The ModSecurity® Guardian Log

Last modified: April 26, 2024


This document explains how to install and configure Apache’s httpd-guardian script, which allows you to use ModSecurity’s SecGuardianLog directive. This script monitors web server requests via the piped log mechanism to detect Denial-of-Service (DoS) attacks. It tracks of the number of requests that IP address sends and calculates request speed at one minute and five minute intervals. After the requests reach a specified threshold, the httpd-guardian script either emits a warning or blocks the IP address. Error messages from the http-guardian script reside in the /var/log/apache2/error_log file.

After you download and configure the httpd-guardian script, you can specify the path to the script in the Guardian Log section of WHM’s ModSecurity® Configuration interface (WHM » Home » Security Center » ModSecurity® Configuration).

The httpd-guardian script ships with a version of The Spread toolkit, an open source toolkit, that you can configure. However, the script does not require this toolkit to function correctly.

Install and configure the http-guardian script

To install and configure the http-guardian script, perform the following steps:

  1. Download the apache-tools repository from the website. To do this, run the following command as the root user:
    cvs -z3 co -P apache-tools

    If the Concurrent Versioning System (CVS) does not exist on your server, install it via the yum install cvs command.

  2. Open the /root/apache-tools/http-guardian file with a text editor and make any desired configuration changes. For example, to enable the system to log data that it receives from Apache, set the COPY_LOG variable’s value to the log file’s filepath. This will resemble the following example:
    /# $COPY_LOG = "/var/lib/http-guardian.log";
    my $COPY_LOG;
  3. Log in to the WHM interface as the root user and navigate to WHM’s ModSecurity® Configuration interface (WHM » Home » Security Center » Modsecurity® Configuration).
  4. Enter the http-guardian script’s path in the Guardian Log setting’s text box, for example:
  5. After you save your changes in WHM’s ModSecurity® Configuration interface (WHM » Home » Security Center » Modsecurity® Configuration), restart Apache and check the process list for the httpd-guardian script. To do this, run the following command:
    ps faux | grep httpd-guardian | grep -v grep
    The output will resemble the following example:
    root 24722 0.0 0.3 28872 3272 ? S 19:31 0:00 \_ /usr/bin/perl -w /root/apache-tools/httpd-guardian

For more information about ModSecurity directives, read’s ModSecurity Reference Manual documentation.

Additional Documentation