
SenseLog

This module analyzes the log files on your server and responds with the appropriate action to any malicious activity it finds. Support for new log files is added constantly for auto-detection. New log analyzer rules are first applied in test mode: all test incidents generated this way are analyzed for false positives so we can keep the rate low, and these incidents do not show up on the dashboard.

BitNinja can find log files in the following paths at the moment:

Apache access logs

  • Debian / Ubuntu default path: /var/log/apache2/access.log
  • RHEL / Red Hat / CentOS / Fedora Linux default: /var/log/httpd/access_log
  • FreeBSD default: /var/log/httpd-access.log
  • /home/accesslog/access.log
  • Plesk vhosts: /var/www/vhosts/[domain]/statistics/log/access_log
  • /var/www/vhosts/[domain]/system/log/access_log
  • Virtualmin vhost logs: /var/log/virtualmin/*access_log
  • cPanel logs: /usr/local/apache/logs/access_log
  • cPanel per user logs: /usr/local/apache/domlogs/
  • DirectAdmin vhost logs: /var/log/httpd/domains/

Apache error logs

  • Debian: /var/log/apache2/error.log
  • CentOS: /var/log/httpd/error_log
  • FreeBSD: /var/log/httpd-error.log
  • Plesk vhosts error logs: /var/www/vhosts/[domain]/statistics/log/error_log
  • /var/www/vhosts/[domain]/system/log/error_log
  • Virtualmin vhosts error logs
  • cPanel error logs: /usr/local/apache/logs/error_log

NginX access logs

  • /var/log/nginx/access.log

NginX error logs

  • /var/log/nginx/error.log

System-wide logs

  • Debian: /var/log/auth.log
  • CentOS: /var/log/secure
  • /var/log/messages

cPanel logs

  • /usr/local/cpanel/logs/login_log

Exim4 logs

  • Debian: /var/log/exim4/mainlog
  • CentOS: /var/log/exim/main.log
  • cPanel, Plesk: /var/log/exim_mainlog

Postfix logs

tip

The anti-brute-force rule in SenseLog for Postfix is disabled, as it caused too many false positives in the past.

  • /var/log/maillog
  • /var/log/mail.log

Dovecot logs

tip

The anti-brute-force rule in SenseLog for Dovecot is disabled; however, it can be enabled from the config file of the SenseLog module. Available from version 2.28.16 and above. Uncomment this line: `enabled[] = '25_1_002'`

  • /var/log/dovecot.log

ProFTP logs

  • /var/log/proftpd/proftpd.log

VsFtp logs

  • /var/log/vsftpd.log

MySQL logs

  • Based on the files opened by the MySQL processes; its name should end with .err.

Configuration

You can find the configuration file for this module at /etc/bitninja/SenseLog/config.ini.

Disabling rules

BitNinja has several supervisors, each of which is responsible for recognising a specific attack and banning the originating IP.

The details will be documented later, when the patterns are included in the documentation. Every application with log analyzer rules has one or more supervisors, each of which controls the following components:

  • a set of log paths in which the module should search for the given patterns

  • an action which defines what to do with the IPs found

  • a set of patterns and thresholds which triggers the supervisor's action

You can completely disable a supervisor if you would like to skip analyzing the log files of the application it belongs to.

The code snippet below shows how to disable supervisors.

;
; Example: Enable/Disable Supervisors
;
[supervisor]

disabled[] = 'ApacheNoscript'
disabled[] = 'FtpVsftpd'

The list of available supervisors

* **ApacheAbdul** protects against attacks with abdullkarem in the request string. For further information, see `our blog post <https://bitninja.io/blog/2015/10/25/abdullkarem-attack-hack-against-sysadmins-bad-practice>`_.
* **ApacheE107** finds directory traversal attacks for vulnerable E107 installations.
* **ApacheGooglemap2** prevents reflective DDoS attacks via plugin_googlemap2.
* **ApacheJoomla** recognises and prevents Autoshell upload attempts.
* **ApacheJoomlaLogin** prevents brute-force attacks against Joomla sites.
* **ApacheMagento** protects against Magento vulnerabilities including directory traversal using magmi.php.
* **ApacheParentDenied** gives protection against a broad range of directory traversal attacks.
* **ApacheRecommendedSite** prevents spamming attempts of a known botnet.
* **ApacheShellshockFilter** protects against code injection over Shellshock.
* **ApacheSuspiciousUserAgent** finds requests from well-known tools based on the user agent.
* **ApacheWpConfig** is used against directory traversal attacks targeting `wp-config.php`.
* **ApacheWpEnumeration** prevents WordPress user enumeration attacks.
* **ApacheWpLogin** prevents brute-force attacks against WordPress-based sites.
* **ApacheWpXmlrpc** prevents reflective DDoS attacks via `xmlrpc.php`.
* **ApacheWpXmlrpcSuspiciousUserAgent** quickly prevents brute-force attacks from a known bot.
* **CpanelLogin** protects cPanel accounts from brute-force attacks.
* **FtpProftpd** prevents brute-force attacks against ProFTP servers.
* **FtpPureftpd** prevents brute-force attacks against PureFTP servers.
* **FtpVsftpd** prevents brute-force attacks against VsFTP servers.
* **MysqlLogin** prevents brute-force attacks against MySQL servers.
* **NginxHttpAuth** protects sites with basic HTTP authentication against brute-force attacks.
* **PostfixLogin** prevents brute-force attacks against Postfix servers.
* **SshdLoginfail** prevents brute-force attacks against OpenSSH servers.

Specifying custom log paths

Custom log paths can be added to every available log detector via the lines below. Do not add rotated log files to the paths, because they would duplicate incidents and distort your statistics. Please also note that SenseLog can currently handle only 3000 - 4000 log files; above this number SenseLog might crash and retry detecting log files. This limitation will be addressed shortly.

;
; Custom log paths for LogDetectors
; The ini array 'logpathes' can be a path to a file or a pattern, like: /var/log/vhost_*/*_access.log .
; This pattern will load all matching logfiles to the monitored list.
;

[ApacheAccess]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'


[ApacheError]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[Auth]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[CpanelLogin]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[Exim]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[FtpProftpd]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[FtpPureftpd]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[FtpVsftpd]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[MysqlError]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[NginxError]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

[PostfixLogin]
;logpathes[] = '/path/to/your/log'
;logpathes[] = '/path/to/your/log2'

SenseLog configuration can be reloaded via the BitNinja CLI without restarting BitNinja, so your changes take effect immediately.

bitninjacli --module=SenseLog --reload
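Before reloading, it is worth checking that the `disabled[]` and `logpathes[]` entries you edited above will do what you expect: that every pattern matches at least one file, that no rotated log (which would duplicate incidents) is matched, and that the total stays under the 3000-file limit. The checker below is an added example, not BitNinja's own code; the rotated-log suffix heuristic, the sample config and the fake glob results are constructed assumptions.

```python
import glob
import re

# Constructed heuristics, not BitNinja's rules: rotated-log suffixes, and the 3000-file limit.
ROTATED = re.compile(r"(\.\d+|\.gz|\.bz2|\.xz|-\d{8})$")
MAX_FILES = 3000
SECTION = re.compile(r"^\[(\w+)\]$")
ARRAY = re.compile(r"^(\w+)\[\]\s*=\s*'([^']*)'$")

def parse_senselog_ini(text):
    """Parse PHP-style ini arrays (key[] = 'value') into {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and ';' comments
            continue
        if m := SECTION.match(line):
            current = sections.setdefault(m.group(1), {})
        elif (m := ARRAY.match(line)) and current is not None:
            current.setdefault(m.group(1), []).append(m.group(2))
    return sections

def check_logpaths(sections, expand=glob.glob):
    """Expand each logpathes[] entry; return (file_count, problems) for unmatched
    patterns, rotated files (duplicate incidents) and the documented file limit."""
    problems, total = [], 0
    for section, keys in sections.items():
        for pattern in keys.get("logpathes", []):
            matches = expand(pattern)
            if not matches:
                problems.append(f"{section}: '{pattern}' matches no file")
            for path in matches:
                total += 1
                if ROTATED.search(path):
                    problems.append(f"{section}: '{path}' looks like a rotated log")
    if total >= MAX_FILES:
        problems.append(f"{total} monitored files reach the {MAX_FILES}-file limit")
    return total, problems

# Constructed sample config and a fake glob() result so the example runs offline.
SAMPLE_INI = """[supervisor]
disabled[] = 'ApacheNoscript'
disabled[] = 'FtpVsftpd'
[ApacheAccess]
logpathes[] = '/var/log/vhost_*/*_access.log'
;logpathes[] = '/path/to/your/log2'
"""
FAKE_FS = {"/var/log/vhost_*/*_access.log": [
    "/var/log/vhost_a/site_access.log", "/var/log/vhost_a/site_access.log.1"]}
```

On a real server, read /etc/bitninja/SenseLog/config.ini into `parse_senselog_ini` and call `check_logpaths` with the default `glob.glob` to expand the patterns against the actual filesystem.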