Hello, I am having some serious anxiety problems with my web server when I open my server logs. I hope someone can help me out, or at least blast me with some clarification of what some of the records I see mean. So basically I have a CentOS VPS server with CyberPanel on it, running OpenLiteSpeed and a WordPress website. I have followed all the steps provided by CyberPanel and LiteSpeed, and my website has been running great for the past 5-6 months. But when I go into my logs section I see all kinds of records and I am just not able to understand them all. I tried googling most of them but still have not found an explanation for most of them.
1. I will start with my Access Logs section - From time to time I see records such as:
185.254.196.223 - - [18/Apr/2022:23:20:01 +0200] "GET /.env HTTP/1.1" 404 705 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
185.254.196.223 - - [18/Apr/2022:23:20:02 +0200] "POST / HTTP/1.1" 404 705 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
45.155.204.146 - - [18/Apr/2022:23:43:58 +0200] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
I see that all of them return 404, but is this normal?
2. Error logs - Constantly I see records such as:
2022-04-18 23:23:12.665080 [INFO] [3813936] Invalid rewrite directive: Deny from all
2022-04-18 23:23:12.665082 [INFO] [3813936] Rewrite directive: </IfModule> bypassed.
2022-04-18 23:23:12.665085 [INFO] [3813936] Rewrite directive: <IfModule mod_authz_core.c> bypassed.
2022-04-18 23:23:12.665087 [INFO] [3813936] Invalid rewrite directive: Require all denied
2022-04-18 23:23:12.665089 [INFO] [3813936] Rewrite directive: </IfModule> bypassed.
2022-04-18 23:23:12.665091 [INFO] [3813936] Invalid rewrite directive: </FilesMatch>
Honestly I am not sure what this is all about. I tried to google them and understood that they are coming from OpenLiteSpeed.
3. Email Logs - This part is bugging me so much, as non-stop I see records such as:
Apr 18 23:56:10 vmi725483 postfix/smtpd[3815242]: connect from unknown[117.66.241.77]
Apr 18 23:56:12 vmi725483 postfix/smtpd[3815242]: warning: unknown[117.66.241.77]: SASL LOGIN authentication failed: Invalid authentication mechanism
Apr 18 23:56:12 vmi725483 postfix/smtpd[3815242]: disconnect from unknown[117.66.241.77] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 18 23:56:48 vmi725483 postfix/smtpd[3815242]: warning: hostname liferson.de does not resolve to address 141.98.10.84: No address associated with hostname
Apr 18 23:56:48 vmi725483 postfix/smtpd[3815242]: connect from unknown[141.98.10.84]
Apr 18 23:56:50 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.84]: SASL PLAIN authentication failed:
Apr 18 23:56:50 vmi725483 postfix/smtpd[3815242]: disconnect from unknown[141.98.10.84] ehlo=1 auth=0/1 quit=1 commands=2/3
As far as I understood, all of these are attempts to send email from my server, and I see that all of them are failing (I hope), but what can I do about all this? Is this normal, and is this dangerous too?
4. FTP Logs - This part looks pretty similar to the Email logs:
Apr 18 23:57:57 vmi725483 postfix/smtpd[3815242]: connect from unknown[141.98.10.24]
Apr 18 23:57:59 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.24]: SASL PLAIN authentication failed:
Apr 18 23:57:59 vmi725483 postfix/smtpd[3815242]: disconnect from unknown[141.98.10.24] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 18 23:58:15 vmi725483 postfix/smtpd[3815242]: warning: hostname marries.angerenhanc.com does not resolve to address 141.98.10.27: Name or service not known
Apr 18 23:58:15 vmi725483 postfix/smtpd[3815242]: connect from unknown[141.98.10.27]
Apr 18 23:58:17 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.27]: SASL PLAIN authentication failed:
Apr 18 23:58:17 vmi725483 postfix/smtpd[3815242]: disconnect from unknown[141.98.10.27] ehlo=1 auth=0/1 quit=1 commands=2/3
So essentially that's all. I just hope that someone can explain to me what all this is and if there is a way to stop these spams or attacks on my website. I am for real not a system administrator, but I am trying to learn as much as I can. Also, if you see something suspicious as well, please let me know. Thanks in advance for any help!
PS: Currently I do not have an additional firewall installed on the server. CyberPanel comes with a firewall, but I also have some other options available: ModSecurity, CSF and Imunify360 or ImunifyAV.
PPS: My website is always updated to the latest WordPress version, and plugins and themes are updated as well.
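Added example (not from the post, CyberPanel, OpenLiteSpeed or Postfix): a short Python script that parses access-log lines like those in section 1 and Postfix smtpd lines like those in sections 3 and 4, flags requests for scanner-target paths, counts SASL authentication failures per client and per /24, and lists the sources that cross a block threshold, the kind of rule a tool such as CSF applies automatically. The sample log lines are constructed from the post's own records; the probe-path list and the threshold values are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the records quoted in the post
# (user-agents shortened); point this at the real log files in practice.
ACCESS_LOG = """\
185.254.196.223 - - [18/Apr/2022:23:20:01 +0200] "GET /.env HTTP/1.1" 404 705 "-" "Mozilla/5.0"
185.254.196.223 - - [18/Apr/2022:23:20:02 +0200] "POST / HTTP/1.1" 404 705 "-" "Mozilla/5.0"
45.155.204.146 - - [18/Apr/2022:23:43:58 +0200] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 705 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Apr/2022:23:50:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
MAIL_LOG = """\
Apr 18 23:56:12 vmi725483 postfix/smtpd[3815242]: warning: unknown[117.66.241.77]: SASL LOGIN authentication failed: Invalid authentication mechanism
Apr 18 23:56:50 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.84]: SASL PLAIN authentication failed:
Apr 18 23:57:59 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.24]: SASL PLAIN authentication failed:
Apr 18 23:58:17 vmi725483 postfix/smtpd[3815242]: warning: unknown[141.98.10.27]: SASL PLAIN authentication failed:
"""

# Combined log format: client ident user [time] "request" status bytes ...
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Postfix smtpd SASL failure; the client is name[ip], and name is "unknown" when reverse DNS fails
SASL_RE = re.compile(r'postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed')
# Paths from the post that no genuine WordPress visitor requests: a secrets file
# and a scanner probe for an exposed phpunit test file (assumed list, extend as needed).
PROBE_PATHS = ("/.env", "/vendor/phpunit/")

def web_probes(log_text):
    """Map client IP -> [(path, status)] for probe paths; 404 = absent, 200 = the probe found something."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and any(m["path"].startswith(p) for p in PROBE_PATHS):
            hits[m["ip"]].append((m["path"], m["status"]))
    return dict(hits)

def sasl_failures(log_text):
    """Count failed SMTP AUTH attempts per client IP."""
    return Counter(m["ip"] for m in map(SASL_RE.search, log_text.splitlines()) if m)

def by_network(counts, prefix_len=24):
    """Roll per-IP counts up to /prefix_len so a range rotating through addresses shows as one source."""
    nets = Counter()
    for ip, n in counts.items():
        nets[str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))] += n
    return nets

def over_threshold(counts, limit):
    """Sources with at least `limit` failures: candidates for a temporary block."""
    return sorted(src for src, n in counts.items() if n >= limit)
```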