ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20130703/20130703-1247 (Permission denied) [hostname "blah.com"]
I have carefully followed the installation instructions at https://www.atomicorp.com/wiki/index.ph ... ith_cpanel, and also at http://puntapirata.com/How-to-Install-ModSec-Rules.php
Here is my modsec2.user.conf:
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecAuditLogType Concurrent
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 20621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyLimit 20621440
SecRequestBodyInMemoryLimit 2062144
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
# ADD THE FOLLOWING LINE ONLY IF YOU HAVE CXS INSTALLED!
# cxs web script scanning
#SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
SecAuditLogDirMode 0777
SecAuditLogFileMode 0777
#WORDPRESS BRUTE FORCE LOGIN PROTECTION
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 8 hours, more than 6 login attempts in 1 hour.'"
# Tracking - 302 means that the login was successful and the user is being redirected. in this case we reset the counter to 0
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
# 200 means we're staying on the login page, therefore login was unsuccessful.
# increment the counter by 1, decrementing it by 1 every hour (60 x 60 = 3600)
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/3600,id:5000137"
# check for > 6 on the counter. if > 6 then set the block flag to prevent further access,
# set the block flag to expire in 8 hours (60 * 60 *8 = 28800). reset the counter to 0
SecRule ip:bf_counter "@gt 6" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=28800,setvar:ip.bf_counter=0"
</Locationmatch>
# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
Here is a directory listing for /var/asl/data/audit:
drwxrwxrwx 6 nobody nobody 4096 Jul 3 00:55 ./
drwxr-xr-x 5 root root 4096 Jun 28 17:05 ../
drwxr-xr-x 3 profi??? profi??? 4096 Jun 28 19:07 20130628/
drwxr-xr-x 3 ben??? bent??? 4096 Jul 1 15:29 20130701/
drwxr-xr-x 15 use??? use??? 4096 Jul 2 19:23 20130702/
drwxr-xr-x 6 use??? use??? 4096 Jul 3 10:29 20130703/
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
drwxrwx-w- 6 nobody nobody 4096 Jul 3 00:55 ./
drwxr-xr-x 5 root root 4096 Jun 28 17:05 ../
drwxrwx--- 3 profi??? profi??? 4096 Jun 28 19:07 20130628/
drwxrwx--- 3 ben??? ben??? 4096 Jul 1 15:29 20130701/
drwxrwx--- 15 use??? use??? 4096 Jul 2 19:23 20130702/
drwxrwx--- 6 use??? use??? 4096 Jul 3 10:29 20130703/
I am using ModSecurity for Apache/2.7.3, on top of cPanel 11.38 with mod_ruid2 enabled.
Any help greatly appreciated!
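The listing above shows each date directory under the audit storage dir owned by a different account with mode 0755, and under mod_ruid2 the request that has to create the per-transaction subdirectory runs as the serving account's UID, so creation fails whenever another account's request created that day's directory. The following added example is my own diagnostic check, not the poster's or ModSecurity's code; it assumes a listing in `ls -l` form (the account names embedded here are constructed placeholders) and applies the POSIX owner/group/other rule to report which date directories would reject subdirectory creation for a given account.

```python
import re

# Constructed sample mirroring the first listing in the post (account names are placeholders).
SAMPLE_LISTING = """\
drwxrwxrwx 6 nobody nobody 4096 Jul 3 00:55 ./
drwxr-xr-x 5 root root 4096 Jun 28 17:05 ../
drwxr-xr-x 3 profi profi 4096 Jun 28 19:07 20130628/
drwxr-xr-x 3 ben ben 4096 Jul 1 15:29 20130701/
drwxr-xr-x 15 use use 4096 Jul 2 19:23 20130702/
drwxr-xr-x 6 use use 4096 Jul 3 10:29 20130703/
"""

LS_LINE = re.compile(
    r"^([dl-])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+([^/\s]+)/?\s*$")


def parse_ls(listing):
    """Parse `ls -l` lines into (name, mode_bits, owner, group); directories only."""
    entries = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m or m.group(1) != "d":
            continue
        perms, owner, group, name = m.group(2), m.group(3), m.group(4), m.group(5)
        bits = 0
        for i, ch in enumerate(perms):
            # lowercase s/t mean setuid/setgid/sticky *plus* the x bit; S/T mean no x
            if ch in "rwxst":
                bits |= 1 << (8 - i)
        entries.append((name, bits, owner, group))
    return entries


def can_create_subdir(bits, owner, group, user, user_groups=()):
    """POSIX check: creating a child needs write+search (wx) on the parent, taken from
    the owner class if `user` owns it, else the group class if `user` is in its group,
    else the 'other' class. root bypasses discretionary access control."""
    if user == "root":
        return True
    shift = 6 if user == owner else 3 if group in user_groups else 0
    return (bits >> shift) & 0o3 == 0o3


def blocked_dirs(listing, user, user_groups=()):
    """Date directories in which `user` cannot create the per-transaction
    subdirectory that SecAuditLogType Concurrent needs (the error in the post)."""
    return [name for name, bits, owner, group in parse_ls(listing)
            if name not in (".", "..")
            and not can_create_subdir(bits, owner, group, user, user_groups)]
```

Running `blocked_dirs(SAMPLE_LISTING, account, (account,))` for each account shows that every account is locked out of the date directories created by the others, which is why the failure only appears for some sites and not for whichever account happened to create that day's directory first.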