ubuntu server 16.04 (Or almost identical).
The baremetal server is installed using the ubuntu server 16.04 iso and the production is installed with the ubuntu alternate 16.04. Ask the vps provider for the virtualisation technology to search in that direction.
Re: PHP -> Syslog
It is with great shame that I come before you.
I found the error by using: logger TroubleshootingTest
Even that didn't work. After some googling, most of the syslog problems are solved by fixing iptables.
I don't use iptables directly because I use csf.
One of the options in csf is:

SECURITY WARNING
================
Unfortunately, syslog and rsyslog allow end-users to log messages to some
system logs via the same unix socket that other local services use. This
means that any log line shown in these system logs that syslog or rsyslog
maintain can be spoofed (they are exactly the same as real log lines).
Since some of the features of lfd rely on such log lines, spoofed messages
can cause false-positive matches which can lead to confusion at best, or
blocking of any innocent IP address or making the server inaccessible at
worst.
Any option that relies on the log entries in the files listed in
/etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
vulnerable to exploitation by end-users and scripts run by end-users.
NOTE: Not all log files are affected as they may not use syslog/rsyslog
The option RESTRICT_SYSLOG disables all these features that rely on affected
logs. These options are:
LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
PORTKNOCKING_ALERT
This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
The following options are still enabled by default on new installations so
that, on balance, csf/lfd still provides expected levels of security:
LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
above, it should be done with the knowledge that any of those options
that are enabled could be triggered by spoofed log lines and lead to the
server being inaccessible in the worst case. If you do not want to take that
risk you should set RESTRICT_SYSLOG to "1" and those features will not work
but you will not be protected from the exploits that they normally help block
The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
the syslog/rsyslog unix socket.
For further advice on how to help mitigate these issues, see
/etc/csf/readme.txt
0 = Allow those options listed above to be used and configured
1 = Disable all the options listed above and prevent them from being used
2 = Disable only alerts about this feature and do nothing else
3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **

That was on 3. Changing this fixed it.
Now I am going to put a bandaid on my head because I smashed my head against the walls for a couple of days now because of this problem.
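As an added example (not code from this thread or from csf), a small POSIX shell diagnostic for the situation above: it reads RESTRICT_SYSLOG and RESTRICT_SYSLOG_GROUP from csf.conf (path assumed to be /etc/csf/csf.conf, KEY = "value" lines), checks whether the PHP user (assumed to be www-data) can write to the syslog socket, and points to group membership in RESTRICT_SYSLOG_GROUP instead of lowering RESTRICT_SYSLOG.

```shell
#!/bin/sh
# Added diagnostic for the problem in this thread (not code from the thread or
# from csf): with RESTRICT_SYSLOG=3 csf limits the syslog unix socket to
# RESTRICT_SYSLOG_GROUP, so a PHP process outside that group cannot log.
# Assumptions: csf config at /etc/csf/csf.conf (KEY = "value" lines) and the
# PHP/web user is www-data; both can be overridden via environment variables.
SOCK=/dev/log
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"
PHP_USER="${PHP_USER:-www-data}"

# Read one option value from csf.conf; prints nothing if the file is absent.
csf_option() {  # $1 = option name, $2 = config file
    [ -r "$2" ] || return 0
    sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Owner/group/other write check for the socket. Prints a one-line verdict and
# returns 0 only if the user can write. Takes its inputs as arguments so it
# can be exercised with constructed values instead of the live socket.
socket_writable() {  # $1 user  $2 "grp1 grp2 ..."  $3 owner  $4 group  $5 mode
    bits=$(printf '%s' "$5" | sed 's/.*\(...\)$/\1/')   # last three octal digits
    o=${bits%??}; rest=${bits#?}; g=${rest%?}; w=${rest#?}
    if [ "$1" = "$3" ]; then cls=owner; d=$o
    elif printf ' %s ' "$2" | grep -qF " $4 "; then cls=group; d=$g
    else cls=other; d=$w
    fi
    case $d in
        2|3|6|7) echo "writable: $1 matches the $cls class of $3:$4 mode $bits"; return 0 ;;
    esac
    echo "not writable: $1 falls in the $cls class of $3:$4 mode $bits"
    return 1
}

main() {
    # stat -L follows /dev/log when it is a symlink (systemd keeps the real socket elsewhere)
    set -- $(stat -L -c '%U %G %a' "$SOCK")
    ugroups=$(id -Gn "$PHP_USER" 2>/dev/null || echo "$PHP_USER")
    rs=$(csf_option RESTRICT_SYSLOG "$CSF_CONF")
    rsg=$(csf_option RESTRICT_SYSLOG_GROUP "$CSF_CONF")
    echo "RESTRICT_SYSLOG=${rs:-unset} RESTRICT_SYSLOG_GROUP=${rsg:-unset}"
    if socket_writable "$PHP_USER" "$ugroups" "$1" "$2" "$3"; then
        echo "next: run 'logger -t TroubleshootingTest probe' as $PHP_USER and look in /var/log/syslog"
    elif [ "$rs" = "3" ]; then
        echo "keep RESTRICT_SYSLOG=3; add $PHP_USER to ${rsg:-RESTRICT_SYSLOG_GROUP} (usermod -aG) and restart the PHP/web service"
    fi
}
if [ -S "$SOCK" ]; then main; fi
```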
Re: PHP -> Syslog
Very good, thanks for your report, rpr