Joel Bastos

Even with our best efforts, web servers and applications are always vulnerable to zero-day exploits, poorly written code, or even a bad configuration. Introducing ModSecurity, a web application firewall or "layer 7 firewall" (though I truly despise that name): it works by inspecting web traffic for suspicious patterns and, for example, stopping a malicious request with an HTTP 403 Forbidden.

But even with a very impressive success rate at preventing exploits, there's still the need to audit its logs and get notified of the evil attempts. AuditConsole has the best auditing capabilities I've tested so far, and for the notification component there's nothing like cooking up a quick and dirty NRPE script:
#!/bin/bash

######################
# blog.kintoandar.com
######################

# vhost(s) logs (the glob is expanded when passed to grep)
LOGS="/vhost/logs/*log"

# 24h notification: today's date as it appears in the Apache error log
# timestamp, e.g. "Mon Jan 05" (the day is zero-padded, so "%d" is used
# instead of picking fields out of plain `date` output, which yields "Jan 5")
DATE=$(date '+%a %b %d')

# count the ModSecurity CRITICAL events logged today across all vhost logs;
# -h drops the file name prefix so only the log line itself is matched
COUNT=$(grep -h CRITICAL $LOGS 2>/dev/null | grep -c "$DATE")

# OK: nothing to report (Nagios exit code 0)
if [ "$COUNT" -eq 0 ] ; then
    echo "0 hits found"
    exit 0
fi

# CRITICAL: Nagios exit code 2 triggers the notification
echo "$COUNT hits found"
exit 2

github link
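The following is an added example of my own, not the post's script, that reproduces the same check as shell functions fed from constructed sample log lines, so the counting logic and the Nagios exit-code mapping can be exercised without a live server. It also shows the edge case a check like this trips over: the Apache error log zero-pads the day ("Mon Jan 05"), so a date string built as "Mon Jan 5" matches nothing during the first nine days of a month, whereas `date '+%a %b %d'` produces the padded form. The log lines, hostnames and client addresses below are constructed, and the function names are my own.

```bash
#!/bin/bash
# Added example (not from the original post): ModSecurity CRITICAL-hit counting
# as testable functions, fed from constructed sample log lines.

# Constructed Apache 2.2-style error log lines carrying ModSecurity events.
# Two CRITICAL events on Jan 05, one WARNING on Jan 05, one CRITICAL on Jan 04.
sample_log() {
    cat <<'EOF'
[Mon Jan 05 10:12:31 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"]
[Mon Jan 05 10:15:02 2015] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match. [severity "WARNING"] [hostname "www.example.com"] [uri "/login"]
[Sun Jan 04 23:59:59 2015] [error] [client 198.51.100.2] ModSecurity: Access denied with code 403 (phase 2). [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin"]
[Mon Jan 05 11:00:00 2015] [error] [client 198.51.100.2] ModSecurity: Access denied with code 403 (phase 1). [severity "CRITICAL"] [hostname "www.example.com"] [uri "/cgi-bin/test"]
EOF
}

# Today's date in the Apache error log timestamp format ("Mon Jan 05").
# LC_ALL=C keeps the abbreviated names in English regardless of locale.
today_log_date() {
    LC_ALL=C date '+%a %b %d'
}

# Count log lines (on stdin) that carry both "CRITICAL" and the given date
# prefix. grep -c exits 1 when the count is 0, so "|| true" keeps the function
# usable under "set -e" while still printing the 0.
count_critical_today() {
    local date_str="$1"
    grep CRITICAL | grep -c "$date_str" || true
}

# Map a hit count to a Nagios plugin status line and return code
# (0 = OK, 2 = CRITICAL), mirroring the post's script.
nagios_status() {
    local count="$1"
    if [ "$count" -eq 0 ]; then
        echo "OK - 0 hits found"
        return 0
    fi
    echo "CRITICAL - $count hits found"
    return 2
}

# Demo run against the constructed sample, pretending today is Mon Jan 05.
demo_date='Mon Jan 05'
hits=$(sample_log | count_critical_today "$demo_date")
nagios_status "$hits"
rc=$?
echo "plugin exit code would be: $rc"

# The unpadded form built from plain `date` output matches nothing that day.
unpadded='Mon Jan 5'
echo "hits matched with '$unpadded': $(sample_log | count_critical_today "$unpadded")"
```

In a real deployment the `sample_log` function would be replaced by `grep -h CRITICAL /vhost/logs/*log` and `demo_date` by `today_log_date`; the only logic that changes between this harness and the NRPE plugin is where the lines come from.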