
Can someone help me with some Web Server logs?

AlexBe

Hello, I am having some serious anxiety problems with my web server when I open my server logs. I hope someone can help me out, or at least blast me with some clarification of what some of the records I see mean. So basically I have a CentOS VPS with CyberPanel on it, running OpenLiteSpeed and a WordPress website. I have followed all the steps provided by CyberPanel and LiteSpeed, and my website has been running great for the past 5-6 months. But when I go to my logs section I see all kinds of records, and I am just not able to understand them all. I tried googling most of them but still have not found an explanation for most of them.

1. I will start with my Access Logs section - From time to time I see records such as:
185.254.196.223 - - [18/Apr/2022:23:20:01 +0200] "GET /.env HTTP/1.1" 404 705 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
185.254.196.223 - - [18/Apr/2022:23:20:02 +0200] "POST / HTTP/1.1" 404 705 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
45.155.204.146 - - [18/Apr/2022:23:43:58 +0200] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

I see that all of them return 404 but is this normal?

2. Error logs - Constantly I see records such as:
2022-04-18 23:23:12.665080 [INFO] [3813936] Invalid rewrite directive: Deny from all
2022-04-18 23:23:12.665082 [INFO] [3813936] Rewrite directive: </IfModule> bypassed.
2022-04-18 23:23:12.665085 [INFO] [3813936] Rewrite directive: <IfModule mod_authz_core.c> bypassed.
2022-04-18 23:23:12.665087 [INFO] [3813936] Invalid rewrite directive: Require all denied
2022-04-18 23:23:12.665089 [INFO] [3813936] Rewrite directive: </IfModule> bypassed.
2022-04-18 23:23:12.665091 [INFO] [3813936] Invalid rewrite directive: </FilesMatch>

Honestly, I am not sure what this is all about. I tried to google them and I understood that they are coming from OpenLiteSpeed.

3. Email Logs - This part is buzzing me so much, as I see records like these nonstop:
Apr 18 23:56:10 vmi725483 postfix/smtpd[3815242]: connect from unknown[117.66.241.77]
Apr 18 23:56:12 vmi725483 postfix/smtpd[3815242]: warning: unknown[117.66.241.77]: SASL LOGIN authentication failed: Invalid authentication mechanism
Apr 18 23:56:12 vmi725483 postfix/smtpd[3815242]: disconnect from unknown[117.66.241.77] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 18 23:56:48 vmi725483 postfix/smtpd[3815242]: warning: hostname liferson.de does not resolve to address 141.98.10.84: No address associated with hostname
Apr 18 23:56:48 vmi725483 postfix/smtpd[3815242]: connect from unknown[141.98.10.84]
Apr 18 23:56:50 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.84]: SASL PLAIN authentication failed:
Apr 18 23:56:50 vmi725483 postfix/smtpd[3815242]: disconnect from unknown[141.98.10.84] ehlo=1 auth=0/1 quit=1 commands=2/3

As far as I understood, all of these are attempts to send email from my server, and I see that all of them are failing (I hope), but what can I do about all this? Is this normal, and is this dangerous too?

4. FTP Logs - This part looks pretty similar to the Email logs:
Apr 18 23:57:57 vmi725483 postfix/smtpd[3815242]: connect from unknown[141.98.10.24]
Apr 18 23:57:59 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.24]: SASL PLAIN authentication failed:
Apr 18 23:57:59 vmi725483 postfix/smtpd[3815242]: disconnect from unknown[141.98.10.24] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 18 23:58:15 vmi725483 postfix/smtpd[3815242]: warning: hostname marries.angerenhanc.com does not resolve to address 141.98.10.27: Name or service not known
Apr 18 23:58:15 vmi725483 postfix/smtpd[3815242]: connect from unknown[141.98.10.27]
Apr 18 23:58:17 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.27]: SASL PLAIN authentication failed:
Apr 18 23:58:17 vmi725483 postfix/smtpd[3815242]: disconnect from unknown[141.98.10.27] ehlo=1 auth=0/1 quit=1 commands=2/3

So essentially that's all. I just hope that someone can explain to me what all this is and if there is a way to stop these spams or attacks on my website. I am for real not a system administrator, but I am trying to learn as much as I can. Also, if you see something suspicious as well, please let me know. Thanks in advance for any help!

PS: Currently I do not have an additional firewall installed on the server. CyberPanel comes with a firewall, but I also have some other options available: ModSecurity, CSF and Imunify360 or ImunifyAV.
PPS: My website is always updated to the latest WordPress version, and plugins and themes are updated as well.
 


KGIII

Your error logs are likely some mod rewrite rule that's broken. That'd likely be in .htaccess.

The rest look fairly normal for a WordPress site. You should make sure to secure it within WP itself.
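Added example (not part of the thread and not either poster's code): a small Python triage over the log lines quoted in the question. It separates scanner probes that were refused from any that were actually served, and counts failed SMTP AUTH attempts per /24 rather than per address. The 203.0.113.7 line is constructed, user agents are shortened, and `PROBE_PATHS` and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Lines quoted from the post (user agents shortened), plus one CONSTRUCTED
# line (203.0.113.7, status 200) showing a probe that was actually served.
ACCESS_LOG = '''\
185.254.196.223 - - [18/Apr/2022:23:20:01 +0200] "GET /.env HTTP/1.1" 404 705 "-" "Mozilla/5.0"
185.254.196.223 - - [18/Apr/2022:23:20:02 +0200] "POST / HTTP/1.1" 404 705 "-" "Mozilla/5.0"
45.155.204.146 - - [18/Apr/2022:23:43:58 +0200] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 705 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2022:23:50:00 +0200] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
'''
MAIL_LOG = '''\
Apr 18 23:56:12 vmi725483 postfix/smtpd[3815242]: warning: unknown[117.66.241.77]: SASL LOGIN authentication failed: Invalid authentication mechanism
Apr 18 23:56:48 vmi725483 postfix/smtpd[3815242]: warning: hostname liferson.de does not resolve to address 141.98.10.84: No address associated with hostname
Apr 18 23:56:50 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.84]: SASL PLAIN authentication failed:
Apr 18 23:57:59 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.24]: SASL PLAIN authentication failed:
Apr 18 23:58:17 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.27]: SASL PLAIN authentication failed:
'''

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SASL_RE = re.compile(r'warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed')
PROBE_PATHS = ("/.env", "/vendor/phpunit/")  # assumption: paths seen in the post

def triage_access(log):
    """Split probe requests into (refused, served); served means a 2xx reply."""
    refused, served = [], []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if path.startswith(PROBE_PATHS):
            (served if status.startswith("2") else refused).append((ip, path, status))
    return refused, served

def sasl_failures(log):
    """Count failed SMTP AUTH attempts per /24, since senders rotate addresses."""
    nets = (ipaddress.ip_network(f"{m.group(1)}/24", strict=False)
            for m in SASL_RE.finditer(log))
    return dict(Counter(str(n) for n in nets))

if __name__ == "__main__":
    refused, served = triage_access(ACCESS_LOG)
    print("refused probes:", refused)
    print("SERVED probes (investigate):", served)
    print("SASL failures per /24:", sasl_failures(MAIL_LOG))
```

On the quoted lines every real probe lands in the refused list, and three of the four SASL failures come from the same /24, which a per-address ban threshold would not catch.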
 