ossec · alex-front · Jan 27, 2017 · Jan 30, 2017 · Jan 30, 2017 · Jan 30, 2017
diff --git a/etc/decoder.xml b/etc/decoder.xml
@@ -2907,7 +2907,6 @@ Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2
   <order>srcip,url</order>
 </decoder>
 
-
 <!-- Exim
   - Examples:
   - 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
@@ -2945,4 +2944,81 @@ Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2
   <order>srcip</order>
 </decoder>
 
+
+<!-- cPanel decoder.
+  - Examples:
+  - [2016-11-18 09:32:19 +0000] info [cpsrvd] 46.118.10.79 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
+-->
+<decoder name="cpanel-login-failed">
+  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \.+FAILED LOGIN</prematch>
+  <regex>info [cpsrvd] (\S+) - (\S+)</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<!-- cPanel decoder.
+     Because of default postgresql decoder overwrites cpanel-login-log rule in case time offset with minus (-0500). This rule is necessary to cover all cases of logs
+  - Examples:
+  - [2016-11-21 04:14:58 -0500] info [cpsrvd] 37.130.227.133 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
+  - [2017-01-25 03:16:27 -0500] info [cpsrvd] 10.101.1.14 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
+  - [2017-01-25 05:37:47 -0500] info [cpsrvd] 172.20.93.26 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: root login is not permitted to cpaneld
+  - [2017-01-25 06:01:10 -0500] info [cpsrvd] 172.20.93.26 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed)
+  - [2017-01-25 06:08:58 -0500] info [cpsrvd] 172.20.93.26 - [email protected] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root
+-->
+
+<decoder name="cpanel-login-failed2">
+  <parent>postgresql_log</parent>
+  <prematch offset="after_parent">^info [cpsrvd] \.+FAILED LOGIN</prematch>
+  <regex>info [cpsrvd] (\S+) - (\S+)</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<!-- cPanel decoder.
+  - Examples:
+  - 46.118.10.79 - paul [11/18/2016:09:35:43 -0000] "GET" FAILED LOGIN cpdavd: Could not fetch system home directory for paul
+-->
+
+<decoder name="cpanel-access-failed">
+  <parent>web-accesslog</parent>
+  <prematch offset="after_parent">FAILED LOGIN</prematch>
+  <regex>^(\S+) \S+ (\S+)</regex>
+  <order>srcip,user</order>
+</decoder>
+
+
+<!-- cPanel decoder.
+  - Examples:
+  - [2017-02-03 01:21:31 +0500] info [cpsrvd] 10.101.1.18 NEW testuser:XImQi9d3anWMNSc9 address=10.101.1.18,app=cpaneld,creator=pupkin,method=handle_form_login,path=form,possessed=0
+  - [2017-02-03 01:21:31 -0500] info [cpsrvd] 10.101.1.18 NEW testuser:XImQi9d3anWMNSc9 address=10.101.1.18,app=cpaneld,creator=pupkin,method=handle_form_login,path=form,possessed=0
+-->
+<decoder name="cpanel-login-success">
+  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ NEW</prematch>
+  <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<decoder name="cpanel-login-success2">
+  <parent>postgresql_log</parent>
+  <prematch offset="after_parent">^info [cpsrvd] \S+ NEW</prematch>
+  <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<!-- cPanel decoder.
+  - Examples:
+  - [2017-01-25 06:15:38 -0500] info [cpsrvd] 172.20.93.26 PURGE root:Nmm4xzhSpA2Sddv3 logout
+  - [2017-01-25 06:15:38 +0000] info [cpsrvd] 172.20.93.26 PURGE root:Nmm4xzhSpA2Sddv3 logout
+-->
+<decoder name="cpanel-session-logout">
+  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ PURGE \S+ logout$</prematch>
+  <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<decoder name="cpanel-session-logout2">
+  <parent>postgresql_log</parent>
+  <prematch offset="after_parent">^info [cpsrvd] \S+ PURGE \S+ logout$</prematch>
+  <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
+  <order>srcip,user</order>
+</decoder>
+
 <!-- EOF -->
diff --git a/etc/ossec-agent.conf b/etc/ossec-agent.conf
@@ -65,4 +65,20 @@
     <log_format>apache</log_format>
     <location>/var/www/logs/error_log</location>
   </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/login_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/access_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/session_log</location>
+  </localfile>
+
 </ossec_config>
diff --git a/etc/ossec-local.conf b/etc/ossec-local.conf
@@ -74,6 +74,7 @@
     <include>sysmon_rules.xml</include>
     <include>opensmtpd_rules.xml</include>
     <include>local_rules.xml</include>
+    <include>cpanel_rules.xml</include>
   </rules>
 
   <syscheck>
@@ -197,4 +198,20 @@
     <log_format>apache</log_format>
     <location>/var/www/logs/error_log</location>
   </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/login_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/access_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/session_log</location>
+  </localfile>
+
 </ossec_config>
diff --git a/etc/ossec-server.conf b/etc/ossec-server.conf
@@ -73,6 +73,7 @@
     <include>opensmtpd_rules.xml</include>
     <include>local_rules.xml</include>
     <include>exim_rules.xml</include>
+    <include>cpanel_rules.xml</include>
   </rules>
 
 
@@ -208,4 +209,19 @@
     <location>/var/log/exim_mainlog</location>
   </localfile>
 
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/login_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/access_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/session_log</location>
+  </localfile>
+
 </ossec_config>
diff --git a/etc/ossec.conf b/etc/ossec.conf
@@ -32,7 +32,8 @@
     <include>dropbear_rules.xml</include>
     <include>sysmon_rules.xml</include>
     <include>opensmtpd_rules.xml</include>
-  </rules>  
+    <include>cpanel_rules.xml</include>
+  </rules>
 
   <syscheck>
     <!-- Frequency that syscheck is executed -- default every 2 hours -->
@@ -160,4 +161,20 @@
     <log_format>apache</log_format>
     <location>/var/www/logs/error_log</location>
   </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/login_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/access_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/session_log</location>
+  </localfile>
+
 </ossec_config>
diff --git a/etc/rules/cpanel_rules.xml b/etc/rules/cpanel_rules.xml
@@ -0,0 +1,78 @@
+<!-- Authors: Alexandr Garaga, Paul Klymenko
+-
+-  This program is a free software; you can redistribute it
+-  and/or modify it under the terms of the GNU General Public
+-  License (version 2) as published by the FSF - Free Software
+-  Foundation.
+-
+-  License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+-->
+
+<!-- cPanel messages -->
+<group name="syslog,">
+
+<!-- Two same rules but with different decoders because logs have different format -->
+  <rule id="11000" level="5">
+    <if_sid>2501</if_sid>
+    <decoded_as>cpanel-login-failed</decoded_as>
+    <regex>FAILED LOGIN</regex>
+    <description>Possible attack on the cpanel services</description>
+  </rule>
+
+  <rule id="11001" level="5">
+    <if_sid>50500</if_sid>
+    <decoded_as>postgresql_log</decoded_as>
+    <regex>FAILED LOGIN</regex>
+    <description>Possible attack on the cpanel services</description>
+  </rule>
+
+  <rule id="11002" level="5">
+    <if_sid>2501</if_sid>
+    <decoded_as>cpanel-access-failed</decoded_as>
+    <regex>FAILED LOGIN</regex>
+    <description>Possible attack on the cpanel services</description>
+  </rule>
+
+<!-- We raise level to send alert considering frequency (6 see doc why) and timeframe (6 minutes) -->
+  <rule id="11003" level="10" frequency="4" timeframe="360">
+    <if_matched_sid>11001</if_matched_sid>
+    <description>Possible breakin attempt</description>
+  </rule>
+
+  <rule id="11004" level="10" frequency="4" timeframe="360">
+    <if_matched_sid>11000</if_matched_sid>
+    <description>Possible breakin attempt</description>
+  </rule>
+
+  <rule id="11005" level="10" frequency="4" timeframe="360">
+    <if_matched_sid>11002</if_matched_sid>
+    <description>Possible breakin attempt</description>
+  </rule>
+
+  <rule id="11006" level="3">
+    <decoded_as>cpanel-login-success</decoded_as>
+    <match>NEW</match>
+    <description>Cpanel login success</description>
+  </rule>
+
+  <rule id="11007" level="3">
+    <if_sid>50500</if_sid>
+    <decoded_as>postgresql_log</decoded_as>
+    <match>NEW</match>
+    <description>Cpanel login success</description>
+  </rule>
+
+  <rule id="11008" level="3">
+    <decoded_as>cpanel-session-logout</decoded_as>
+    <regex>PURGE \S+ logout</regex>
+    <description>Cpanel session logout</description>
+  </rule>
+
+  <rule id="11009" level="3">
+    <if_sid>50500</if_sid>
+    <decoded_as>postgresql_log</decoded_as>
+    <regex>PURGE \S+ logout</regex>
+    <description>Cpanel session logout</description>
+  </rule>
+
+  </group> <!-- SYSLOG -->