ModSecurity Nagios NRPE Check

less than 1 minute read

modesecurity

Even with our best efforts web servers/applications security are always vulnerable to 0 day exploits, poorly written code or even a bad configuration. Introducing ModSecurity, a web application firewall or layer 7 firewall (but I truly despise this denomination), it works inspecting web traffic looking for suspicions patterns and, for example, stopping a malicious attempt with a http 403 forbidden.

But even with a very impressive success rate on preventing exploits, there’s still the need to audit its logs and get notifications of the evil attempts. AuditConsole has the best auditing capabilities I’ve tested so far and for the notification component there’s nothing like cooking a quick and dirty NRPE script:

 #!/bin/bash

######################
# blog.kintoandar.com
######################

# vhost(s) logs
LOGS="/vhost/logs/*log"

# 24h notification
DATE=`date |awk {'print $1" "$2" "$3'}`

# count number of criticals
COUNT=`grep CRITICAL $LOGS | grep -c "$DATE"`

# OK
if [ $COUNT -eq 0 ] ; then
  echo "0 hits found"
  exit 0 
fi

# CRITICAL
echo "$COUNT hits found"
exit 2

Get it on Github

Share on

Twitter Reddit LinkedIn

Joel Bastos

ModSecurity Nagios NRPE Check

Share on

Leave a comment

You may also enjoy

Building healthier containers

Baking delicious cloud instances

Survival guide to tech conferences

fwd - The little forwarder that could