
I'm just wondering whether there is some module which can detect a certain event in the access/error log and, if it matches, send an email with the information.

Example: I want to detect when someone makes requests like this: www.mysite.com/../../../etc/passwd or similar. I want to be informed via email when that happens.

Thanks in advance.

3 Answers

2

It's not impossible, but I wouldn't recommend doing it with a module.

Instead, use something like apache-scalp to continuously parse the logfile and generate alarm mails.

(If you do want to do it with an apache module, you'd need to redirect those requests to an error page consisting of a script which will send the mail. Look for the Redirect and Location directives. But it'd be a big hassle to keep it up to date.)

Jenny D
1

Usually such things are not needed. On one of my LAMP servers, I've configured fail2ban to detect a lot of 404\503\etc. responses and ban httpd access from the user's IP for 10 minutes. I did this because of old hardware, to prevent overloading the server due to a lot of simultaneous requests.

Next idea, you could write a parser for logs :)

dr-evil
  • fail2ban - Hmm, interesting. I will check whether this is going to fit my needs. Thanks. – Daniel Stoinov Jan 11 '13 at 12:07
  • +1 fail2ban -- you can use it to check for any regular expression in the logs, so you could block on HTTP status codes as mentioned, or on specific strings e.g. `/etc/passwd/` or `/../` – xofer Jan 12 '13 at 22:14
  • But what if I don't want to automatically ban, but only to mark them as a potential security threat? – Daniel Stoinov Feb 04 '13 at 09:36
  • I have "experimental" rules :) 1. One to create a log with "potential security threat" entries 2. One to parse this log and ban repeating threats – dr-evil Feb 04 '13 at 12:43
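The two-stage rule set described in the comments above (log every suspicious request as a "potential security threat", ban only an IP that repeats within a time window) is what a fail2ban filter plus maxretry/findtime does. The following is an added, stand-alone Python sketch of that logic, not part of the original answers and not fail2ban's own code. It parses Apache combined-format lines, URL-decodes the request path so percent-encoded traversal (`%2e%2e%2f`, and double-encoded `%252e`) is caught as well, and then separates one-off hits from repeat offenders. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Traversal indicators, applied to the decoded path (hypothetical rule set,
# extend as needed; the comments above mention "/etc/passwd" and "/../").
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd|/etc/shadow)', re.IGNORECASE)


def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_traversal(path):
    # Decode twice so double-encoded "%252e" -> "%2e" -> "." is caught too.
    decoded = unquote(unquote(path))
    return bool(TRAVERSAL_RE.search(decoded))


def classify(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Stage 1: every traversal hit is flagged (ip, path) -> 'potential threat'.
    Stage 2: an IP with >= maxretry hits inside any findtime window -> ban candidate."""
    hits = defaultdict(list)   # ip -> timestamps of traversal attempts
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_traversal(rec["path"]):
            continue
        flagged.append((rec["ip"], rec["path"]))
        hits[rec["ip"]].append(rec["ts"])

    ban = set()
    for ip, stamps in hits.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            window = [t for t in stamps[i:] if t - start <= findtime]
            if len(window) >= maxretry:
                ban.add(ip)
                break
    return flagged, sorted(ban)


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2013:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jan/2013:12:00:05 +0000] "GET /../../../etc/passwd HTTP/1.1" 404 209 "-" "curl/7.2"',
    '203.0.113.9 - - [11/Jan/2013:12:00:07 +0000] "GET /cgi-bin/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 209 "-" "curl/7.2"',
    '203.0.113.9 - - [11/Jan/2013:12:00:09 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 209 "-" "curl/7.2"',
    '198.51.100.7 - - [11/Jan/2013:12:30:00 +0000] "GET /images/../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    flagged, ban = classify(SAMPLE_LOG)
    for ip, path in flagged:
        print(f"potential security threat: {ip} requested {path}")
    for ip in ban:
        print(f"ban candidate (repeated within window): {ip}")
```

With the sample data, four requests are flagged, but only 203.0.113.9 crosses the repeat threshold; 198.51.100.7 stays at "potential threat", which is the distinction asked for in the comment. The decode-before-match step matters because a filter that only looks for the literal `/../` in the raw log line misses encoded variants.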
0

Create a script called log_monitor.sh:

#!/usr/bin/perl -w

use strict;

# Byte offset reached on the previous run is cached here, so each run
# only reports entries written since then.
my $cachefile="/var/cache/lastpos-apache2-scan4maxclntOrSigKill";
my $logfile="/var/log/httpd/error_log";
my $searchstr="sigkill|reached maxclients|apply process slot|read data timeout|Premature end of script headers";

my $lastpos=0;
if (-f $cachefile) {
    open my $cache, "<", $cachefile or die "cannot read $cachefile: $!";
    my $saved = <$cache>;
    close $cache;
    # Accept only a plain number; an empty or corrupt cache restarts from 0.
    $lastpos = $1 if defined $saved && $saved =~ /^(\d+)/;
}

my $newpos=(stat $logfile)[7];
die "cannot stat $logfile: $!" unless defined $newpos;

# If the log shrank (logrotate replaced it), scan the new file from the start.
$lastpos = 0 if $lastpos > $newpos;

open my $log, "<", $logfile or die "cannot open $logfile: $!";
seek $log, $lastpos, 0;
while (<$log>) {
    print if m/$searchstr/i;   # anything printed ends up in cron's mail
}
close $log;

open my $cache, ">", $cachefile or die "cannot write $cachefile: $!";
print $cache $newpos;
close $cache;

Modify $searchstr as needed.

Configure the script to run every X minutes via cron. The greater the value of X, the fewer emails you will get (only 1 email every X minutes for all the errors that match the strings you supply). The results of the cron job will get emailed to you automatically (if cron is set up properly).

Gaia
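The cron-driven approach above relies on remembering how far into the log the last run got. The following is an added Python equivalent of that scheme, not the answer's own script, that also covers two cases the basic version leaves open: a log that has been rotated (the file is now smaller than the saved offset) and a last line that Apache is still in the middle of writing. Instead of relying on cron to mail whatever is printed, it builds the alert as a proper email and hands it to sendmail. The log path, cache path, sendmail location and addresses are assumptions for the example.

```python
import os
import re
import subprocess
from email.message import EmailMessage


def scan_new_lines(logfile, cachefile, pattern):
    """Return lines appended to logfile since the offset saved in cachefile
    that match the compiled regex `pattern`, then save the new offset.
    Rotation (file shrank) restarts from byte 0; a trailing partial line
    is left unread so it is delivered complete on the next run."""
    lastpos = 0
    try:
        with open(cachefile) as fh:
            lastpos = int(fh.read().strip() or 0)
    except (FileNotFoundError, ValueError):
        lastpos = 0

    if os.stat(logfile).st_size < lastpos:
        lastpos = 0  # logrotate replaced the file: rescan from the start

    matches = []
    newpos = lastpos
    with open(logfile, "rb") as fh:
        fh.seek(lastpos)
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # incomplete line still being written; re-read next run
            newpos += len(raw)  # count bytes, so the offset stays exact
            line = raw.decode("utf-8", "replace").rstrip("\n")
            if pattern.search(line):
                matches.append(line)

    # Write the offset atomically so an interrupted run cannot corrupt it.
    tmp = cachefile + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(str(newpos))
    os.replace(tmp, cachefile)
    return matches


def build_alert(matches, logfile, sender, recipient):
    """Package the matching lines as a plain-text email."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[log_monitor] {len(matches)} suspicious entries in {logfile}"
    msg.set_content("\n".join(matches) + "\n")
    return msg


def send_with_sendmail(msg, sendmail="/usr/sbin/sendmail"):
    # sendmail(8) reads the message on stdin; -t takes recipients from the headers.
    subprocess.run([sendmail, "-t", "-oi"], input=msg.as_bytes(), check=True)


if __name__ == "__main__":
    # Assumed paths/addresses; adjust for your host.
    LOGFILE = "/var/log/httpd/access_log"
    CACHEFILE = "/var/cache/log_monitor.pos"
    PATTERN = re.compile(r"\.\./|/etc/passwd|sigkill|reached maxclients", re.IGNORECASE)
    hits = scan_new_lines(LOGFILE, CACHEFILE, PATTERN)
    if hits:
        send_with_sendmail(build_alert(hits, LOGFILE, "root@localhost", "admin@example.com"))
```

Run it from cron exactly as the answer describes; one mail per run summarises every new match, and a run with no matches sends nothing. Because the offset is tracked in bytes and written atomically, two consecutive runs never report the same line twice, and a rotated log is picked up from its beginning rather than silently skipped.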