SenseLog (Log Analysis)

This module is responsible for analyzing log files on your server and responding with the appropriate actions to any malicious activity it finds. New log file locations are constantly being added to auto-detection. New log analyzer rules are first applied in test mode: all test incidents generated this way are analyzed for false positives so the false-positive rate can be kept low. These test incidents do not show up on the dashboard.

BitNinja can find log files in the following paths at the moment:

Apache access logs

  • Debian / Ubuntu default path: /var/log/apache2/access.log
  • RHEL / Red Hat / CentOS / Fedora Linux default: /var/log/httpd/access_log
  • FreeBSD default: /var/log/httpd-access.log
  • /home/accesslog/access.log
  • Plesk vhosts: /var/www/vhosts/[domain]/statistics/log/access_log
  • /var/www/vhosts/[domain]/system/log/access_log
  • Virtualmin vhost logs: /var/log/virtualmin/\*access_log
  • cPanel logs: /usr/local/apache/logs/access_log
  • cPanel per user logs: /usr/local/apache/domlogs/
  • DirectAdmin vhost logs
  • /var/log/httpd/domains/

Apache error logs

  • Debian: /var/log/apache2/error.log
  • CentOS: /var/log/httpd/error_log
  • FreeBSD: /var/log/httpd-error.log
  • Plesk vhosts error logs: /var/www/vhosts/[domain]/statistics/log/error_log
  • /var/www/vhosts/[domain]/system/log/error_log
  • Virtualmin vhosts error logs
  • cPanel error logs: /usr/local/apache/logs/error_log

NginX access logs

  • /var/log/nginx/access.log

NginX error logs

  • /var/log/nginx/error.log

System-wide logs

  • Debian: /var/log/auth.log
  • CentOS: /var/log/secure
  • /var/log/messages

cPanel logs

  • /usr/local/cpanel/logs/login_log

Exim4 logs

  • Debian: /var/log/exim4/mainlog
  • CentOS: /var/log/exim/main.log
  • cPanel, Plesk: /var/log/exim_mainlog

Tip: The anti-brute-force rule in SenseLog for Exim4 is disabled, as it caused too many false positives in the past. Add this line to the SenseLog module's config to enable it: enabled[] = '25_1_003'

Postfix logs

Tip: The anti-brute-force rule in SenseLog for Postfix is disabled, as it caused too many false positives in the past. Add this line to the SenseLog module's config to enable it: enabled[] = '25_1_004'

  • /var/log/maillog
  • /var/log/mail.log

Dovecot logs

Tip: The anti-brute-force rule in SenseLog for Dovecot is disabled; it can be enabled from the config file of the SenseLog module (available from version 2.28.16 and above) by uncommenting this line: enabled[] = '25_1_002'

  • /var/log/dovecot.log

ProFTP logs

  • /var/log/proftpd/proftpd.log

VsFtp logs

  • /var/log/vsftpd.log

PureFtp logs

  • /var/log/messages
  • /var/log/pure-ftpd.log

Tip: The anti-brute-force rule in SenseLog for PureFtp is disabled by default. Add this line to the module's config to enable it: enabled[] = 'FtpPureftp'

MySQL logs

  • Detected from the files opened by the MySQL processes; the file name must end with .err.

Configuration

You can find the configuration file for this module at /etc/bitninja/SenseLog/config.ini.

Disabling rules

BitNinja has several supervisors, each of which is responsible for recognising a specific attack and banning the originating IP.

The details of the patterns will be documented later, once the patterns themselves are included in the documentation. Every application with log analyzer rules has one or more supervisors, each of which controls the following components:

  • a set of log paths in which the module should search for the given patterns
  • an action which defines what to do with the IPs found
  • a set of patterns and thresholds which triggers the supervisor's action

You can completely disable a supervisor if you want to skip analyzing the log files of the application it belongs to.

The snippet below shows how to disable supervisors.

;
; Example: Enable/Disable Supervisors
;
[supervisor]

disabled[] = 'ApacheNoscript'
disabled[] = 'FtpVsftpd'

The list of available supervisors

  • ApacheAbdul protects against attacks with abdullkarem in the request string. For further information, see our blog post.
  • ApacheE107 finds directory traversal attacks for vulnerable E107 installations.
  • ApacheGooglemap2 prevents reflective DDoS attacks via plugin_googlemap2.
  • ApacheJoomla recognises and prevents Autoshell upload attempts.
  • ApacheJoomlaLogin prevents brute-force attacks against Joomla sites.
  • ApacheMagento protects against Magento vulnerabilities including directory traversal using magmi.php.
  • ApacheParentDenied gives protection against a broad range of directory traversal attacks.
  • ApacheRecommendedSite prevents spamming attempts of a known botnet.
  • ApacheShellshockFilter protects against code injection over Shellshock.
  • ApacheSuspiciousUserAgent finds requests from well-known tools based on the user agent.
  • ApacheWpConfig is used against directory traversal attacks targeting wp-config.php.
  • ApacheWpEnumeration prevents WordPress user enumeration attacks.
  • ApacheWpLogin prevents brute-force attacks against WordPress-based sites.
  • ApacheWpXmlrpc prevents reflective DDoS attacks via xmlrpc.php.
  • ApacheWpXmlrpcSuspiciousUserAgent quickly prevents brute-force attacks from a known bot.
  • CpanelLogin protects cPanel accounts from brute-force attacks.
  • FtpProftpd prevents brute-force attacks against ProFTP servers.
  • FtpPureftpd prevents brute-force attacks against PureFTP servers.
  • FtpVsftpd prevents brute-force attacks against VsFTP servers.
  • MysqlLogin prevents brute-force attacks against MySQL servers.
  • NginxHttpAuth protects sites with basic HTTP authentication against brute-force attacks.
  • PostfixLogin prevents brute-force attacks against Postfix servers.
  • SshdLoginfail prevents brute-force attacks against OpenSSH servers.

Specifying custom log paths

Custom log paths can be added to every available log detector with the lines shown below. Do not add rotated log files to the paths: they duplicate incidents, which distorts your statistics. Also note that SenseLog can currently handle only 3000 - 4000 log files. Above this number SenseLog might crash and retry log file detection. This limitation will be resolved shortly.

;
; Custom log paths for LogDetectors
; The ini array 'logpathes' can be a path to a file or a pattern, like: /var/log/vhost_*/*_access.log .
; This pattern will load all matching logfiles to the monitored list.
;

[ApacheAccess]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'


[ApacheError]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[Auth]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[CpanelLogin]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[Exim]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[FtpProftpd]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[FtpPureftpd]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[FtpVsftpd]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[MysqlError]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[NginxError]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[PostfixLogin]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

SenseLog configuration can be reloaded via the BitNinja CLI without restarting BitNinja, so your changes are applied immediately.

bitninjacli --module=SenseLog --reload
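The following script is an added example, not BitNinja's own code, that lints a SenseLog-style config.ini before you reload the module. It covers both of the sections above: it parses the PHP-style ini array syntax (`key[] = 'value'`, `;` comments) used for `disabled[]`/`enabled[]` under `[supervisor]` and for `logpathes[]` under the detector sections, expands each `logpathes[]` entry as a glob, flags entries that match nothing or that look like rotated log files (which the documentation says duplicate incidents), warns when the total number of monitored files goes past the documented 3000-file limit, and reports a supervisor listed as both enabled and disabled. The rotation-suffix heuristic, the placement of `enabled[]` under `[supervisor]`, and the sample config and file list are assumptions constructed for the example.

```python
"""Lint a SenseLog-style config.ini before reloading the module.

Added example, not BitNinja's code. Assumes the PHP-style ini layout shown in
the documentation (';' comments, [Section] headers, key[] = 'value' arrays).
"""
import fnmatch
import glob
import re
from collections import defaultdict

FILE_LIMIT = 3000  # lower end of the documented 3000-4000 file range
# Heuristic (assumed) suffixes produced by logrotate-style rotation.
ROTATED = re.compile(r"(\.\d+|\.gz|\.bz2|\.xz|\.old|-\d{8})$")
_ARRAY_KEY = re.compile(r"^([A-Za-z0-9_]+)\[\]\s*=\s*'([^']*)'$")


def parse_ini(text):
    """Return {section: {key: [values, ...]}} for key[] = 'value' lines.

    configparser collapses repeated keys, so a purpose-built parser is used.
    Non-array keys and double-quoted values are ignored on purpose.
    """
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = _ARRAY_KEY.match(line)
        if m and current is not None:
            sections[current][m.group(1)].append(m.group(2))
    return sections


def lint(sections, expand=glob.glob):
    """Return a list of findings; `expand` is injectable for offline testing."""
    findings = []
    total = 0
    for section, keys in sections.items():
        for pattern in keys.get("logpathes", []):
            matches = expand(pattern)
            if not matches:
                findings.append(f"{section}: '{pattern}' matches no file (yet)")
            for path in matches:
                total += 1
                if ROTATED.search(path):
                    findings.append(
                        f"{section}: '{path}' looks rotated; would duplicate incidents")
    if total > FILE_LIMIT:
        findings.append(f"{total} monitored files exceeds the {FILE_LIMIT} file limit")
    sup = sections.get("supervisor", {})
    for name in sorted(set(sup.get("enabled", [])) & set(sup.get("disabled", []))):
        findings.append(f"supervisor: '{name}' is both enabled[] and disabled[]")
    return findings


# Constructed sample config (section and key names are the documented ones).
SAMPLE_CONFIG = """\
[supervisor]
disabled[] = 'ApacheNoscript'
disabled[] = 'FtpVsftpd'
enabled[] = 'FtpVsftpd'

[ApacheAccess]
logpathes[] = '/var/log/vhost_*/*_access.log'
;logpathes[] = '/path/to/your/log2'

[Exim]
logpathes[] = '/var/log/exim4/mainlog'
logpathes[] = '/var/log/exim4/mainlog.1'
"""

# Constructed file list standing in for the server's filesystem.
FAKE_FS = [
    "/var/log/vhost_a/site_access.log",
    "/var/log/vhost_b/site_access.log",
    "/var/log/exim4/mainlog",
    "/var/log/exim4/mainlog.1",
]


def fake_glob(pattern):
    """Offline stand-in for glob.glob over the constructed file list."""
    return [p for p in FAKE_FS if fnmatch.fnmatch(p, pattern)]


if __name__ == "__main__":
    for finding in lint(parse_ini(SAMPLE_CONFIG), expand=fake_glob):
        print(finding)
```

Against a live server, call `lint(parse_ini(open("/etc/bitninja/SenseLog/config.ini").read()))` with the default `glob.glob` expander and run `bitninjacli --module=SenseLog --reload` only once the findings list is empty. On the constructed sample the script reports the rotated `mainlog.1` entry and the `FtpVsftpd` supervisor that is listed as both enabled and disabled.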