Earlier we discussed the HTTP POST method. Technically, we should log HTTP request methods. Here is how to install an Apache module to log the HTTP POST method, using a WordPress installation as the example. After examining a few weeks of logs, we can block the malicious HTTP POST requests. This guide is for those who have installed the Apache HTTPD server using our method.
We write apache2 instead of apache as a reminder that some of the commands use apache2, as they have since the first version of Apache 2.x. We are talking about a Debian (Ubuntu) system. CentOS and RHEL will have different commands.
How to Install Apache Module to Log HTTP POST Method
We have a few modules for consideration. Two of them are official and have some documentation. First is
Second is forensic log module (for other needs in depth) :
mod_security, we already discussed mod_security with fail2ban. With the mod_security module we can use this format of config to catch POST :
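# Enable the module.
SecRuleEngine On
# Setup logging in a dedicated file (example path, adjust to your system).
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
# Allow it to access requests body.
SecRequestBodyAccess On
# Setup default action.
SecDefaultAction "nolog,noauditlog,allow,phase:2"
# Define the rule that will log the content of POST requests.
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,id:123"
SecRule REQUEST_URI ".*" "auditlog"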
Fourth is this module on GitHub :
mod_dumpio. But it may conflict with other modules. Be careful for obvious reasons. mod_dumpio stops logging binary payloads at the first null character. A multipart/form-data upload of a gzip’d file, for example, will probably only show the first few bytes with mod_dumpio. Also note that Apache might not mention this module even when it’s present in the modules folder. Just manually adding LoadModule will work fine.
SSH to your server. You can list the modules and get information about them with these commands :
sudo apache2ctl -M | sort
# Enabled modules
ls /etc/apache2/mods-enabled/
# Available modules
ls /etc/apache2/mods-available/
We can install the official modules with the below format of command :
sudo apt-get install [module-name]
To enable the mod_dumpio module, it should be loaded into your running Apache configuration. Logging can then be enabled or disabled separately for input and output via the officially documented directives. mod_dumpio needs LogLevel to be set to trace7 (the commonly used default is warn). Here is info on LogLevel :
Our directive will be :
We can enable module with the command :
sudo a2enmod [module-name]
We can disable a module with the command :
sudo a2dismod [module-name]
a2 enable and a2 disable. Easy to remember.
Our directives for config are :
That is all about logging HTTP POST requests. The mod_dumpio module is infamous for causing disturbance, and you must test carefully on a dev server.
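Added example (not code from the original guide): a small Python script for the review step this guide describes before blocking anything. It reads mod_dumpio input lines and counts POST requests per client address and path. The sample lines are constructed and modeled on mod_dumpio's trace7 output; the log layout and the names post_counts and repeat_posters are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modeled on Apache 2.4 mod_dumpio output as written with
# DumpIOInput On and LogLevel dumpio:trace7. The exact line layout is an
# assumption; adjust DATA_RE to match your own error log.
SAMPLE_LOG = r"""
[Mon Mar 04 10:15:01 2019] [dumpio:trace7] [pid 1200] mod_dumpio.c(103): [client 203.0.113.7:51514] mod_dumpio:  dumpio_in (data-HEAP): POST /wp-login.php HTTP/1.1\r\n
[Mon Mar 04 10:15:01 2019] [dumpio:trace7] [pid 1200] mod_dumpio.c(103): [client 203.0.113.7:51514] mod_dumpio:  dumpio_in (data-HEAP): Host: example.com\r\n
[Mon Mar 04 10:15:01 2019] [dumpio:trace7] [pid 1200] mod_dumpio.c(103): [client 203.0.113.7:51514] mod_dumpio:  dumpio_in (data-HEAP): log=admin&pwd=guess1
[Mon Mar 04 10:15:02 2019] [dumpio:trace7] [pid 1200] mod_dumpio.c(103): [client 203.0.113.7:51515] mod_dumpio:  dumpio_in (data-HEAP): POST /wp-login.php HTTP/1.1\r\n
[Mon Mar 04 10:15:03 2019] [dumpio:trace7] [pid 1201] mod_dumpio.c(103): [client 203.0.113.7:51516] mod_dumpio:  dumpio_in (data-HEAP): POST /xmlrpc.php?rsd HTTP/1.1\r\n
[Mon Mar 04 10:15:04 2019] [dumpio:trace7] [pid 1202] mod_dumpio.c(103): [client 198.51.100.20:40222] mod_dumpio:  dumpio_in (data-HEAP): GET /index.php HTTP/1.1\r\n
[Mon Mar 04 10:15:05 2019] [dumpio:trace7] [pid 1202] mod_dumpio.c(103): [client 198.51.100.20:40223] mod_dumpio:  dumpio_in (data-HEAP): POST /wp-comments-post.php HTTP/1.1\r\n
[Mon Mar 04 10:15:05 2019] [dumpio:trace7] [pid 1202] mod_dumpio.c(103): [client 198.51.100.20:40223] mod_dumpio:  dumpio_out (data-HEAP): HTTP/1.1 302 Found\r\n
"""

# Client address plus whatever mod_dumpio read from the socket on that line.
DATA_RE = re.compile(r"\[client (?P<ip>.+?):\d+\] mod_dumpio:\s+dumpio_in \(data-[A-Z]+\): (?P<data>.*)$")
# An HTTP request line as it appears at the start of the dumped data.
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d")


def post_counts(lines):
    """Count POST requests per (client IP, path); headers, bodies, GETs and output are skipped."""
    counts = Counter()
    for line in lines:
        found = DATA_RE.search(line)
        if not found:
            continue  # not an inbound data line (dumpio_out, other modules, blanks)
        request = REQUEST_RE.match(found.group("data"))
        if request and request.group("method") == "POST":
            path = request.group("uri").split("?", 1)[0]  # group by path, not query string
            counts[(found.group("ip"), path)] += 1
    return counts


def repeat_posters(counts, threshold):
    """Return (ip, path, hits) rows with hits >= threshold, busiest first, for manual review."""
    hits = [(ip, path, n) for (ip, path), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda row: (-row[2], row[0], row[1]))


if __name__ == "__main__":
    for ip, path, n in repeat_posters(post_counts(SAMPLE_LOG.splitlines()), 2):
        print(f"{n:5d}  {ip:15s}  {path}")
```

The dumped lines include form fields such as the pwd value in the sample, so the log file itself needs restricted permissions and a short retention period.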