Topic: Security week: Login Logs and Logrotate

Posted By: peopleinside on August 21, 2017, 9:22 am
For more than two years I have been reporting security issues to the Webuzo Team, and every time the security issue was fixed: this is good.

Also, this forum has a security issue because the login at the top is not secured by SSL. If you want to log in securely you have to click on the "login" link and not log in from the forum. This is not the best security, also because my forum credentials are the same as those of the Softaculous license, so login should be more secure and always protected, but it is not.

For me security is very important, also in the Webuzo Panel.

There is a new issue introduced with the logrotate function used to reduce the space used by the Webuzo Panel.

Reducing the space used by the panel is a very great feature, but this should not create issues or security weaknesses.

Logrotate seems to be active for all users, and for some months login logs have also been processed once a week. Once a week, it seems, the login log file is zipped, so the logs are no longer visible from the Webuzo interface. This means that if this job is planned for Saturday and you log in to Webuzo on Sunday, or check the login logs, you will see an empty list or just the logins of the day, so you feel safe because, according to the log, no one has tried to log in to the panel... but this is not true: previous logs are only hidden because zip files are not read by the panel.

I have discussed this in private with support, since for a month or more I have been seeing issues on the login log page because not all logs are there.

I strongly think that the login log should be excluded from being zipped, or that zipping should be optional and not active by default.

This is because:
  • for security reasons the login log should not be erased within a week, or without the admin knowing this is done automatically; otherwise you can log in on Sunday, see that all is OK and think no new logins need to be checked, when this is not true because logrotate deleted them the day before.
  • no one will check the login log zip file unless some hacking has happened, but then it is too late, so I think it is much better to do the best prevention by keeping the logs in the Webuzo panel. Users should really check this page once a week or once a month (always better than never checking); once the page has been checked, records should be removed manually.
  • if users want to save space on login logs too, they should have an option in the panel (optional) to disable this feature (bad idea) or to decide not to exclude them from logrotate (not really a good idea)
The login log is a text file; I do not think it will take much space. It could maybe be erased automatically after 12 months, but not after a week; even one month would not be enough. Auto-deleting this log or zipping it, as no one will read it, is a bad idea.
I think there are not many users who care about the login logs page. Webuzo does not provide two-step authentication or alerts by email, so it's a very bad idea to decide now to auto-delete or archive logs after a week or a month by default for all users.
Since this issue (which seems not to be an issue for Webuzo) was introduced, I have lost the ability to check the login security of my VPS because I never go into the zip... Now I am on the move and I have issues connecting by SSH, SFTP or FTP over a mobile connection: the ports are not allowed, so... I am very disappointed to see this issue and cannot check the logs in Webuzo.
I really hope a solution can come; just editing a file in Webuzo will not be the fix, because on the first update all edits can be lost and the issue comes back again.
Also, this file can be edited in the future, and if this is done by Webuzo the line removed for the fix will come back and start to create issues again.
I really hope a solution will be found or the developers will reconsider this. It's OK to logrotate the Webuzo error log and all other elements, but not the login logs.

I am asking whether WebStats has the same issue... losing statistics because files are logrotated into zips.

PeopleInside  :angel:
Passionate Webuzo User
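
The gap described in the post above (a viewer that reads only the live login log, while older entries sit in rotated archives) can be closed by reading both. The following is an added example, not part of the original post and not Webuzo code; the file name `login.log` and the log line format are constructed, and it assumes rotated copies are gzip-compressed, which is logrotate's default for `compress`.

```python
import gzip
import os
import tempfile
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"

def read_lines(path):
    """Return the text lines of a log file, transparently decompressing gzip."""
    with open(path, "rb") as fh:
        is_gzip = fh.read(2) == GZIP_MAGIC
    opener = gzip.open if is_gzip else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]

def full_login_history(log_path):
    """Entries from the live log plus every rotated copy, oldest file first.

    Returns (entries, hidden): `hidden` counts entries that exist only in
    rotated files, i.e. what a viewer reading just the live file never shows.
    """
    live = Path(log_path)
    rotated = [p for p in live.parent.glob(live.name + "*") if p != live]
    rotated.sort(key=lambda p: p.stat().st_mtime)  # oldest rotation first
    entries, hidden = [], 0
    for path in rotated:
        lines = read_lines(path)
        hidden += len(lines)
        entries.extend(lines)
    if live.exists():
        entries.extend(read_lines(live))
    return entries, hidden

def demo():
    """Constructed sample: one rotated gzip archive and a nearly empty live log."""
    d = Path(tempfile.mkdtemp())
    live = d / "login.log"  # hypothetical file name, not Webuzo's real path
    with gzip.open(d / "login.log.1.gz", "wt", encoding="utf-8") as fh:
        fh.write("2017-08-18 03:12:44 FAILED root 203.0.113.7\n"
                 "2017-08-18 03:12:51 FAILED admin 203.0.113.7\n")
    os.utime(d / "login.log.1.gz", (1503100000, 1503100000))
    live.write_text("2017-08-20 09:01:10 OK admin 198.51.100.23\n")
    return full_login_history(live)

if __name__ == "__main__":
    entries, hidden = demo()
    print(f"{hidden} of {len(entries)} entries are only in rotated files")
    for entry in entries:
        print(entry)
```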

Posted By: peopleinside on August 21, 2017, 9:37 am | Post: 1
Security of my server is very important.
Knowing that the login logs are automatically hidden, deleted or just archived in a way that they can no longer be consulted from Webuzo cannot make me happy.

Also, telling me that I should log in every day to check this page before it is erased or archived by the automatic process does not seem to me a good reply. People are busy. Also, even if you have the time to log in every day, you can connect after the cleaning has been done and you lose some important logs.

Webuzo currently has no big issue or known security issue except this.
You also have to consider that there is no mail alert if someone logs in, there is no check if some suspicious access is made, and there is no two-step authenticator support, so... deciding to add an auto-clean process to the login log is not a good idea and creates a security issue on my server, where I lose control of access.

I cannot connect by SFTP while on the move, download the zip file and check the text log. This is very stressful and does not make much sense when I was doing all the checks without issue from the Webuzo login logs interface. Once all the logs had been checked, only I was able to decide when to remove them manually with the relevant button... now, since you introduced auto-clean for this... it's a big problem. I hope a solution can be provided by the Webuzo Team and I really hope this can be fixed.

PeopleInside  :angel:
Passionate Webuzo User

Posted By: nikhil89 on August 23, 2017, 7:46 am | Post: 2
Hi Marco,

It seems that the above logrotate issue as reported by you has been resolved on your server by the developers. An email about the above logrotate issue has been sent to the higher authorities to confirm whether the same needs to be done for all the users or not.

Please let us know if you need any further information. We will be happy to help you.

Posted By: peopleinside on August 23, 2017, 8:46 am | Post: 3
Fixed, yes and no, because the fix was to edit a file that can be updated by you in the future... maybe not soon, but in the future, and if the line I deleted is still present on your side, and if there is no setting available and saved in Webuzo to exclude the login log, then the issue can come up again ;)

Thank you for your support :) and patience.

PeopleInside  :angel:
Passionate Webuzo User
