Closed Githopp192 closed 6 years ago
The question is more .. is the new behave of NC13 as "to be designed" ?
That always worked like that. The behavior is designed like that and we don't plan to change it. So I will close this as a "works as expected". The reason for more logs is maybe due to that a scanning service somehow found your instance/IP and thus scans it more often than before.
Hey Morris .. i'm very glad yo don't want to change this .. 👍 :-)
I can work perfectly with this (run together with IDS/IPS System) ..
The questions related were more .. in NC 12 i did see also the HTTP/PHP error (Attacks) in the NC-log .. Now i do not .. (Log-Level on 1 = Info) .. so, may be there is something new, that those messages will not be reported anymore into the NC-Log !? .. (or has this to do maybe something with my settings ? -> config.php .. )?
The questions related were more .. in NC 12 i did see also the HTTP/PHP error (Attacks) in the NC-log .. Now i do not .. (Log-Level on 1 = Info) .. so, may be there is something new, that those messages will not be reported anymore into the NC-Log !? .. (or has this to do maybe something with my settings ? -> config.php .. )?
Ah - it could be that we changed the level, because it usually is a client error and an admin can do very little against this and thus it's better to not spam the log.
yes .. i think you did change this level of http-messages 👍, i do agree .. good decision not to spam the log with http-errors, better writing "Trusted Domain Error" and the admin could decide for himself to check the http_access.log for futhter information. I did decide to do something against .. this log now is the perfect prereq. for fail2ban. Next stept would be ..going to install some IDS/IPS (pfsense..) appliances. I don't want, that those ip-packets will reach the web server; of course i'm using https .. & http redirection to https .. but you never know :-)
Thx Morris .. your answer helped me better to understand, what is going on.
Steps to reproduce
Expected behaviour
this is more a question; is the current behave of NC13, logging bot-events as trusted domain errors
Actual behaviour
After upgrading from NC 12.0.6 to NC 13.0.2 i recognized, that there are a lot of "Trusted domain errors" into the nextcloud.log
In NC version 12.0.6. many HTTP-Scan/Attacks were reported as HPTT/PHP error into the log with the full details about the origin HTTP-Request .. like -->
xxxxxx- - [20/May/2018:22:51:28 +0200] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 400 4066 "-" "ZmEu" xxxxx- - [20/May/2018:22:51:28 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu" xxxxx- - [20/May/2018:22:51:28 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu" xxxxx- - [20/May/2018:22:51:28 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu" xxxx- - [20/May/2018:22:51:28 +0200] "GET /myadmin/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu" xxxxxx- - [20/May/2018:22:51:29 +0200] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu"
Now all those attacks will reported as "Trusted domain errors" into the nextcloud.log
Not a bad idea/behave i think .. because it's easier to track all those things into one log and being better prepapred for any attack prevention technique.
The question is more .. is the new behave of NC13 as "to be designed" ?
Server configuration detail
Operating system: Linux 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64
Webserver: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.16 (apache2handler)
Database: mysql 5.5.56
PHP version: 7.1.16 Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, apcu, bcmath, bz2, calendar, ctype, curl, dba, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, imap, intl, json, ldap, exif, mcrypt, mysqli, PDO, pdo_mysql, pdo_sqlite, Phar, posix, redis, shmop, SimpleXML, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, wddx, xmlreader, xmlwriter, xsl, memcached, zip, Zend OPcache
Nextcloud version: 13.0.2 - 13.0.2.1
Updated from an older Nextcloud/ownCloud or fresh install:
Updatd from NC 12.0.6
Where did you install Nextcloud from: nextcloud.com
Enabled:
{ "memcache.local": "\OC\Memcache\APCu", "filelocking.enabled": true, "redis": { "host": "REMOVED SENSITIVE VALUE", "port": 0, "dbindex": 0, "timeout": 1.5 }, "instanceid": "REMOVED SENSITIVE VALUE", "passwordsalt": "REMOVED SENSITIVE VALUE", "secret": "REMOVED SENSITIVE VALUE", "trusteddomains": [ "xxxx", "xxxx" ], "datadirectory": "REMOVED SENSITIVE VALUE", "overwrite.cli.url": "https:\/\/xxxxxxx", "htaccess.RewriteBase": "\/", "overwriteprotocol": "https", "dbtype": "mysql", "version": "13.0.2.1", "dbname": "REMOVED SENSITIVE VALUE", "dbhost": "REMOVED SENSITIVE VALUE", "dbport": "", "dbtableprefix": "oc", "mysql.utf8mb4": true, "dbuser": "REMOVED SENSITIVE VALUE", "dbpassword": "REMOVED SENSITIVE VALUE", "installed": true, "maintenance": false, "theme": "", "loglevel": 1, "updater.release.channel": "production", "auth.bruteforce.protection.enabled": true, "check_for_working_htaccess": true, "data-fingerprint": "xxxxxx", "mail_from_address": "REMOVED SENSITIVE VALUE", "mail_smtpmode": "smtp", "mail_smtpauthtype": "LOGIN", "mail_domain": "REMOVED SENSITIVE VALUE", "mail_smtpsecure": "xxx", "mail_smtpauth": 1, "mail_smtpname": "REMOVED SENSITIVE VALUE", "mail_smtppassword": "REMOVED SENSITIVE VALUE", "mail_smtphost": "REMOVED SENSITIVE VALUE", "mail_smtpport": "xxxx", "session_lifetime": xxxx, "session_keepalive": false, "logtimezone": "xxxxx", "logfile": "\/media\/log\/nextcloud.log", "knowledgebaseenabled": false }