Block error_log file from being viewed in a Browser

Home Forums BulletProof Security Free Block error_log file from being viewed in a Browser

Tagged: 

This topic contains 9 replies, has 2 voices, and was last updated by  Johnny 1 year, 3 months ago.

Viewing 10 posts - 1 through 10 (of 10 total)
  • Author
    Posts
  • #32688

    Johnny
    Participant

    Hi,

    My website produces error_log files sometimes and I’d like to have a way to hide them so they are not visible from any other IPs except mine. At the moment anyone can access www.example.com/wp-admin/error_log or www.example.com/error_log and read the logs. How can I do this in BPS? I notice in your root .htaccess file you have included:

    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$

    So how would I go about blocking the error_log file for everyone except myself?

    #32692

    AITpro Admin
    Keymaster

    You would block the error_log files from being viewed in a Browser in this BPS htaccess code below and add it to BPS Root Custom Code.

    1. Copy the modified DENY BROWSER ACCESS TO THESE FILES below into this BPS Root Custom Code text box: 13. CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # DENY BROWSER ACCESS TO THESE FILES
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # To be able to view these files from a Browser, replace 127.0.0.1 with your actual
    # current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
    # Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
    # Note: The BPS System Info page displays which modules are loaded on your server.
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|error_log)">
    <IfModule mod_authz_core.c>
    Require all denied
    #Require ip 127.0.0.1
    </IfModule>
    
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </IfModule>
    </IfModule>
    </FilesMatch>
    #32693

    Johnny
    Participant

    Okay I’ve tried it, but I can still access them… I’ve even cleared all my caches (browser, W3TC, Cloudflare) and switched to a different IP, and yet those error_log files still remain accessible. I can confirm that the code was updated into my root .htaccess though…

    #32694

    AITpro Admin
    Keymaster

    Very strange.  I tested this solution before posting it and it worked fine on my test site and the main ait-pro.com website:  https://www.ait-pro.com/error_log  If you click the link you will see a 403 error message since the error_log file is currently blocked on the main ait-pro.com website.  Maybe your server processes files without file extensions (ie .php, .txt, .log) differently?  The only other thing I can think of to try is to block or redirect by URI instead of by file.

    RedirectMatch 301 ^/error_log$ https://www.example.com/
    RedirectMatch 301 ^/wp-admin/error_log$ https://www.example.com/
    #32695

    Johnny
    Participant

    This one does block them though:

    # DENY BROWSER ACCESS TO THESE FILES
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # To be able to view these files from a Browser, replace 127.0.0.1 with your actual
    # current IP address. Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
    # Note: The BPS System Info page displays which modules are loaded on your server.
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|error_log)">
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </FilesMatch>

    What is the difference between the two codes?

    #32696

    AITpro Admin
    Keymaster

    That means your server does allow IfModule conditions to be used, which is bizarre since IfModule conditions have been an Apache standard for decades now.  Instead of processing the IfModule conditions your particular server just ignores the IfModule conditions and will not process any code inside of the IfModule conditions.  The code works exactly the same.  And actually that is why the standard BPS htaccess files do not contain IfModule conditions. Ie compensate for Hosts that are doing wierd stuff or not doing industry standard stuff. 😉

    #32697

    Johnny
    Participant

    You mean my server doesn’t allow IfModule conditions to be used? For example, I know that this one:

    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    Header set X-XSS-Protection "1; mode=block"
    </IfModule>

    Works, since the Sucuri Scanner stops picking up the X-XSS attack vulnerability for example. So why would it only not work in that case?

    #32700

    AITpro Admin
    Keymaster

    I guess I should have been absolutely specific.  What we have seen is some Hosts do stuff like they ignore this specific module name in this specific IfModule conditions below.   I have absolutely no idea why that is. It doesn’t make any logical sense so I have no idea how someone would even do that. 😉

    <IfModule mod_authz_core.c> and/or <IfModule mod_access_compat.c>
    #32701

    AITpro Admin
    Keymaster

    The BPS and BPS Pro plugins have an Apache IfModule checker that tests what works with your server or not and creates htaccess code in your BPS htaccess files that works on your particular server.  I should have had you grab your actual Root htaccess file code instead of having you use the example code I posted above, which works fine on our particular server. 😉

    #32702

    Johnny
    Participant

    Okay yes I understand! No worries, it got fixed in the end 🙂 Thanks!

Viewing 10 posts - 1 through 10 (of 10 total)

You must be logged in to reply to this topic.