The ModSecurity Guardian Log
Last modified: August 28, 2019
This document explains how to install and configure Apache’s httpd-guardian script, which allows you to use ModSecurity’s™ SecGuardianLog directive. This script monitors web server requests via the piped log mechanism to detect Denial-of-Service (DoS) attacks. It tracks the number of requests that each IP address sends and calculates request speed at one-minute and five-minute intervals. After the requests reach a specified threshold, the httpd-guardian script either emits a warning or blocks the IP address. Error messages from the httpd-guardian script reside in the
After you download and configure the httpd-guardian script, you can specify the path to the script in the Guardian Log section of WHM’s ModSecurity Configuration interface (WHM >> Home >> Security Center >> ModSecurity Configuration).
The httpd-guardian script ships with a version of The Spread toolkit, an open source toolkit, that you can configure. However, the script does not require this toolkit to function correctly.
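The per-IP request-speed tracking described above can be sketched as follows. This is an added example, not code from httpd-guardian or cPanel: it uses a plain sliding-window count, and the `<epoch> <ip>` input format, the threshold values, and all function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Hypothetical thresholds in requests per second (not the script's defaults).
THRESHOLD_1MIN = 2.0
THRESHOLD_5MIN = 1.0

class RateTracker:
    """Per-IP request speed over 60 s and 300 s sliding windows."""
    def __init__(self):
        self.seen = defaultdict(deque)  # ip -> timestamps from the last 300 s
        self.flagged = {}               # ip -> (timestamp, window) of first alert

    def observe(self, ts, ip):
        q = self.seen[ip]
        q.append(ts)
        while q[0] <= ts - 300:         # expire entries older than 5 minutes
            q.popleft()
        rate_1 = sum(1 for t in q if t > ts - 60) / 60.0
        rate_5 = len(q) / 300.0
        if ip not in self.flagged:
            if rate_1 > THRESHOLD_1MIN:
                self.flagged[ip] = (ts, "1min")
            elif rate_5 > THRESHOLD_5MIN:
                self.flagged[ip] = (ts, "5min")
        return rate_1, rate_5

def parse_line(line):
    """Parse a constructed '<epoch> <ip>' line; return None if malformed."""
    parts = line.split()
    if len(parts) != 2 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1]

def run(lines):
    tracker = RateTracker()
    for rec in filter(None, map(parse_line, lines)):
        tracker.observe(*rec)
    return tracker.flagged

def sample_lines():
    """Constructed traffic: a burst, a slow sustained sender, a normal client."""
    events = [(1000 + s, "203.0.113.5") for s in range(30) for _ in range(5)]
    events += [(1000 + s, "198.51.100.7") for s in range(0, 400, 2) for _ in range(3)]
    events += [(1000 + s, "192.0.2.10") for s in range(0, 400, 10)]
    events.sort(key=lambda e: e[0])
    return ["not a log line"] + ["%d %s" % e for e in events]

if __name__ == "__main__":
    for ip, (ts, window) in sorted(run(sample_lines()).items()):
        print("%s exceeded the %s threshold at t=%d" % (ip, window, ts))
```

The slow sender never trips the one-minute check but is caught by the five-minute one, which is why tracking both intervals matters.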
Install and configure the httpd-guardian script
To install and configure the httpd-guardian script, perform the following steps:
- Download the apache-tools repository from the sourceforge.net website. To do this, run the following command as the
cvs -z3 -d:pserver:firstname.lastname@example.org:/cvsroot/apache-tools co -P apache-tools
Note:
If the Concurrent Versioning System (CVS) does not exist on your server, install it via the yum install cvs command.
- Open the /root/apache-tools/httpd-guardian file with a text editor and make any desired configuration changes. For example, to enable the system to log data that it receives from Apache, set the COPY_LOG variable’s value to the log file’s filepath. This will resemble the following example:
my $COPY_LOG = "/var/lib/http-guardian.log";
- Log in to the WHM interface as the root user and navigate to WHM’s ModSecurity Configuration interface (WHM >> Home >> Security Center >> ModSecurity Configuration).
- Enter the httpd-guardian script’s path in the Guardian Log setting’s text box, for example:
- After you save your changes in WHM’s ModSecurity Configuration interface (WHM >> Home >> Security Center >> ModSecurity Configuration), restart Apache and check the process list for the httpd-guardian script. To do this, run the following command:
ps faux | grep httpd-guardian | grep -v grep
The output will resemble the following example:
root 24722 0.0 0.3 28872 3272 ? S 19:31 0:00 \_ /usr/bin/perl -w /root/apache-tools/httpd-guardian
For more information about ModSecurity directives, read github.com’s ModSecurity Reference Manual documentation.