Page tree
Skip to end of metadata
Go to start of metadata

Overview

This document explains how to install and configure Apache's httpd-guardian script, which allows you to use ModSecurity's™ SecGuardianLog directive. This script monitors web server requests via the piped log mechanism to detect Denial-of-Service (DoS) attacks. It tracks of the number of requests that IP address sends and calculates request speed at one minute and five minute intervals. After the requests reach a specified threshold, the httpd-guardian script either emits a warning or blocks the IP address. Error messages from the http-guardian script reside in the /var/log/apache2/error_log file.

After you download and configure the httpd-guardian script, you can specify the path to the script in the Guardian Log section of WHM's ModSecurity Configuration interface (WHM >> Home >> Security Center >> Modsecurity Configuration).

Note:

The httpd-guardian script ships with a version of The Spread toolkit, an open source toolkit, that you can configure. However, the script does not require this toolkit to function correctly.

Install and configure the http-guardian script

To install and configure the http-guardian script, perform the following steps:

  1. Download the apache-tools repository from the sourceforge.net website. To do this, run the following command as the root user:

    cvs -z3 -d:pserver:anonymous@a.cvs.sourceforge.net:/cvsroot/apache-tools co -P apache-tools

    Note:

    If the Concurrent Versioning System (CVS) does not exist on your server, install it via the yum install cvs command.
  2. Open the /root/apache-tools/http-guardian file with a text editor and make any desired configuration changes. For example, to enable the system to log data that it receives from Apache, set the COPY_LOG variable's value to the log file's filepath. This will resemble the following example:

    # $COPY_LOG = "/var/lib/http-guardian.log";
    my $COPY_LOG;
  3. Log in to the WHM interface as the root user and navigate to WHM's ModSecurity Configuration interface (WHM >> Home >> Security Center >> Modsecurity Configuration).
  4. Enter the http-guardian script's path in the Guardian Log setting's text box, for example:

    /root/apache-tools/httpd-guardian
  5. After you save your changes in WHM's ModSecurity Configuration interface (WHM >> Home >> Security Center >> Modsecurity Configuration), restart Apache and check the process list for the httpd-guardian script. To do this, run the following command:

    ps faux | grep httpd-guardian | grep -v grep

    The output will resemble the following example:

    root 24722 0.0 0.3 28872 3272 ? S 19:31 0:00 \_ /usr/bin/perl -w /root/apache-tools/httpd-guardian

For more information about ModSecurity directives, read github.com's ModSecurity Reference Manual documentation.

Additional Documentation