Earlier we discussed the HTTP POST method. Technically, we should log HTTP request methods. Here is how to install an Apache module to log the HTTP POST method, using a WordPress installation as the example. After examining a few weeks of logs, we can block the malicious HTTP POST requests. This guide is for those who have installed the Apache HTTPD server using our method.
We say `apache2` instead of `apache` as a reminder that some of the commands use `apache2`, as they have since the first version of Apache 2.x. We are talking about a Debian (Ubuntu) system; CentOS and RHEL will have different commands.
How to Install Apache Module to Log HTTP POST Method
We have a few modules to consider. Two of them are official and have some documentation. The first is `mod_dumpio`:
The second is the forensic log module (for other, more in-depth needs):
The third is `mod_security`; we have already discussed mod_security with fail2ban. With the `mod_security` module we can use a config of this form to catch POST requests:
```
# Enable the module.
SecRuleEngine On
SecAuditEngine on
# Setup logging in a dedicated file.
SecAuditLog /var/log/httpd/website-audit.log
# Allow it to access requests body.
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ
# Setup default action.
SecDefaultAction "nolog,noauditlog,allow,phase:2"
# Define the rule that will log the content of POST requests.
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,id:123"
SecRule REQUEST_URI ".*" "auditlog"
```
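The audit log this configuration produces can be reviewed offline before deciding what to block. The following Python sketch is an added example, not code from the original article or from the ModSecurity project: it parses the serial audit-log format (the `--<id>-<part>--` boundaries that go with `SecAuditLogParts ABIFHZ`) and counts POST requests per client IP and path. The sample entries, IP addresses and helper names are constructed for illustration; because part I holds request bodies, including the `pwd` field of WordPress logins, only field names are kept, never values.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")  # e.g. --a1b2c3d4-B--

def _entry(uid, ip, method, uri, body):
    """Build one constructed audit-log transaction (sample data, not real traffic)."""
    return (f"--{uid}-A--\n[12/Mar/2024:10:01:02 +0000] Zf{uid} {ip} 51234 192.0.2.10 443\n"
            f"--{uid}-B--\n{method} {uri} HTTP/1.1\nHost: example.com\n\n"
            f"--{uid}-I--\n{body}\n\n--{uid}-F--\nHTTP/1.1 200 OK\n\n"
            f"--{uid}-H--\n\n--{uid}-Z--\n\n")

SAMPLE = (_entry("a1b2c3d4", "203.0.113.7", "POST", "/wp-login.php", "log=admin&pwd=guess1")
          + _entry("a1b2c3d5", "203.0.113.7", "POST", "/wp-login.php", "log=admin&pwd=guess2")
          + _entry("a1b2c3d6", "198.51.100.4", "POST", "/xmlrpc.php", "<methodCall/>")
          + _entry("a1b2c3d7", "198.51.100.9", "GET", "/index.php?p=1", ""))

def parse_audit_log(text):
    """Yield {part letter: [lines]} for each transaction closed by its Z boundary."""
    entry, part = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(2) == "Z":
            yield entry
            entry, part = {}, None
        elif m:
            part = m.group(2)
            entry[part] = []
        elif part:
            entry[part].append(line)

def summarize_posts(text):
    """Count POSTs per (client IP, path); keep posted field names from part I, not values."""
    counts, fields = Counter(), {}
    for e in parse_audit_log(text):
        request = (e.get("B") or [""])[0].split()
        if len(request) < 2 or request[0] != "POST":
            continue
        # Part A line: [timestamp] unique_id src_ip src_port dst_ip dst_port
        header = (e.get("A") or [""])[0].split("] ", 1)[-1].split()
        key = (header[1] if len(header) > 1 else "?", request[1].split("?")[0])
        counts[key] += 1
        fields.setdefault(key, set()).update(k for k, _ in parse_qsl("".join(e.get("I", []))))
    return counts, fields

if __name__ == "__main__":
    for key, n in summarize_posts(SAMPLE)[0].most_common():
        print(n, *key)
```

Point it at the real file by reading `/var/log/httpd/website-audit.log` (the `SecAuditLog` path above) and passing its contents to `summarize_posts`.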
The fourth is this module on GitHub:
The usual choice is Apache’s `mod_dumpio`, but it may conflict with other modules. Be careful for obvious reasons.
Note that `mod_dumpio` stops logging binary payloads at the first null character. A multipart/form-data upload of a gzip’d file will probably show only the first few bytes with `mod_dumpio`. Also note that Apache might not mention this module even when it’s present in the modules folder. Just manually adding `LoadModule` will work fine.
SSH to your server. You can list the modules and get information about them with these commands:
```
# List loaded modules
apache2ctl -M
# Same list, sorted
sudo apache2ctl -M | sort
# Enabled modules
ls /etc/apache2/mods-enabled/
# Available modules
ls /etc/apache2/mods-available/
```
We can install the official modules with a command of this form:
```
sudo apt-get install [module-name]
```
To enable the `mod_dumpio` module, it must be loaded into your running Apache configuration. Logging can then be enabled or disabled separately for input and output via the officially documented directives. `mod_dumpio` needs `LogLevel` set to `trace7` (the commonly used default is `warn`); here is information on LogLevel:
Our directive will be :
We can enable a module with the command:
```
sudo a2enmod [module-name]
```
We can disable a module with the command:
```
sudo a2dismod [module-name]
```
a2 enable and a2 disable: easy to remember.
Our directives for the config are:
```
DumpIOInput On
DumpIOOutput On
```
This is all about logging HTTP POST requests. The `mod_dumpio` module is notorious for causing disruption, so you must test it carefully on a dev server.