Accesslog stats for cyberpanel account

Blog Posts
1

Please note this tutorial requires that the accesslogs logformat has been updated as outlined in the below link before this will work properly.
https://forums.cyberpanel.net/discussion/3895/updating-logformat-for-better-stats-collection/

if you have already done the above please continue reading.

So I ported my cPanel version of this tool to accomodate the cyberpanel accesslogs now that they use the same standard and updated this script to handle the differences in users homedir/logs paths.

This script will need to be run with the desired cyberpanel linux user passed to it

so if this domain was “example.com” and the linux account owner of this domain was “user”

If you do not know how to see your linux user

check your ssh login information if single user.

Or login as root via ssh and stat your domain like this.
stat /home/example.com

Will look like this. Notice the uid and gid show the linux user which in this example is “user”
[root@wcloud:~]# stat /home/example.com
File: ‘/home/example.com’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 517820 Links: 15
Access: (0711/drwx–x–x) Uid: ( 5002/ user) Gid: ( 5002/ user)
Access: 2020-02-02 23:43:32.942081813 -0500
Modify: 2020-02-02 11:09:28.440639594 -0500
Change: 2020-02-02 11:09:28.440639594 -0500
Birth: -
[root@wcloud:~]#

You would run this.
bash <(curl -s https://gitlab.com/cyberpaneltoolsnscripts/snapshotbycyberpaneluser/raw/master/CyberpanelSnapshotByCyberpanelUser.sh || wget -qO - https://gitlab.com/cyberpaneltoolsnscripts/snapshotbycyberpaneluser/raw/master/CyberpanelSnapshotByCyberpanelUser.sh) user;

Keep in mind if you only recently changed the log format the stats might be slightly out of whack for the days in the old format. you can see an example of this in the sanitized logs below.

I’ll be adding new stuff to this and porting my server-level version of this for multi-account check.

if you have any suggestions for checks you look for Common CMS issues let me know I can mod this pretty easily if provide the regex or stuff to look for.

Weird edge case sometimes the access_log or logs folder perms are borked ownership wise and owned by “root:user” “lscpd:lscpd” when they should be nobody:user for OLS/LS to be able to write to them and for the access_log viewer to work in cyberpanel UI.

If that is the case this oneliner will fix that all up.
link=“https://gitlab.com/cyberpaneltoolsnscripts/cyberpanel-fixperms/raw/master/fixperms.sh”; bash <(curl -s $link || wget -qO - $link) -v -all

See here for explanation of how that works.

Example:
[root@wcloud:~]# bash <(curl -s https://gitlab.com/cyberpaneltoolsnscripts/snapshotbycyberpaneluser/raw/master/CyberpanelSnapshotByCyberpanelUser.sh || wget -qO - https://gitlab.com/cyberpaneltoolsnscripts/snapshotbycyberpaneluser/raw/master/CyberpanelSnapshotByCyberpanelUser.sh) user;

Web Traffic Stats Check

=============================================================
Apache Dom Logs POST Requests for 03/Feb/2020 for user
315 /home/example.com/logs/example.com.access_log
8 /home/example.com/logs/my.example.com.access_log

Apache Dom Logs GET Requests for 03/Feb/2020 for user
2369 /home/example.com/logs/example.com.access_log
1172 /home/example.com/logs/my.example.com.access_log

Apache Dom Logs Top 10 bot/crawler requests per domain name for 03/Feb/2020
132 /home/example.com/logs/example.com.access_log
82 /home/example.com/logs/my.example.com.access_log

Apache Dom Logs top ten IPs for 03/Feb/2020 for user

297 "example.com
 11 2001
  7 "my.example.com
  1 91.122.30.68
  1 73.178.82.176
  1 73.133.66.110
  1 63.155.46.5
  1 2607
  1 209.155.125.2
  1 206.190.204.88

Show unique IP’s with whois IP, Country,and ISP

91.122.30.68 | RU | ROSTELECOM-AS, RU
73.178.82.176 | US | COMCAST-7922, US
73.133.66.110 | US | COMCAST-7922, US
63.155.46.5 | US | CENTURYLINK-US-LEGACY-QWEST, US
209.155.125.2 | US | WINDSTREAM, US
206.190.204.88 | US | JOESDATACENTER, US
206.190.204.88 | US | UNITED-FIBER, US

Apache Dom Logs find the top number of uri’s being requested for 03/Feb/2020
304 "POST
6 /wp-admin/admin-ajax.php?action=hustle_module_viewed
1 /wp-cron.php?doing_wp_cron=1580742661.5405189990997314453125
1 /wp-cron.php?doing_wp_cron=1580742384.2412269115447998046875
1 /wp-cron.php?doing_wp_cron=1580742258.4729180335998535156250
1 /wp-cron.php?doing_wp_cron=1580742212.9561231136322021484375
1 /wp-cron.php?doing_wp_cron=1580742009.7250990867614746093750
1 /wp-cron.php?doing_wp_cron=1580741911.5235159397125244140625
1 /wp-cron.php?doing_wp_cron=1580741692.7411398887634277343750
1 /wp-cron.php?doing_wp_cron=1580741651.4984240531921386718750

View Apache requests per hour for Cyberpanel user
425 00:00
191 01:00
233 02:00
171 03:00
231 04:00
249 05:00
296 06:00
242 07:00
552 08:00
244 09:00
431 10:00
485 11:00
336 12:00
297 13:00
316 14:00
86 15:00

CMS Checks

Wordpress Checks
Wordpress Login Bruteforcing checks for wp-login.php for 03/Feb/2020 for user
11 /home/example.com/logs/example.com.access_log

Wordpress Cron wp-cron.php(virtual cron) checks for 03/Feb/2020 for user
233 /home/example.com/logs/example.com.access_log

Wordpress XMLRPC Attacks checks for xmlrpc.php for 03/Feb/2020 for user

Wordpress Heartbeat API checks for admin-ajax.php for 03/Feb/2020 for user
80 /home/example.com/logs/example.com.access_log

Apache Dom Logs POST Requests for 02/Feb/2020 for user
128 /home/example.com/logs/example.com.access_log
5 /home/example.com/logs/my.example.com.access_log

Apache Dom Logs GET Requests for 02/Feb/2020 for user
960 /home/example.com/logs/example.com.access_log
590 /home/example.com/logs/my.example.com.access_log

Apache Dom Logs Top 10 bot/crawler requests per domain name for 02/Feb/2020
56 /home/example.com/logs/my.example.com.access_log
55 /home/example.com/logs/example.com.access_log

Apache Dom Logs top ten IPs for 02/Feb/2020 for user

128 "example.com
  5 "my.example.com

Show unique IP’s with whois IP, Country,and ISP

Apache Dom Logs find the top number of uri’s being requested for 02/Feb/2020
133 "POST

View Apache requests per hour for Cyberpanel user
171 15:00
302 16:00
519 17:00
269 18:00
228 19:00
168 20:00
168 21:00
220 22:00
189 23:00

CMS Checks

Wordpress Checks
Wordpress Login Bruteforcing checks for wp-login.php for 02/Feb/2020 for user
16 /home/example.com/logs/example.com.access_log

Wordpress Cron wp-cron.php(virtual cron) checks for 02/Feb/2020 for user
99 /home/example.com/logs/example.com.access_log

Wordpress XMLRPC Attacks checks for xmlrpc.php for 02/Feb/2020 for user

Wordpress Heartbeat API checks for admin-ajax.php for 02/Feb/2020 for user
29 /home/example.com/logs/example.com.access_log

Apache Dom Logs POST Requests for 01/Feb/2020 for user

Apache Dom Logs GET Requests for 01/Feb/2020 for user

Apache Dom Logs Top 10 bot/crawler requests per domain name for 01/Feb/2020

Apache Dom Logs top ten IPs for 01/Feb/2020 for user

Show unique IP’s with whois IP, Country,and ISP

Apache Dom Logs find the top number of uri’s being requested for 01/Feb/2020

View Apache requests per hour for Cyberpanel user

CMS Checks

Wordpress Checks
Wordpress Login Bruteforcing checks for wp-login.php for 01/Feb/2020 for user

Wordpress Cron wp-cron.php(virtual cron) checks for 01/Feb/2020 for user

Wordpress XMLRPC Attacks checks for xmlrpc.php for 01/Feb/2020 for user

Wordpress Heartbeat API checks for admin-ajax.php for 01/Feb/2020 for user

Apache Dom Logs POST Requests for 31/Jan/2020 for user

Apache Dom Logs GET Requests for 31/Jan/2020 for user

Apache Dom Logs Top 10 bot/crawler requests per domain name for 31/Jan/2020

Apache Dom Logs top ten IPs for 31/Jan/2020 for user

Show unique IP’s with whois IP, Country,and ISP

Apache Dom Logs find the top number of uri’s being requested for 31/Jan/2020

View Apache requests per hour for Cyberpanel user

CMS Checks

Wordpress Checks
Wordpress Login Bruteforcing checks for wp-login.php for 31/Jan/2020 for user

Wordpress Cron wp-cron.php(virtual cron) checks for 31/Jan/2020 for user

Wordpress XMLRPC Attacks checks for xmlrpc.php for 31/Jan/2020 for user

Wordpress Heartbeat API checks for admin-ajax.php for 31/Jan/2020 for user

Apache Dom Logs POST Requests for 30/Jan/2020 for user

Apache Dom Logs GET Requests for 30/Jan/2020 for user

Apache Dom Logs Top 10 bot/crawler requests per domain name for 30/Jan/2020

Apache Dom Logs top ten IPs for 30/Jan/2020 for user

Show unique IP’s with whois IP, Country,and ISP

Apache Dom Logs find the top number of uri’s being requested for 30/Jan/2020

View Apache requests per hour for Cyberpanel user

CMS Checks

Wordpress Checks
Wordpress Login Bruteforcing checks for wp-login.php for 30/Jan/2020 for user

Wordpress Cron wp-cron.php(virtual cron) checks for 30/Jan/2020 for user

Wordpress XMLRPC Attacks checks for xmlrpc.php for 30/Jan/2020 for user

Wordpress Heartbeat API checks for admin-ajax.php for 30/Jan/2020 for user

Contents have been saved to user-CyberpanelSnapshot_2020-02-03_10:17:33.txt

2

@whattheserver This is a great work! Many thanks! DO you think this would be implemented with 1.9.4 ?

3

Thanks. Yeah i have messaged with usman about also looking into adding some kind of process tracking for users which would bring cyberpanel the same functionality of the dcpumon function for finding abusive heavy use stuff.

I have some atop scripts that work at the server level but nothing at the user level yet for process tracking when it comes to cyberpanel.

This is just a bash script. It’s possible in future we can come up with a way where something like this is built into the WebUI but would take some work. For now, though this is usable. once the server is using new formats which an upgrade should fix for you.

All my Cyberpanel scripts are here.

To get an idea of some of the cool stuff id like to be able to also do in Cyberpanel you can checkout my cPanel versions to see some of the cool stuff I hope to be able to port to Cyberpanel once proper logging is setup for sessions and processes