The ModSecurity Guardian Log
This document explains how to install and configure Apache’s httpd-guardian script, which allows you to use ModSecurity™’s SecGuardianLog directive. This script monitors web server requests via the piped log mechanism to detect Denial-of-Service (DoS) attacks. It tracks the number of requests that an IP address sends and calculates request speed at one-minute and five-minute intervals. After the requests reach a specified threshold, the httpd-guardian script either emits a warning or blocks the IP address. Error messages from the httpd-guardian script reside in the
After you download and configure the httpd-guardian script, you can specify the path to the script in the Guardian Log section of WHM’s ModSecurity Configuration interface (WHM >> Home >> Security Center >> Modsecurity Configuration).
The httpd-guardian script ships with a version of The Spread toolkit, an open source toolkit, that you can configure. However, the script does not require this toolkit to function correctly.
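The per-IP rate tracking described at the top of this page, as an added sketch that is not the httpd-guardian script's own code: a sliding-window counter that computes one-minute and five-minute request rates and flags an IP address once either rate passes a threshold. The `epoch ip` input lines, the threshold values, and all function names are assumptions made for this example.

```python
from collections import defaultdict, deque

# Assumed thresholds in requests per second (hypothetical values for this sketch).
THRESHOLD_1MIN, THRESHOLD_5MIN = 2.0, 1.0
WINDOW_1MIN, WINDOW_5MIN = 60, 300  # window lengths in seconds

class RateTracker:
    """Per-IP sliding-window request counter with 1- and 5-minute rates."""
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> timestamps inside the 5-minute window

    def record(self, ip, ts):
        """Record one request and return (rate_1min, rate_5min, over_threshold)."""
        q = self.hits[ip]
        q.append(ts)
        while q and q[0] <= ts - WINDOW_5MIN:  # expire entries older than 5 minutes
            q.popleft()
        in_1min = sum(1 for t in q if t > ts - WINDOW_1MIN)
        rate_1 = in_1min / WINDOW_1MIN
        rate_5 = len(q) / WINDOW_5MIN
        over = rate_1 > THRESHOLD_1MIN or rate_5 > THRESHOLD_5MIN
        return rate_1, rate_5, over

def parse_line(line):
    """Parse a constructed 'epoch ip' line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 2:
        return None
    try:
        return parts[1], float(parts[0])
    except ValueError:
        return None

def flagged_ips(lines):
    """Feed lines through the tracker and return the set of IPs over threshold."""
    tracker, flagged = RateTracker(), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a piped-log consumer must keep running on a bad line
        ip, ts = parsed
        if tracker.record(ip, ts)[2]:
            flagged.add(ip)
    return flagged

# Constructed sample: one client sends 150 requests in 30 s, another 1 every 10 s.
SAMPLE = [f"{1000 + i * 0.2:.1f} 198.51.100.7" for i in range(150)]
SAMPLE += [f"{1000 + i * 10} 203.0.113.9" for i in range(30)]
SAMPLE.append("garbage")  # malformed line, skipped by parse_line
```

With these assumed thresholds, `flagged_ips(SAMPLE)` flags only the burst client, which crosses the one-minute rate on its 121st request while the slow client stays under both limits.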
Install and configure the httpd-guardian script
To install and configure the httpd-guardian script, perform the following steps:
- Download the apache-tools repository from the sourceforge.net website. To do this, run the following command as the root user:
cvs -z3 -d:pserver:email@example.com:/cvsroot/apache-tools co -P apache-tools
Note: If the Concurrent Versioning System (CVS) does not exist on your server, install it via the yum install cvs command.
- Open the /root/apache-tools/httpd-guardian file with a text editor and make any desired configuration changes. For example, to enable the system to log data that it receives from Apache, set the COPY_LOG variable’s value to the log file’s filepath. This will resemble the following example:
# $COPY_LOG = "/var/lib/http-guardian.log";
- Log in to the WHM interface as the root user and navigate to WHM’s ModSecurity Configuration interface (WHM >> Home >> Security Center >> Modsecurity Configuration).
- Enter the httpd-guardian script’s path in the Guardian Log setting’s text box, for example:
After you save your changes in WHM’s ModSecurity Configuration interface (WHM >> Home >> Security Center >> Modsecurity Configuration), restart Apache and check the process list for the httpd-guardian script. To do this, run the following command:
ps faux | grep httpd-guardian | grep -v grep
The output will resemble the following example:
root 24722 0.0 0.3 28872 3272 ? S 19:31 0:00 \_ /usr/bin/perl -w /root/apache-tools/httpd-guardian
For more information about ModSecurity directives, read github.com’s ModSecurity Reference Manual documentation.