Too long of string allowed in securitycheckpro_logs

2 days 2 hours ago #9384 by axiom
The original_string within the securitycheckpro_logs table is a MEDIUMTEXT string allowing over 16M characters to be stored.  As a result that table has grown unreasonably for us:  It currently is over 5GB in size with 9,266 rows!  It has also drastically slowed down our access to the admin area.  I am currently truncating that table and expect to see our performance issue resolved, but it would be good to restrict that original_string URL so we don't run into this again.

1 day 17 hours ago - 1 day 17 hours ago #9385 by Jose
Hi axiom,

The idea with logs is to check them every day, take action (mainly adding IPs to the blacklist) and then delete them or keep those of interest to you. Unless you suffered a brutal campaign of attacks in a short period of time generating that amount of logs, it makes no sense to keep 9266 rows.

The extension allows you to delete logs older than a certain number of days; you can configure it from Waf configuration -> Logs tab -> Days to delete logs after field. A good value for this field is 60.

Regards,
Jose
Last edit: 1 day 17 hours ago by Jose. Reason: Fix a typo

1 day 11 hours ago #9386 by axiom
Thank you.  60 days is the current value and as mentioned it had grown to 5GB so that is not a good value.  After truncating yesterday, it grew to 86MB overnight with 112 records.  It seems we have one particular agent / IP responsible for 50 entries, making very large posts which trigger FORBIDDEN_WORDS entries in the log.  Is there a way to adjust the auto blacklist to blacklist them after too many attempts?  Thanks again

1 day 10 hours ago #9387 by Jose
Hi axiom,

If this is a false positive, then you can avoid new logs by adding the component as an exception (there is a button to do that at the top of the logs page).

If this is a real attack, then add the IP to the blacklist. This way the offending IP will not be able to access the site or generate new logs.

Anyway, there is a setting to limit the number of log entries per IP and day. You can find it in Waf configuration -> Logs tab -> Maximum number of logs per IP and day field.

Regards,
Jose
