Earlier we discussed the HTTP POST method. Technically, we should log HTTP request methods. Here is how to install an Apache module to log the HTTP POST method, using a WordPress installation as the example. After examining a few weeks of logs, we can block the malicious HTTP POST requests. This guide is for those who have installed the Apache HTTPD server using our method.
We say apache2 instead of apache as a reminder that some of the commands have used apache2 since the first version of Apache 2.x. We are talking about a Debian (Ubuntu) system. CentOS and RHEL will have different commands.
How to Install Apache Module to Log HTTP POST Method
We have a few modules to consider. Two of them are official and have some documentation. The first is mod_dumpio:

https://httpd.apache.org/docs/2.4/en/mod/mod_dumpio.html

The second is the forensic log module (for other, more in-depth needs):

https://httpd.apache.org/docs/2.4/mod/mod_log_forensic.html

The third is mod_security; we already discussed mod_security with fail2ban. With the mod_security module we can use this config format to catch POST requests:

```
# Enable the module.
SecRuleEngine On
SecAuditEngine on

# Setup logging in a dedicated file.
# (Debian/Ubuntu keep Apache logs under /var/log/apache2; adjust the path to a directory that exists.)
SecAuditLog /var/log/httpd/website-audit.log

# Allow it to access requests body.
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ

# Setup default action.
SecDefaultAction "nolog,noauditlog,allow,phase:2"

# Define the rule that will log the content of POST requests.
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,id:123"
SecRule REQUEST_URI ".*" "auditlog"
```

The fourth is this module on GitHub:

https://github.com/danghvu/mod_dumpost

Normally Apache’s mod_dumpio. But it may conflict with other modules. Be careful for obvious reasons.

Note that mod_dumpio stops logging binary payloads at the first null character. A multipart/form-data upload of a gzip’d file will probably only show the first few bytes with mod_dumpio. Also note that Apache might not mention this module even when it’s present in the modules folder. Just manually adding LoadModule will work fine.

SSH to your server. You can list the modules and get information about them with these commands:

```
# List the loaded modules
apache2ctl -M
# Same list, sorted
sudo apache2ctl -M | sort
# Enabled modules
ls /etc/apache2/mods-enabled/
# Available modules
ls /etc/apache2/mods-available/
```

We can install the official modules with a command in the format below:

```
sudo apt-get install [module-name]
```

To enable the mod_dumpio module, it must be loaded into your running Apache configuration. Logging can then be enabled or disabled separately for input and output via the officially documented directives. mod_dumpio needs LogLevel set to trace7 (the commonly used default is warn); here is the info on LogLevel:

https://httpd.apache.org/docs/2.4/en/mod/core.html#loglevel

Our directive will be:

```
LogLevel dumpio:trace7
```

We can enable a module with the command:

```
sudo a2enmod [module-name]
```

We can disable a module with the command:

```
sudo a2dismod [module-name]
```

a2 enable and a2 disable. Easy to remember.
Our directives for the config are:

```
DumpIOInput On
DumpIOOutput On
```

This is all about logging HTTP POST requests. The mod_dumpio module is infamously disruptive, so you must test it carefully on a dev server.
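
The introduction mentions examining a few weeks of logs before blocking anything. As an added example (not part of the original guide), this Python script counts the POST request lines that mod_dumpio wrote to the error log, per client and path; the sample lines are constructed, and the line layout the regex matches is an assumption modelled on mod_dumpio's trace7 output.

```python
import re
from collections import Counter

# Constructed sample: Apache error-log lines modelled on mod_dumpio output at
# dumpio:trace7. Addresses, timestamps and form values are invented.
SAMPLE_LOG = r"""
[Mon Mar 04 10:15:01.120001 2019] [dumpio:trace7] [pid 2101] mod_dumpio.c(103): [client 203.0.113.7:40112] mod_dumpio:  dumpio_in (data-HEAP): POST /wp-login.php HTTP/1.1\r\n
[Mon Mar 04 10:15:01.120450 2019] [dumpio:trace7] [pid 2101] mod_dumpio.c(103): [client 203.0.113.7:40112] mod_dumpio:  dumpio_in (data-HEAP): log=admin&pwd=constructed-value&wp-submit=Log+In
[Mon Mar 04 10:15:02.300112 2019] [dumpio:trace7] [pid 2101] mod_dumpio.c(103): [client 203.0.113.7:40113] mod_dumpio:  dumpio_in (data-HEAP): POST /wp-login.php HTTP/1.1\r\n
[Mon Mar 04 10:15:03.410877 2019] [dumpio:trace7] [pid 2102] mod_dumpio.c(103): [client 203.0.113.7:40114] mod_dumpio:  dumpio_in (data-HEAP): POST /wp-login.php HTTP/1.1\r\n
[Mon Mar 04 10:16:10.000312 2019] [dumpio:trace7] [pid 2102] mod_dumpio.c(103): [client 198.51.100.23:51800] mod_dumpio:  dumpio_in (data-HEAP): POST /xmlrpc.php HTTP/1.1\r\n
[Mon Mar 04 10:17:44.901220 2019] [dumpio:trace7] [pid 2103] mod_dumpio.c(103): [client 192.0.2.10:33012] mod_dumpio:  dumpio_in (data-HEAP): POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1\r\n
[Mon Mar 04 10:18:02.554001 2019] [dumpio:trace7] [pid 2103] mod_dumpio.c(103): [client 192.0.2.10:33013] mod_dumpio:  dumpio_in (data-HEAP): GET /wp-login.php HTTP/1.1\r\n
"""

# Matches only the request line of a POST; body and header lines are skipped.
REQUEST_LINE = re.compile(
    r"\[client (?P<ip>\S+):\d+\] mod_dumpio:\s+dumpio_in \(data-[\w-]+\): "
    r"POST (?P<uri>\S+) HTTP/\d"
)


def post_requests(log_text):
    """Yield (client_ip, path) for each POST request line found in the log."""
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if match:
            # Drop the query string so repeated hits group under one path.
            yield match.group("ip"), match.group("uri").split("?", 1)[0]


def summarize(log_text, threshold=3):
    """Return {(client_ip, path): count} for pairs seen at least `threshold` times."""
    counts = Counter(post_requests(log_text))
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, path), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:5d}  {ip:15s}  {path}")
```

With DumpIOInput On, posted form fields (login passwords included) are written to the error log as well; the script reads only the request line and never copies body data into its summary.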