Enabling logging for lighttpd web server

EDIT: Please ignore the below instructions as these have now been rendered obsolete with the switch from lighttpd to a different webserver (Apache) with the release of firmware version 1.05.21 on 10/27/14. I may create another post with updated instructions for http logging using Apache, IF I have the time in future.

This is a followup post to my recent post titled ’ Share your files with friends using http links’. I wanted to share how you can enable logging on, if you chose to turn the web server on your My Cloud EX2 (or EX4 or Mirror) on using Dashboard Cloud Access setting, as outlined in that previous post…or if you were to use the Web File Viewer functionality from outside your network (ie.outisde of the network where the EX2 is plugged in).

I had enabled logging myself on my EX2 several days ago for my personal use but hadn’t really closely examined the logs until today. In the meantime, I had also implemented a mechanism to archive the web server logs daily into a directory of my choice (I had created a directory to store these logs in a persistent location at /mnt/HD/HD_a2/logs and every night at midnight a job runs that moves previous day’s log file into this location and renames it with today’s date so I know at a glance which log file is for which date). I won’t be detailing that daily archiving process here - you can write your own shell scripts to do so and google if you need specific help with that. But I will say that archiving the http log or removing them and starting afresh every few days, if not everyday, is crucial - because that log file captures every HTTP request so even for just one page with multiple pictures, etc. there are multiple entries and so the log grows very quickly and the /var/log location has limited space (you can see how much by running ‘df -h /var/log’). In this post, I will only detail just the steps required to setup logging for the EX2’s built-in webserver (lighttpd).

Normally, I wouldn’t even have posted the instructions for setting up logging - however, my reason to do this is primarily so that people are aware of their network security implications when they do enable the web server access from outside their network (i.e. enabling Dashboard Cloud Acess) following my aforementioned post. It is because today, when I finally got a chance to take acloser look at just today’s log files, I noticed multiple attempts to sniff and hack into my EX2’s webserver. So if people followed my instructions in the previous post and enabled web access from outside, it is a good idea to enable logging and look at them occassionally to get an idea if and what is going on about the hacks to one’s server from nefarious sources outside. See more details of my experience near the end of this post.

Fortunately, most of these kinds of simple sniffing are protected by the default lighttpd config (yes, I had closely examined the related configs for a couple days and came to the conclusion that it is relatively safe from simple hack attacks to run the web server before I opened my web server to the outside world). And it helps that WD includes a not too ancient version of lighttpd in the frmware, though unfortunately not the latest. The latest lighttpd version, 1.4.35, has been out since March 2014 (when EX2 was launched) but despite that the version that IS now included is version 1.4.33, which came out in September 2013, almost a year old. But at least it is not the ancient 1.4.28 that the firmware was including in a couple firmware releases ago. It is very important to try to incorporate the latest possible version of lighttpd, because security vulnerabilities are contstantly being found and those holes are always being patched in each version - so the more current the web server is, the less vulnerable to known exploits it is.

Anyway, onto the fun part - but the obvious disclaimer first. You are solely responsible for implementing any changes highlighted here and though it is very safe and perfectly tested, you may void your warranty if you implement these changes. But keep in mind the changes outlined below are perfectly reversible and are lost simply by rebooting - which will bring your device back to the normal configured state.

Ok - to implement logging for lighttpd web server, you just have to do two simple things:

  1. Change lighttpd’s config file to add logging

  2. Restart lighttpd

  3. To change lighttpd’s config file to add logging do the following (do not type the stuff in parenthesis - they are just explanatory notes) :

  • SSH into EX2
  • cd /etc/lighttpd/
  • cp -p lighttpd.conf lighttpd.conf.bak (this step just backs up the default config file so that you have it as a backup - also note this backup file along with the modified config file will all be wiped off after a reboot - so you might want to save the modified file into a persstent location like /usr/local/config/ if you want to bring logging back quickly after a reboot)
  • vi lighttpd.conf
  • Then insert the following two lines at the top of the file:
    accesslog.filename = “/var/log/http.log”
    accesslog.format = “%h %U %t “%{Referer}i” “%{User-Agent}i””
  • Save file and exit vi

Note: The accesslog.format setting contains only details I am interested in - you can skip that second line and then you’ll capture the default list details in the log OR you can choose to customize the details to your liking - more on lighttpd’s logging format is available here ->  http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAccessLog

  1. To restart lighttpd while SSHd in to EX2, just run the following and then wait for a couple minutes - lighttpd will restart on its own:
    killall lighttpd

After couple minutes have passed, you can simply test if the web server has come up by accessing the EX2 dashboard from a browser - OR run the following command from the SSH terminal:
ps -ef | grep lighttpd | grep -v “grep lighttpd”

If any lines come up as a result of the above command (or if the dashboard login page comes up in a browser), then lighttpd has been restarted. At this point you are done - web logging has been enabled - not just for the dashboard app but ANY attempt to access the web server, including hacking and sniffing attempts, will be captured and logged along with the source IPs.

___________________________________________________________________________________________

Some log entries I observed in the log this morning, which prompted me to write this post for the benefit of anyone who may have turned Dashboard Cloud Access on:

115.29.8.90 /render/hoteldiv.jsp [30/Aug/2014:07:12:52 -0400] "hotel.qunar.com/ “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36”
187.171.69.189 /cncn/cnc/cn.php [30/Aug/2014:10:12:58 -0400] “-” “-”
187.171.69.189 /phpMyAdmin/scripts/setup.php [30/Aug/2014:10:12:59 -0400] “-” "-"
187.171.69.189 /pma/scripts/setup.php [30/Aug/2014:10:13:00 -0400] “-” “-”
187.171.69.189 /myadmin/scripts/setup.php [30/Aug/2014:10:13:00 -0400] “-” “-”
185.25.150.40 /httptest.php [30/Aug/2014:11:05:41 -0400] “-” “-”
185.25.150.40 /search [30/Aug/2014:11:21:16 -0400] “-” “-”
117.21.225.168 /manager/html [30/Aug/2014:12:04:55 -0400] “-” “Mozilla/3.0 (compatible; Indy Library)”
184.75.214.234 /back.css [30/Aug/2014:13:11:03 -0400] “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0”
184.75.214.234 /Panel/back.css [30/Aug/2014:13:11:03 -0400] “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0”
184.75.214.234 /andro/back.css [30/Aug/2014:13:11:03 -0400] “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0”
184.75.214.234 /root/back.css [30/Aug/2014:13:11:04 -0400] “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0”

To get the log entries of only outside access, you can run the following command (after you have done the above steps to enable logging and several hours or a day or two has passed):
grep -v -e “^10.” -e “^192.” -e “^127.0.0.1” /var/log/http.log

The above command displays log entries excluding any local access entries and shows just the external accesses - and if you haven’t given out your IP address to friends and family yet, you are almost certainly looking at people trying to sniff their way into your server. I particularly want to draw attention to the bolded line above - AND why I prefer not to use the included phpMyAdmin app to manage the built-in MySQL database. I prefer instead to use the MySQL Workbench tool available for free from http://dev.mysql.com/downloads/workbench and is the official MySQL tool - and to connect to the mysql db, I simply setup the connection like in the pic below (adjust the IP according to your EX2’s internal IP and leave the rest as-is and save your sshd and mysql password in the password vault by clicking “Store in Vault” where it is kept encrypted):

Anyway, as you can see from the log entries above, my server is getting hits from unknown strangers. I have looked up the first entry and it’s IP is in China. The other IPs are originating in Mexico but based on the IP’s TTL of 3 or 4 hours, I suspect they might not even really be coming from Mexico but are possibly coming from elsewhere but being spoofed to look as if they are coming from there - after the TTL period of 3-4 hour elapses, I suspect those IPs will disappear. But based on the script checks done by lighttpd, the server is relatively secure from more insidous hack attacks like SQLinjection, etc. but obviously if you have something like phpMyAdmin installed you’d have a vulnerability there - and hence, my reluctance to rely on a web based app/tool like phpMyAdmin.

Good luck and if this post helps you, please click on the star under my username to the left of this post to give me a kudo. And feel free to ask me any question if you have any about this post.

Hello,

Thank you for sharing this.

My pleasure…and felt sort of my duty especially after I posted about how to open up the web server in my other post.

The instructions in the original post have now been deprecated due to switch of web server from lighttpd to Apache starting with firmware release 1.05.21. Don’t know if or when I will post updated logging instructions for the Apache web server.

Preferrably when:) but hoping that google help me discover in the mean time!

Instead of commenting on this old thread, I am more interested in seeing your response on your own post about the SSH and ftp access issues you were having. Did my answers there help you? That’s what’s more important. If you did, please don’t forget to give me a kudo on that post.