WordPress Security : Apache2 Module to Log HTTP POST Method

Earlier we discussed about the HTTP POST method. Technically We Should Log HTTP Request Methods. Here is How to Apache Module to Log HTTP POST Method, As Example For WordPress Installation. After examination of few weeks log, we can block the malicious HTTP POST requests. This guide is for those who have installed Apache HTTPD server using our method.

We say `apache2` instead of `apache` to remind that some of the commands are with `apache2` since first version of Apache 2.x. We are talking about Debian (Ubuntu) system. CentOS, REHL will have different commands.

 

How to Install Apache Module to Log HTTP POST Method

 

We have few modules for consideration. Two of them are official and has some documentation. First is `mod_dumpio` :

https://httpd.apache.org/docs/2.4/en/mod/mod_dumpio.html

Second is forensic log module (for other needs in depth) :

https://httpd.apache.org/docs/2.4/mod/mod_log_forensic.html

Third is `mod_security`, we already discussed about mod_security with fail2ban. With `mod_security` mudule we can use this format of config to catch POST :

# Enable the module.
SecRuleEngine On
SecAuditEngine on

# Setup logging in a dedicated file.
SecAuditLog /var/log/httpd/website-audit.log
# Allow it to access requests body.
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ

# Setup default action.
SecDefaultAction "nolog,noauditlog,allow,phase:2"

# Define the rule that will log the content of POST requests.
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,id:123"
SecRule REQUEST_URI ".*" "auditlog

Forth is this module on GitHub :

https://github.com/danghvu/mod_dumpost

Normally Apache’s `mod_dumpio`. But it may conflict with other modules. Be careful for obvious reasons.
Note that `mod_dumpio` stops logging binary payloads at the first null character. For a multipart/form-data upload of a gzip’d file will probably only show the first few bytes with `mod_dumpio`. Also note that Apache might not mention this module even when it’s present in the modules folder. Just manually adding `LoadModule` will work fine.

SSH to your server. You can list, get info of the modules with these commands :

#
apache2ctl -M 
#
sudo apache2ctl -M | sort
# Enabled modules
ls /etc/apache2/mods-enabled/
#  Available modules
ls /etc/apache2/mods-available/

We can install the official modules with the below format of command :

#
sudo apt-get install [module-name]
#

To enable the `mod_dumpio` module, it should be loaded in to your running Apache configuration. Logging can then be enabled or disabled separately for input and output via the officially written directives. `mod_dumpio` needs to be configured to LogLevel trace7 (commonly used is default warn), here is info on LogLevel :

https://httpd.apache.org/docs/2.4/en/mod/core.html#loglevel

Our directive will be :

LogLevel dumpio:trace7

We can enable module with the command :

sudo a2enmod [module-name]

We can disble module with the command :

sudo a2dismod [module-name]

a2 enable and a2 diable. Easy to remember.

Our directives for config are :

DumpIOInput On
DumpIOOutput On

This is all about logging HTTP POST request. The `mod_dumpio` module infamously disturb and you must carefully test on dev server.

This Article Has Been Shared 6325 Times!

Facebook Twitter Google+ Pinterest