httpd_parser_block for phorum.study-area.org
============================================

This is the Apache log checker used at http://phorum.study-area.org.
This Perl script parses the httpd access log to find signs of malware activity, and writes the offending client IPs into an Apache block file.

Require
=======
1. sed

Check item
==========
1. A client requesting too many pages that return a 4xx status.


Usage
=====

[haway@asus-srv4 httpd_parser_block]$ perl main.pl -h
Usage:
    main.pl [options] [log_file]

    options:

     --config               config file location.
     --debug                turn on debug message.
     --reset                Reset seek of log file and clean block list.
     --blockclean   Clean block list of apache file.

    log_file:

     /var/log/httpd/access_log

    example:

     ]# perl main.pl -c /root/config /var/log/httpd/access_log
     ]# perl main.pl -c /root/config --debug /var/log/httpd/access_log
     ]# perl main.pl -c /root/config --reset
     ]# perl main.pl -c /root/config --blockclean


INSTALL
=======

1. Create the config file
	- vi config (create new) or `cp config-example config`; the format is described below.
2. Make sure the "apacheblockfile" location in config is correct.
3. Reset
	- perl main.pl -c /root/config --reset
4. Run this Perl script from crontab, and reload Apache afterwards.
	- */15 * * * * perl main.pl -c /root/config /var/log/httpd/access_log && /sbin/service httpd reload > /dev/null 2>/dev/null
5. Reset it every day, either from crontab or from /etc/logrotate.d/httpd
	5.1 Crontab
		- 01 0 * * * perl main.pl -c /root/config --reset
	5.2 Logrotate
		postrotate
			/usr/bin/perl /root/httpd_block/main.pl -c /root/httpd_block/config --reset
		endscript
6. Clean the block list (if you need to).
	- 00 7,19 * * * perl main.pl -c /root/config --blockclean


config file options
===================

arraylimit:1000
 - Number of log lines to read and check.
status4xxlimit:20
 - Maximum number of 4xx responses a client may produce within the lines read; exceeding it is the block rule.
apacheblockfile:/etc/httpd/conf.d/phorum-block.conf
 - Location of the Apache configuration file the script writes.
seek:23456
 - Saved file offset of the log; do NOT modify this line.

config file example
===================
arraylimit:10000
status4xxlimit:10
apacheblockfile:/etc/httpd/conf.d/phorum-block.conf


Output of Apache configure file
================================

#Do not edit this file, this is config by httpd_parser_block, you maybe found it in crontab.
<Directory /var/www/html/phorum.study-area.org>
	SetEnvIF X-Forwarded-For "(,| |^)1\.11\.22\.33(,| |$)" DenyIP
	SetEnvIF X-Forwarded-For "(,| |^)55\.66\.77\.88(,| |$)" DenyIP
	## insert rule ##
	Order allow,deny
	Deny from env=DenyIP
	Allow from all
</Directory>
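The three pieces described above (the 4xx check item, the config options including the saved seek, and the generated block file) fit together as follows. This is an added Python illustration of the same logic, not the project's own Perl code: it assumes a combined-format access_log whose first field is the client address, it treats reaching `status4xxlimit` as triggering the rule (the README does not say whether the limit itself counts), and the config values, log lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed config in the README's "key:value" format. The numbers are
# chosen for the sample below, not the README's recommended values.
CONFIG_TEXT = """arraylimit:1000
status4xxlimit:3
apacheblockfile:/etc/httpd/conf.d/phorum-block.conf
seek:0
"""

# Constructed access_log sample in Apache combined format. Addresses are from
# documentation ranges; the log is assumed to record the client address first.
SAMPLE_LOG = (
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"\n'
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0800] "GET /admin.php HTTP/1.1" 404 209 "-" "curl/7.61"\n'
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0800] "GET /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.61"\n'
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.61"\n'
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0800] "POST /login.php HTTP/1.1" 403 199 "-" "curl/7.61"\n'
    '203.0.113.10 - - [10/Oct/2023:13:55:40 +0800] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"\n'
)

# Client address, then the bracketed timestamp, the quoted request, the status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')


def parse_config(text):
    """Parse the README's "key:value" config lines into a dict of strings."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip()
    return cfg


def scan_log(log_bytes, seek, arraylimit):
    """Count 4xx responses per client IP, starting at byte offset `seek` and
    reading at most `arraylimit` lines. Returns (counts, new_seek) so the
    caller can persist the offset like the README's "seek" config line."""
    counts = Counter()
    pos = seek
    lines_read = 0
    while pos < len(log_bytes) and lines_read < arraylimit:
        nl = log_bytes.find(b"\n", pos)
        if nl == -1:
            break  # partially written last line: leave it for the next run
        line = log_bytes[pos:nl].decode("utf-8", "replace")
        pos = nl + 1
        lines_read += 1
        m = LOG_RE.match(line)
        if m and m.group("status").startswith("4"):
            counts[m.group("ip")] += 1
    return counts, pos


def offenders(counts, status4xxlimit):
    """IPs whose 4xx count reached the limit (>= is an assumption; the README
    does not say whether the limit itself triggers the rule)."""
    return sorted(ip for ip, n in counts.items() if n >= status4xxlimit)


def xff_rule(ip):
    """One SetEnvIF line in the README's format: dots escaped, the address
    bounded by start, comma or space on each side so that 11.11.22.33 does
    not match a rule written for 1.11.22.33."""
    return f'\tSetEnvIF X-Forwarded-For "(,| |^){re.escape(ip)}(,| |$)" DenyIP'


def render_block_file(ips, docroot="/var/www/html/phorum.study-area.org"):
    """Render the whole apacheblockfile in the layout shown in the README."""
    lines = [
        "#Do not edit this file, this is config by httpd_parser_block, "
        "you maybe found it in crontab.",
        f"<Directory {docroot}>",
    ]
    lines += [xff_rule(ip) for ip in ips]
    lines += ["\t## insert rule ##", "\tOrder allow,deny",
              "\tDeny from env=DenyIP", "\tAllow from all", "</Directory>"]
    return "\n".join(lines) + "\n"


def rule_matches(ip, xff_header):
    """Check a generated rule against an X-Forwarded-For header value using
    Python's re, whose behaviour agrees with Apache's for this pattern."""
    return re.search(f"(,| |^){re.escape(ip)}(,| |$)", xff_header) is not None


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    counts, new_seek = scan_log(SAMPLE_LOG.encode(), int(cfg["seek"]),
                                int(cfg["arraylimit"]))
    bad = offenders(counts, int(cfg["status4xxlimit"]))
    print(f"4xx per client: {dict(counts)}; next seek: {new_seek}")
    print(render_block_file(bad))
```

Two points the block makes visible. First, the saved seek is what keeps the job cheap on a large access_log and is why the README insists on `--reset` whenever the log is rotated: the offset becomes meaningless once the file starts over, so a stale seek silently skips the new log. Second, the generated rule matches on X-Forwarded-For, a header that any client can send; it only identifies the real client when a trusted reverse proxy in front of httpd sets or overwrites that header, and the log's first field must carry the same address for the counts and the rules to refer to the same client.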
Study-Area, Open Source Group in Taiwan
http://phorum.study-area.org
haway@study-area.org