: Best apache log file permissions on cpanel server In an effort to protect my site from bad bots including ridiculous hackers that can login to the server, I want to secure access_log and error_log

@Megan663

I basically agree with Simon Hayters statement that if they gained shell access - unless they had limited shell access by injection into say a php application that was using shell_exec - I personally would start thinking about restoring the system from trusted sources. But then the question becomes - if you don't learn how they got in that time - how can you stop them the next time? - having uncompromised log entries can help reconstruct the break in.

But to the question, here is how nginx (and from memory apache is the same) sets up log file permissions on Ubuntu 14.04.

$ls -al /var/log/
...
drwxr-s--- 2 mysql adm 4096 Nov 22 06:38 mysql
-rw-r----- 1 mysql adm 0 Nov 20 17:39 mysql.err
-rw-r----- 1 mysql adm 0 Nov 22 06:38 mysql.log
drwxr-x--- 2 www-data adm 4096 Nov 22 06:38 nginx
-rw------- 1 root root 0 Nov 22 06:38 php5-fpm.log
-rw-r----- 1 syslog adm 9734 Nov 23 00:17 syslog
...


By giving "others" no permissions on the nginx directory itself - ordinary users can't even see the files themselves - let alone read them.
If they had root permissions, they could do this

$ sudo ls -al nginx/
total 28
drwxr-x--- 2 www-data adm 4096 Nov 22 06:38 .
drwxrwxr-x 13 root syslog 4096 Nov 22 06:38 ..
-rw-r----- 1 www-data adm 2082 Nov 23 00:30 access.log
-rw-r--r-- 1 root root 9803 Nov 22 06:26 access.log.1
-rw-r----- 1 www-data adm 0 Nov 22 06:38 error.log


Now, unless you are www-data,adm or root you won't be able to read logs. access.log.1 which is not created by the webserver but the log archiving utility logrotate has read permissions - but because anyone who is not root, www-data or adm won't have permissions along every segment in the path to /var/log/nginx/access.1.log so they still can't read the file (the directory permission is still blocking them).
So you could try this permission structure - which will be annoying for you to administer as you need to elevate to su or add your user to www-data or adm groups or similar - depending on your system - just to get into the log directories and read logs.
Also - its IMPORTANT you don't break the permissions of the logrotate facility - its what cleans up your log records (archiving and deleting log entries over a certain age - usually a year).

Vote Up Vote Down

@Radia820

If they are able to login via your SHELL then its pretty much game over and as mentioned by @w3d Apache log files are least of your worries.


Apache writes to log files directly, no one can view those logs unless they are stored within the hosting path.


If security is a major concern then you should confirm that you use the following practices:


Your SSH should be secured using SSH Keys, not username or password, or even better... disabled when you are not using it, and launched it when required.
Your cPanel account should use a complex password, ideally... use something at least 12-18 digits long with numbers, capitals and symbols. cPanel is also in the process of adding two-way authentication, as soon as this is released you should enable it, same goes for every platform outside the realms of cPanel.
FTP should be disabled in favour of FTPS, or FTP TLS/SSL. The server should block brute cracking using fail2ban or similar.

Vote Up Vote Down