As a server admin, you should regularly check the log files of your server. One tool that helps you analyze your server's log files is Logwatch, which can send reports by e-mail with a summary of the log file analysis. Sadly, Logwatch wasn't able to analyze ModSecurity 2 audit log files, and I couldn't find a filter for Logwatch that fulfilled my needs.
So I wrote a filter for Logwatch that analyzes a ModSecurity 2 audit log file for blocked attacks and collects that information for a given time period into a report. The report is separated by vhost, so you get a quick overview of which attacks have been blocked on which vhost. The report also contains a top 10 summary of blocked IP addresses.
Here is a sample output from the filter:
--------------------- ModSecurity2 (mod_security2) Begin ------------------------

ATTACKS BLOCKED ON VHOSTS:
  subdomain.domain.tld - 2 time(s)
    [ip: xxx.xxx.xxx.xxx] [id: 981231 ] [msg: SQL Comment Sequence Detected.] - 1 time(s)
    [ip: xxx.xxx.xxx.xxx] [id: 981231 ] [msg: SQL Comment Sequence Detected.] - 1 time(s)
  www.site.tld - 1 time(s)
    [ip: xxx.xxx.xxx.xxx] [id: 990012 ] [msg: Rogue web site crawler] - 1 time(s)
    [ip: xxx.xxx.xxx.xx] [id: 981318 ] [msg: SQL Injection Attack: Common Injection Testing Detected] - 5 time(s)
    [ip: xxx.xxx.xxx.xx] [id: 950901 ] [msg: SQL Injection Attack: SQL Tautology Detected.] - 2 time(s)
  www.anothersite.tld - 1 time(s)
    [ip: xxx.xxx.xxx.xxx] [id: 958291 ] [msg: Range: field exists and begins with 0.] - 1 time(s)

TOP 10 BLOCKED IPS:
  xxx.xxx.xxx.xxx - 2 time(s)
  xx.xxx.xxx.xxx - 1 time(s)
  xxx.xxx.xx.xx - 1 time(s)
  xxx.xxx.xxx.xx - 1 time(s)
  xxx.xxx.xxx.xxx - 1 time(s)

---------------------- ModSecurity2 (mod_security2) End -------------------------
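To show what such a filter has to do to produce the report above, here is an added, stand-alone Python sketch of the same analysis. It is not the Logwatch filter from this post (Logwatch filters are Perl scripts) and not part of the project on GitHub. It assumes the ModSecurity 2 "serial" audit log layout (one entry per request, sections delimited by `--<boundary>-<letter>--`, with the client IP in section A, the request headers in section B and the rule messages in section H), takes the vhost from the request's Host header, and treats only "Message: Access denied ..." lines as a blocked request, so that warning-only entries written by DetectionOnly mode are not counted. The log text in the block is constructed for the example.

```python
"""Summarise blocked requests from a ModSecurity 2 serial audit log, per vhost (added example)."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample audit log: four entries; the third carries only a warning
# (engine in DetectionOnly mode, nothing intercepted) and must not be counted.
SAMPLE_AUDIT_LOG = """\
--5102a3b4-A--
[13/Jan/2013:10:00:01 +0100] UQ1aaaaaaaaaaaaaaaa 192.0.2.10 54321 203.0.113.5 80
--5102a3b4-B--
GET /index.php?id=1%27-- HTTP/1.1
Host: subdomain.domain.tld
--5102a3b4-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:--)" at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--5102a3b4-Z--
--5102a3b5-A--
[13/Jan/2013:10:05:12 +0100] UQ1bbbbbbbbbbbbbbbb 198.51.100.7 40001 203.0.113.5 80
--5102a3b5-B--
GET /search?q=%27%20or%201=1 HTTP/1.1
Host: www.site.tld
--5102a3b5-H--
Message: Warning. Pattern match "(?i:or)" at ARGS:q. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "2"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Pattern match "(?i:')" at ARGS:q. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "3"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--5102a3b5-Z--
--5102a3b6-A--
[13/Jan/2013:10:07:30 +0100] UQ1cccccccccccccccc 203.0.113.99 40002 203.0.113.5 80
--5102a3b6-B--
GET /robots.txt HTTP/1.1
Host: www.site.tld
--5102a3b6-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_35_bad_robots.conf"] [line "1"] [id "990012"] [msg "Rogue web site crawler"] [severity "WARNING"]
Engine-Mode: "DETECTION_ONLY"
--5102a3b6-Z--
--5102a3b7-A--
[13/Jan/2013:10:09:00 +0100] UQ1dddddddddddddddd 192.0.2.10 54322 203.0.113.5 80
--5102a3b7-B--
GET /index.php?id=2%27-- HTTP/1.1
Host: subdomain.domain.tld:80
--5102a3b7-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:--)" at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--5102a3b7-Z--
"""

SECTION_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Section A: "[timestamp] unique-id client-ip client-port server-ip server-port"
A_LINE_RE = re.compile(r"^\[[^\]]+\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)")
ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


def _finalize(sections):
    """Turn one audit entry into a record, or None if the request was not blocked."""
    a = A_LINE_RE.match(sections["A"][0]) if sections["A"] else None
    if a is None:
        return None
    vhost = "unknown"
    for hdr in sections["B"]:
        if hdr.lower().startswith("host:"):
            vhost = re.sub(r":\d+$", "", hdr.split(":", 1)[1].strip().lower())  # drop :port
            break
    # Only the message that intercepted the request counts as a blocked attack;
    # "Warning." lines are rules that matched without blocking.
    blocked = [l for l in sections["H"] if l.startswith("Message: Access denied")]
    if not blocked:
        return None
    rid, msg = ID_RE.search(blocked[0]), MSG_RE.search(blocked[0])
    return {"vhost": vhost, "ip": a.group("src"),
            "id": rid.group(1) if rid else "-", "msg": msg.group(1) if msg else "-"}


def parse_audit_log(text):
    """Return one record per blocked request found in a serial-format audit log."""
    entries, sections, letter = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            letter = m.group(2)
            if letter == "A":                      # a new entry starts
                sections = defaultdict(list)
            elif letter == "Z" and sections is not None:  # entry complete
                rec = _finalize(sections)
                if rec:
                    entries.append(rec)
                sections, letter = None, None
            continue
        if sections is not None and letter is not None:
            sections[letter].append(line)
    return entries


def build_report(entries, top=10):
    """Render the per-vhost breakdown and the top-N blocked client IPs."""
    per_vhost = Counter(e["vhost"] for e in entries)
    details = defaultdict(Counter)
    for e in entries:
        details[e["vhost"]][(e["ip"], e["id"], e["msg"])] += 1
    lines = ["ATTACKS BLOCKED ON VHOSTS:"]
    for vhost, n in sorted(per_vhost.items()):
        lines.append(f"  {vhost} - {n} time(s)")
        for (ip, rid, msg), c in details[vhost].most_common():
            lines.append(f"    [ip: {ip}] [id: {rid}] [msg: {msg}] - {c} time(s)")
    lines += ["", f"TOP {top} BLOCKED IPS:"]
    for ip, n in Counter(e["ip"] for e in entries).most_common(top):
        lines.append(f"  {ip} - {n} time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python modsec_report.py [/path/to/modsec_audit.log]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    print(build_report(parse_audit_log(text)))
```

The vhost count is the number of intercepted requests on that vhost, and the indented lines split that number by client IP, rule id and rule message, so the sub-counts add up to the vhost total. Logwatch's own date-range handling is not reproduced here; a real filter would additionally parse the section A timestamp and drop entries outside the requested period.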
The filter has been tested with ModSecurity 2 version 2.6.0 (CRS 2.2.0) and version 2.7.1 (CRS 2.2.6).
I published the Logwatch filter for ModSecurity 2 on GitHub, so feel free to submit change requests or bug reports.