🧱 Apache Log Security Monitor (Perl)

Version: 2.3
Language: Perl
Purpose: Automated intrusion detection and firewall banning tool for Apache web servers.
📜 Overview
This Perl-based security monitoring tool analyzes Apache access logs in real time (or retrospectively) to detect and automatically block suspicious or malicious IP addresses. It identifies a wide variety of attack attempts — such as SQL injection, XSS, remote code execution, path traversal, and brute-force activity — and adds offenders to the system firewall using iptables.
The script also logs all banned IPs in a CSV file (banned_ips_abuseipdb.csv), formatted for easy submission to security platforms like AbuseIPDB.
⚙️ Features
🧩 Pattern-Based Intrusion Detection: Over 150 signature patterns for exploits, scans, and injection attempts. Includes detection of:
SQLi, XSS, RCE, LFI/RFI
Directory traversal
WordPress, phpMyAdmin, Docker, and SSH access attempts
Automated scanners (Nmap, Nikto, WPScan, SQLmap, etc.)
☁️ Cloudflare IP Bypass: Automatically skips Cloudflare's published proxy IP ranges, so a rule is never inserted against a Cloudflare edge address (which would cut off every visitor routed through that edge). Note that if the site sits behind Cloudflare, the address in the access log is the edge's unless Apache restores the real client address (for example with mod_remoteip reading CF-Connecting-IP); until that is configured, attackers arriving through Cloudflare are skipped rather than banned.
🔒 Firewall Integration: Suspicious IPs are automatically banned via iptables with a single rule insertion per address. Rules inserted at runtime are not persistent: save them (for example with iptables-save) if bans should survive a reboot.
📊 AbuseIPDB-Ready Logging: Logs banned IPs with timestamps, threat category, and description to banned_ips_abuseipdb.csv.
💾 Exemption List: Easily whitelist trusted IPs (e.g., your own) to prevent accidental bans.
🎨 Terminal UI: Includes colorful ASCII banner and color-coded alerts for readability.
📂 Output Files
banned_ips_abuseipdb.csv – CSV log of all blocked IPs, one row per ban:

```csv
IP,ReportDate,Comment,Categories
192.168.1.100,2025-10-18 14:55:32,"SQL injection attempt",19
```

The Categories column uses the script's own numeric codes:

18 – Web App Attack
19 – SQL Injection
21 – Scanning Attempt
22 – Brute-force

Note that these numbers do not match the category IDs AbuseIPDB publishes (there, 14 is Port Scan, 16 is SQL Injection, 18 is Brute-Force and 21 is Web App Attack), and AbuseIPDB's bulk-report template expects the columns in the order IP,Categories,ReportDate,Comment with an ISO 8601 timestamp including a timezone offset. Remap the codes and reorder the columns before uploading, or the reports will be filed under the wrong categories.
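As an added, self-contained example (not the project's apache_monitor.pl), the script below shows the pipeline described in the Features and Output Files sections end to end: parse an Apache combined-format line, skip exempt and Cloudflare-proxied addresses, match a small signature table, insert (or, in dry-run mode, print) a single iptables rule per offender, and append an AbuseIPDB-style CSV row. The signature set, the exemption list, the two Cloudflare ranges and the sample log lines are all constructed for the example. Its category numbers are AbuseIPDB's published IDs (16 SQL Injection, 21 Web App Attack, 14 Port Scan, 18 Brute-Force) rather than the script's own table, and its CSV columns follow AbuseIPDB's bulk-report order.

```perl
#!/usr/bin/env perl
# Added example, not the project's apache_monitor.pl: a minimal version of the
# log -> signature -> ban -> CSV pipeline. Uses only core modules.
use strict;
use warnings;
use Socket qw(inet_aton);
use POSIX  qw(strftime);

my $DRY_RUN = 1;   # 1: print the iptables command; 0: really run it (needs root)
my $CSV     = 'banned_ips_abuseipdb.csv';

# Exemption list: addresses that are never banned (constructed values).
my @EXEMPT = qw(127.0.0.1 203.0.113.10);

# Two of Cloudflare's published IPv4 ranges. Assumption: in production the full,
# current list from https://www.cloudflare.com/ips-v4 would be loaded here.
my @CLOUDFLARE = qw(173.245.48.0/20 104.16.0.0/13);

# Signature table (constructed). Each regex is tried against the request line and
# the User-Agent; cat is the category ID as published by AbuseIPDB.
my @SIGNATURES = (
    { re  => qr/union(?:\s|\+|%20)+select|(?:'|%27)(?:\s|\+|%20)*or(?:\s|\+|%20)+1(?:=|%3D)1/i,
      cat => 16, comment => 'SQL injection attempt' },
    { re  => qr{\.\./|%2e%2e%2f|/etc/passwd}i,
      cat => 21, comment => 'Path traversal / LFI attempt' },
    { re  => qr/sqlmap|nikto|wpscan|nmap scripting engine/i,
      cat => 14, comment => 'Automated vulnerability scanner' },
    { re  => qr{/wp-login\.php|/xmlrpc\.php}i,
      cat => 18, comment => 'WordPress login brute-force' },
);

# True if dotted-quad $ip falls inside $cidr (IPv4 only).
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $packed = inet_aton($ip) or return 0;
    my $mask   = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ((unpack('N', $packed) & $mask) == (unpack('N', inet_aton($net)) & $mask));
}

# Return the first matching signature for a request line / user agent, or undef.
sub classify {
    my ($request, $ua) = @_;
    for my $sig (@SIGNATURES) {
        return $sig if $request =~ $sig->{re} || $ua =~ $sig->{re};
    }
    return;
}

# Insert one DROP rule for the address and append an AbuseIPDB bulk-report row
# (column order IP,Categories,ReportDate,Comment, ISO 8601 timestamp).
sub ban {
    my ($ip, $sig) = @_;
    my @cmd = ('iptables', '-I', 'INPUT', '-s', $ip, '-j', 'DROP');
    if ($DRY_RUN) { print "[DRY RUN] @cmd\n" }
    else          { system(@cmd) == 0 or warn "iptables failed for $ip: $?\n" }
    my $when = strftime('%Y-%m-%dT%H:%M:%S%z', localtime);
    open my $fh, '>>', $CSV or die "cannot open $CSV: $!";
    print {$fh} join(',', $ip, $sig->{cat}, $when, qq("$sig->{comment}")), "\n";
    close $fh;
    printf "BANNED %-15s cat=%-2d %s\n", $ip, $sig->{cat}, $sig->{comment};
}

my %seen;   # one rule per offender, even if it trips many signatures

# Parse one Apache combined-format line, apply the checks in order, and act on it.
sub handle_line {
    my ($line) = @_;
    my ($ip, $request, $ua) = $line =~
        m{^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} (?:\d+|-) "[^"]*" "([^"]*)"}
        or return 'unparsed';
    return 'exempt'     if grep { $_ eq $ip } @EXEMPT;
    return 'cloudflare' if grep { in_cidr($ip, $_) } @CLOUDFLARE;  # proxy edge, not the client
    my $sig = classify($request, $ua) or return 'clean';
    return 'already-banned' if $seen{$ip}++;
    ban($ip, $sig);
    return 'banned';
}

# Constructed sample lines (not real traffic) in Apache combined log format.
my @SAMPLE = (
    '198.51.100.23 - - [18/Oct/2025:14:55:32 +0000] "GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Oct/2025:14:55:33 +0000] "GET /index.php?id=1 UNION SELECT 1,2,3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [18/Oct/2025:14:56:01 +0000] "GET /../../etc/passwd HTTP/1.1" 404 209 "-" "curl/8.0"',
    '173.245.48.9 - - [18/Oct/2025:14:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [18/Oct/2025:14:57:00 +0000] "GET /?q=test HTTP/1.1" 200 100 "-" "sqlmap/1.7"',
    '198.51.100.5 - - [18/Oct/2025:14:58:00 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
);

if (@ARGV) {                       # perl example.pl /var/log/apache2/access.log
    open my $log, '<', $ARGV[0] or die "cannot open $ARGV[0]: $!";
    while (my $line = <$log>) { handle_line($line) }
} else {                           # no argument: run over the constructed samples
    printf "%-14s %s\n", handle_line($_), (split ' ', $_)[0] for @SAMPLE;
}
```

Run without arguments it processes the constructed samples: the first 198.51.100.23 line is banned for SQL injection and the second is reported as already banned, 192.0.2.77 is banned for the traversal attempt, the wp-login request from a Cloudflare edge address and the sqlmap request from the exempt address are both skipped, and the plain page fetch is clean. The CSV row is written even in dry-run mode so the report format can be inspected; set $DRY_RUN to 0 and run as root to actually insert the rules.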
🚀 Usage

```bash
perl apache_monitor.pl /var/log/apache2/access.log
```

The script reads the given Apache access log, matches each line against the known exploit patterns, and inserts an iptables ban for each offending address. Run it as root or via sudo, since the ban step calls iptables.
🧰 Requirements

Perl 5+
Root or sudo privileges (for iptables)
Modules (all shipped with core Perl): Term::ANSIColor, Time::HiRes, Config, POSIX