Log Analysis

Module name: SenseLog

This module is responsible for analyzing log files on your server and responding with the appropriate actions to any malicious activity found. New log file locations are constantly added for auto-detection. New log analyzer rules are first applied in test mode. All test incidents generated this way are analyzed for false positives so that the false-positive rate stays low. These test incidents will not show up on the dashboard.

BitNinja can find log files in the following paths at the moment:

Apache access logs

  • Debian / Ubuntu default path - /var/log/apache2/access.log
  • RHEL / Red Hat / CentOS / Fedora Linux default - /var/log/httpd/access_log
  • FreeBSD default - /var/log/httpd-access.log
  • /home/accesslog/access.log
  • Plesk vhosts at - /var/www/vhosts/[domain]/statistics/log/access_log
  • /var/www/vhosts/[domain]/system/log/access_log
  • Virtualmin vhost logs at - /var/log/virtualmin/*access_log
  • cPanel logs at /usr/local/apache/logs/access_log
  • cPanel per user logs at /usr/local/apache/domlogs/
  • DirectAdmin vhost logs at /var/log/httpd/domains/

Apache error logs

  • Debian /var/log/apache2/error.log
  • CentOS /var/log/httpd/error_log
  • FreeBSD /var/log/httpd-error.log
  • Plesk vhosts error logs - /var/www/vhosts/[domain]/statistics/log/error_log
  • /var/www/vhosts/[domain]/system/log/error_log
  • Virtualmin vhosts error logs
  • cPanel error logs at /usr/local/apache/logs/error_log

NginX access logs

  • /var/log/nginx/access.log

NginX error logs

  • /var/log/nginx/error.log

System-wide logs

  • Debian /var/log/auth.log
  • CentOS /var/log/secure
  • /var/log/messages

cPanel logs

  • /usr/local/cpanel/logs/login_log

Exim4 logs

  • Debian /var/log/exim4/mainlog
  • CentOS /var/log/exim/main.log
  • cPanel, Plesk /var/log/exim_mainlog

Postfix logs

  • /var/log/maillog
  • /var/log/mail.log

ProFTP logs

  • /var/log/proftpd/proftpd.log

VsFtp logs

  • /var/log/vsftpd.log

MySQL logs

  • Based on the files opened by the MySQL processes; the file name should end with .err

Configuration

You can find the configuration file for this module at /etc/bitninja/SenseLog/config.ini .

Disabling rules

BitNinja has several supervisors, each of which is responsible for recognising a specific attack and banning the originating IP.

The configuration snippet below shows how to disable supervisors.

;
; Example: Enable/Disable Supervisors
;
[supervisor]

disabled[] = 'ApacheNoscript'
disabled[] = 'FtpVsftpd'

The list of available supervisors

  • ApacheAbdul protects against attacks with abdullkarem in the request string. For further information, see our blog post.
  • ApacheE107 finds directory traversal attacks for vulnerable E107 installations.
  • ApacheGooglemap2 prevents reflective DDoS attacks via plugin_googlemap2.
  • ApacheJoomla recognises and prevents Autoshell upload attempts.
  • ApacheJoomlaLogin prevents brute-force attacks against Joomla sites.
  • ApacheMagento protects against Magento vulnerabilities including directory traversal using magmi.php.
  • ApacheParentDenied gives protection against a broad range of directory traversal attacks.
  • ApacheRecommendedSite prevents spamming attempts of a known botnet.
  • ApacheShellshockFilter protects against code injection over Shellshock.
  • ApacheSuspiciousUserAgent finds requests from well-known tools based on the user agent.
  • ApacheWpConfig is used against directory traversal attacks targeting wp-config.php.
  • ApacheWpEnumeration prevents WordPress user enumeration attacks.
  • ApacheWpLogin prevents brute-force attacks against WordPress-based sites.
  • ApacheWpXmlrpc prevents reflective DDoS attacks via xmlrpc.php.
  • ApacheWpXmlrpcSuspiciousUserAgent quickly prevents brute-force attacks from a known bot.
  • CpanelLogin protects cPanel accounts from brute-force attacks.
  • FtpProftpd prevents brute-force attacks against ProFTP servers.
  • FtpPureftpd prevents brute-force attacks against PureFTP servers.
  • FtpVsftpd prevents brute-force attacks against VsFTP servers.
  • MysqlLogin prevents brute-force attacks against MySQL servers.
  • NginxHttpAuth protects sites with basic HTTP authentication against brute-force attacks.
  • PostfixLogin prevents brute-force attacks against Postfix servers.
  • SshdLoginfail prevents brute-force attacks against OpenSSH servers.

Specifying custom log paths

Custom log paths can be added to every available log detector via the lines below. Do not add rotated log files to these paths: the same entries would be processed twice, producing duplicate incidents and anomalies in your statistics. Please also note that SenseLog can currently handle only about 3000 - 4000 log files. Above this number SenseLog might crash and retry log file detection. This limitation will be resolved shortly.

;
; Custom log paths for LogDetectors
; The ini array 'logpathes' can be a path to a file or a pattern, like /var/log/vhost_*/*_access.log
; This pattern will load all matching logfiles to the monitored list.
;

[ApacheAccess]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'
[ApacheError]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[Auth]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[CpanelLogin]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[Exim]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[FtpProftpd]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[FtpPureftpd]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[FtpVsftpd]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[MysqlError]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[NginxError]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[PostfixLogin]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'
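A small checker for the custom log path section above, written for this page as an added example (not BitNinja's own code): it expands every logpathes[] pattern, flags rotated files, which the text warns will duplicate incidents, and counts the monitored files against the 3000 - 4000 file limit. The sample config and vhost tree are constructed; the 3000 threshold and the rotated-name suffixes are assumptions.

```python
import glob
import os
import re
import tempfile

FILE_LIMIT = 3000  # lower bound of the 3000-4000 file limit stated above
ROTATED = re.compile(r"\.(\d+|gz|bz2|xz)$|[-.]\d{8}(\.gz)?$")  # .1, .gz, -20240101

def parse_logpathes(ini_text):
    """Collect PHP-style 'logpathes[] = ...' entries per [section]; ';' lines are comments."""
    paths, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        if key.strip() == "logpathes[]" and section:
            paths.setdefault(section, []).append(value.strip().strip("'\""))
    return paths

def lint_logpathes(paths):
    """Expand every pattern; return (monitored file count, warnings)."""
    matched, warnings = set(), []
    for section, patterns in paths.items():
        for pattern in patterns:
            hits = glob.glob(pattern)
            if not hits:
                warnings.append(f"[{section}] {pattern}: matches no file")
            for hit in hits:
                if ROTATED.search(hit):
                    warnings.append(f"[{section}] {hit}: rotated log, duplicates incidents")
                matched.add(hit)
    if len(matched) >= FILE_LIMIT:
        warnings.append(f"{len(matched)} files reach the {FILE_LIMIT} file limit")
    return len(matched), warnings

def demo():
    """Constructed vhost tree and config exercising both checks."""
    root = tempfile.mkdtemp()
    vhost = os.path.join(root, "vhost_a")
    os.makedirs(vhost)
    for name in ("site1_access.log", "site1_access.log.1", "site2_access.log"):
        open(os.path.join(vhost, name), "w").close()
    ini = (f"[ApacheAccess]\nlogpathes[] = '{root}/vhost_*/*_access.log'\n"
           f"logpathes[] = '{root}/vhost_*/*.log.1'\n;logpathes[] = '/path/to/your/log2'\n"
           f"[ApacheError]\nlogpathes[] = '{root}/missing/error_log'\n")
    return lint_logpathes(parse_logpathes(ini))
```

Run it against your real /etc/bitninja/SenseLog/config.ini before reloading the module; a rotated-log or no-match warning means the path list needs fixing.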

SenseLog configuration can be reloaded via the BitNinja CLI without restarting BitNinja, so your changes are applied instantly.

bitninjacli --module=SenseLog --reload