Dummy Question about Firewall Log Activity

SudsMixer

New Member
So, I'm a complete greenhorn to the world of VPS.

I've finally managed to set up my firewall so that it works--on setting high, with a few tweaks allowing for just a little more leniency. Brute Force is also on; and WordFence on WP. Updated, patched, and so forth.

The logs are MASSIVE. Well, I think they are anyway. I'm fine with them being verbose, have gmail rules to take care of the deluge; and as long as it does not degrade server performance I'm A-OK with it.

The question is; how much door knocking (number of log-lines in ModSecurity Tools per day) should there be before I should get nervous? I feel like a cow in a swarm of mosquitoes. Swat one, and ten others bite.

So; how much is too much in terms of attempted attacks? --As in when do I call support and say help; they're trying to hack me?
And for you budget-conscious pros; what tools do you use to help automate your management of the vermin? (Note: I can barely code my way out of a paper bag...)

Thank you all so so very much! :)

Nina ~ AKA Sudsmixer
 
>and as long as it does not degrade server performance I'm A-OK with it.

No, this should be fine. As long as gmail is happy with your emails (SPF, DKIM (in version 78 of WHM / cPanel) and DMARC) it shouldn't rate-limit / block the emails.

>how much door knocking (number of log-lines in ModSecurity Tools per day) should there be before I should get nervous?

Yum, information overload. modsec is looking out for exploits in urls and blocking them so you should be good there. Best to be concerned with what you can control... that is keeping your WordPress install updated along with the plugins and themes.

>So; how much is too much in terms of attempted attacks? --As in when do I call support and say help; they're trying to hack me?

If you're worried you can always contact us and we'll take a look for you. Generally you want to be concerned when you STOP receiving reports.

>And for you budget-conscious pros; what tools do you use to help automate your management of the vermin?

WordFence is good; wp-cerber is good as well.

Let us know if you have any further questions! :)
 
Thank you so much Riley! :) I have WordFence, and I'll take a look at WP-cerber. I also have CloudFlare on one site. That said, I'd love to learn about as many tools as possible.

It is good to know that I should get worried when it gets quiet instead. That makes me feel good.

I also forgot to mention; the logs are all set up to cycle on the server, so they should not pile up.

Questions, I have many. :p Just getting warmed up!

Right now I'm looking for a way to export the ModSec logs. I want to get them into Excel on my desktop, so that I can perma-block unique IPs according to level of infraction, and do it in one operation; say per week.

Grateful for any good tips. :)

PS: I got FTP set up, but am a weakling in Terminal so scripts need to be fed to me via teaspoon.
 
Hey there SudsMixer!

>Right now I'm looking for a way to export the ModSec logs. I want to get them into Excel on my desktop, so that I can perma-block unique IPs according to level of infraction, and do it in one operation; say per week.

I have Mod-security log to a file rather than to the SQL database myself, but in your WHM you'll find phpMyAdmin; once you go in there, locate the Mod-security database and just export it.

There's actually more to it than just the Mod-security logs though. There's also cPanel logs (/usr/local/cpanel/logs/access_log), ssh logs (/var/log/secure), ftp logs (/var/log/messages), and smtp logs (/var/log/maillog).

The good news is that CSF can manage that for you. In the options for CSF (in WHM) you can set the number of infractions to trigger a block and you can even set it to be a temporary or permanent block.

Not that I'm trying to throw fuel on the fire for you...I'm just trying to point out that you can very quickly become completely buried in log files and IP numbers if you go too far down that rabbit hole.

Hope that helps!
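For the "export and rank IPs by level of infraction" step, here is an added example that is not from the thread or from cPanel/CSF: a small Python script that parses ModSecurity 2 events in Apache error_log format (the per-line `[client ...] ... [id "..."] ... [severity "..."]` shape), scores each source IP by rule severity, and writes a CSV you can open in Excel. The log lines, IPs, rule ids and severity weights are constructed for the demo; the regex assumes IPv4 clients, and the threshold plays the role of the CSF infraction count Dan mentions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample events (documentation IPs, made-up rule ids), not a real log.
SAMPLE_LOG = """\
[Mon Mar 04 10:12:33.123456 2019] [:error] [pid 4321] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). [id "941100"] [msg "XSS Attack Detected"] [severity "CRITICAL"] [uri "/wp-login.php"]
[Mon Mar 04 10:12:35.223456 2019] [:error] [pid 4321] [client 203.0.113.5:51236] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [uri "/"]
[Mon Mar 04 10:13:01.000001 2019] [:error] [pid 4322] [client 198.51.100.9:40000] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/?s=1"]
[Mon Mar 04 10:13:02.000001 2019] [:error] [pid 4322] [client 203.0.113.5:51240] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/?s=1"]
[Mon Mar 04 10:14:00.000001 2019] [:error] [pid 4323] [client 192.0.2.77:33000] ModSecurity: Warning. [id "920420"] [msg "Request content type is not allowed by policy"] [severity "CRITICAL"] [uri "/xmlrpc.php"]
"""

# IPv4 client, optional source port, then the rule id and severity tags (assumption: IPv4 only).
LINE_RE = re.compile(r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]'
                     r'.*?\[id "(?P<id>\d+)"\].*?\[severity "(?P<sev>[A-Z]+)"\]')

# Made-up weights so "level of infraction" is scored, not merely counted.
WEIGHTS = {"EMERGENCY": 5, "ALERT": 5, "CRITICAL": 3, "ERROR": 2, "WARNING": 1, "NOTICE": 1}

def summarize(log_text):
    """Return {ip: {"hits": n, "score": s, "rules": set(ids)}} over ModSecurity event lines."""
    per_ip = defaultdict(lambda: {"hits": 0, "score": 0, "rules": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a ModSecurity rule event (or not IPv4); skip it
        entry = per_ip[m["ip"]]
        entry["hits"] += 1
        entry["score"] += WEIGHTS.get(m["sev"], 1)  # unknown severity counts as 1
        entry["rules"].add(m["id"])
    return per_ip

def block_candidates(per_ip, min_score):
    """IPs whose weighted score reaches the threshold, highest score first."""
    hits = [(ip, d["score"]) for ip, d in per_ip.items() if d["score"] >= min_score]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]

def to_csv(per_ip):
    """Spreadsheet-friendly CSV: one row per IP, highest score first."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["ip", "hits", "score", "distinct_rules"])
    for ip, d in sorted(per_ip.items(), key=lambda kv: -kv[1]["score"]):
        w.writerow([ip, d["hits"], d["score"], " ".join(sorted(d["rules"]))])
    return out.getvalue()

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(to_csv(summary))
    print("block candidates (score >= 6):", block_candidates(summary, 6))
```

Point it at a real file by replacing SAMPLE_LOG with the contents of the ModSecurity log (or the phpMyAdmin export), and review the CSV before feeding any address into a permanent block so legitimate traffic caught by noisy rules is not banned.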
 
>I have Mod-security log to a file rather than to the SQL database myself, but in your WHM you'll find phpMyAdmin; once you go in there, locate the Mod-security database and just export it.

Thank you thank you thank you! :)

>There's actually more to it than just the Mod-security logs though. There's also cPanel logs (/usr/local/cpanel/logs/access_log), ssh logs (/var/log/secure), ftp logs (/var/log/messages), and smtp logs (/var/log/maillog).

>The good news is that CSF can manage that for you. In the options for CSF (in WHM) you can set the number of infractions to trigger a block and you can even set it to be a temporary or permanent block.

I have those delivered to e-mail; and the triggers set up on WHM. For right now, as I have the firewall set to high (with some tweaks), I have a higher number before perma-ban, as I am still trying to figure out how much legitimate traffic is not being perma-blocked.

Exporting the database will be perfect for now, thank you so much! :) It will also help me tune the CSF.

>Not that I'm trying to throw fuel on the fire for you...I'm just trying to point out that you can very quickly become completely buried in log files and IP numbers if you go too far down that rabbit hole.

Totally agree.

Thank you so much for all your help (again) Dan, you rock!! :)