How can I change nginx location? xtream UI panel keeps nginx and php files in its own files. | CrowdSec | Page 1

rough locust Feb 26, 2025, 2:16 PM

#

worthy joltBOT Feb 26, 2025, 2:16 PM

#

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

worthy joltBOT Feb 26, 2025, 2:16 PM

#

worthy jolt

Resolving How can I change nginx location? xtream UI panel keeps nginx and php files in its own files.

#

This has now been resolved. If you think this is a mistake please run /unresolve

worthy joltBOT Feb 26, 2025, 2:16 PM

#

worthy jolt

Unresolving How can I change nginx location? xtream UI panel keeps nginx and php files in its own files.

#

This has now been unresolved.

sour brook Feb 26, 2025, 2:20 PM

#

Hey @rough locust can you elaborate how the question is relative to CrowdSec?

rough locust Feb 26, 2025, 2:24 PM

#

the problem is as follows, nginx configuration
/home/xui/bin/nginx/
Is it configured in ?

sour brook Feb 26, 2025, 2:25 PM

#

rough locust the problem is as follows, nginx configuration /home/xui/bin/nginx/ Is it config...

but how is this related to CrowdSec?

rough locust Feb 26, 2025, 2:25 PM

#

The config file of port and all processes is here
server ports coming out from here

#

I want to do nginx protection. but I have everything related to CrowdSec installed.

#

#

But when I attack, it passes easily.

sour brook Feb 26, 2025, 2:28 PM

#

Okay, so best to start to describe the problem as currently you just stating where xstream keeps it stuff which doesnt matter

rough locust Feb 26, 2025, 2:28 PM

#

I'm trying to figure out how to structure this. I couldn't find the necessary documents

sour brook Feb 26, 2025, 2:28 PM

#

okay, did you check the metrics?

rough locust Feb 26, 2025, 2:29 PM

#

yes I checked.

#

but there is no result

sour brook Feb 26, 2025, 2:29 PM

#

okay, providing us the ouput helps as we cant magically see through your eye balls

rough locust Feb 26, 2025, 2:30 PM

#

If you want, I can send you the server information so that I can explain it to you in the best way. You can understand it much more easily.

sour brook Feb 26, 2025, 2:31 PM

#

well I just need to see the metrics thats all

rough locust Feb 26, 2025, 2:31 PM

#

Please write to me privately, I would like to send you the server information. I am operating with the test server. To understand the subject much better

sour brook Feb 26, 2025, 2:31 PM

#

rough locust Please write to me privately, I would like to send you the server information. I...

we dont log on to people machines as a rule so please provide us the information we request

rough locust Feb 26, 2025, 2:32 PM

#

sour brook Feb 26, 2025, 2:33 PM

#

Okay so I see buckets for ssh, but if you run cscli metrics show acquisition do you see the nginx logs?

rough locust Feb 26, 2025, 2:33 PM

#

#

#

sour brook Feb 26, 2025, 2:35 PM

#

rough locust

Okay so I dont see the nginx logs, do you know where they are configured to log? by default this is /var/log/nginx/ but it may change depending on config

rough locust Feb 26, 2025, 2:36 PM

#

how can i change it

sour brook Feb 26, 2025, 2:36 PM

#

rough locust how can i change it

Well firstly where is nginx logging too?

rough locust Feb 26, 2025, 2:36 PM

#

sour brook Feb 26, 2025, 2:37 PM

#

rough locust

that just the error.log, do you know where the access.log is?

rough locust Feb 26, 2025, 2:37 PM

#

I'm checking

#

saves to the same location. It creates a log itself

#

#

this is for rtmp

sour brook Feb 26, 2025, 2:39 PM

#

but my guess is the rtmp is for tcp access logs?

rough locust Feb 26, 2025, 2:39 PM

#

#

in this way. users. It communicates with the url pattern. Username and password control is checked by mysql mariadb. If true, it allows. Nginx grants file access permission to the user it deems correct and the stream starts.

sour brook Feb 26, 2025, 2:42 PM

#

but what are you trying to detect as for rtmp espically on nginx access layer, there isnt much information we can derive from the logs cause typically its a tcp layer connection

rough locust Feb 26, 2025, 2:44 PM

#

I want to prevent username and password attacks.

#

#

Username, password and MAC address scraping attacks are coming

#

I could not find the necessary documentation regarding nginx and mariadb configuration.

sour brook Feb 26, 2025, 2:53 PM

#

rough locust I could not find the necessary documentation regarding nginx and mariadb configu...

well like I said depends what inside those nginx log files, cause if it just tcp layer stuff we cant really look at username / password stuff cause nginx doesnt know about them

#

but you can configure them as the documentation states https://docs.crowdsec.net/u/getting_started/post_installation/acquisition_new

Adding a new Acquisition | CrowdSec

We will be adding a file based acquisition. If you need to use a different source then alter the instructions to match your needs.

rough locust Feb 26, 2025, 2:55 PM

#

I would like to ask one more question. How can I become security for mariadb? As a result, the username is returned with a query from SQL for password scraping.

sour brook Feb 26, 2025, 2:55 PM

#

filenames:
  - "/home/xui/bin/nginx*/logs/*.log"
labels:
  type: nginx

rough locust Feb 26, 2025, 2:57 PM

#

#

sour brook Feb 26, 2025, 2:58 PM

#

👍 ye then you can run sudo systemctl restart crowdsec

#

then if you sudo grep nginx /var/log/crowdsec.log

rough locust Feb 26, 2025, 2:59 PM

#

#

sour brook Feb 26, 2025, 3:02 PM

#

Okay, and if you give it little time and check cscli metrics show acquisition

rough locust Feb 26, 2025, 3:02 PM

#

host www

#

sour brook Feb 26, 2025, 3:04 PM

#

okay and is the log files actually used?

cat /home/xui/nginx*/logs/*.log

rough locust Feb 26, 2025, 3:04 PM

#

sour brook Feb 26, 2025, 3:05 PM

#

if you run ls -la /home/xui/nginx/logs/

rough locust Feb 26, 2025, 3:06 PM

#

/home/xui/bin/nginx/

sour brook Feb 26, 2025, 3:06 PM

#

what is the file size and access times cause it doesnt seem like they are used

rough locust Feb 26, 2025, 3:06 PM

#

folder

sour brook Feb 26, 2025, 3:07 PM

#

Okay, but what are the file sizes and access times?

rough locust Feb 26, 2025, 3:07 PM

#

ls -la /home/xui/bin/nginx/logs/

#

sour brook Feb 26, 2025, 3:08 PM

#

safe to say the access.log isnt actually used

#

so do you have access to the nginx configuration?

rough locust Feb 26, 2025, 3:08 PM

#

#

sour brook Feb 26, 2025, 3:09 PM

#

if you run with ls -la it can provide us more info

rough locust Feb 26, 2025, 3:10 PM

#

sour brook Feb 26, 2025, 3:10 PM

#

rough locust

I meant the ls -la /home/xui/bin/nginx*/logs/*.log

rough locust Feb 26, 2025, 3:11 PM

#

sour brook Feb 26, 2025, 3:12 PM

#

okay and if you run grep -R "access_log" /home/xui/bin/nginx/conf/

rough locust Feb 26, 2025, 3:12 PM

#

sour brook Feb 26, 2025, 3:12 PM

#

I missed the -R flag

rough locust Feb 26, 2025, 3:12 PM

#

sour brook Feb 26, 2025, 3:13 PM

#

ahhh hence why there no access log

rough locust Feb 26, 2025, 3:13 PM

#

Since it was a ready-made pattern, I didn't pay any attention to it. So how can I add it?

sour brook Feb 26, 2025, 3:14 PM

#

so the question is do you want to log traffic that comes into the admin panel as this is configuration for the admin panel I guess

#

cause if people are streaming they are going through the rtmp no?

rough locust Feb 26, 2025, 3:15 PM

#

📎 nginx.conf

#

sample stream pattern in configuration file

#

http://94.154.32.88:80/username/pass/202853.ts

#

In this way the user monitors the stream flow m3u

sour brook Feb 26, 2025, 3:19 PM

#

so /home/xui/www/ has an auth.php?

rough locust Feb 26, 2025, 3:21 PM

#

sour brook Feb 26, 2025, 3:21 PM

#

ahhh must be within /stream/

rough locust Feb 26, 2025, 3:22 PM

#

#

When the video stream starts downloading it looks like this

sour brook Feb 26, 2025, 3:22 PM

#

yeah but the nginx configuration has a shed ton of rewrites to get to /stream/auth.php so would be useful if you can dm me that file

rough locust Feb 26, 2025, 3:23 PM

#

sour brook Feb 26, 2025, 3:23 PM

#

I want to make sure there nothing that would explode if we turn on access logs

rough locust Feb 26, 2025, 3:23 PM

#

yes

#

/home/xui/www/stream/

#

sour brook Feb 26, 2025, 3:24 PM

#

yeah if you can DM the auth.php file just want to make sure how it works before enabling the access logs

rough locust Feb 26, 2025, 3:25 PM

#

yes of course

#How can I change nginx location? xtream UI panel keeps nginx and php files in its own files.