If you are simply trying to monitor & proactively block attempted web-server intrusions, then, as descendant_command indicates, fail2ban is probably what you are after: http://www.fail2ban.org/wiki/index.php/Main_Page You will probably find the package in your distro's repository by default.
If you wish to analyse your website activity in terms of the pages visited, etc., then awstats is the tool for you: http://awstats.sourceforge.net/ It's a great tool that I personally use on my web server. It provides you with information such as the following:
1. The IP address of the visitor
2. The pages accessed by the visitor
3. The operating system /browser / search engine used by the visitor
4. HTTP status codes
If neither of the above is what you are after then please provide more details.
Thanks Rawcous and descendant_command for your replies.
My task is that I should define a condition, and if that particular condition is matched in the Apache log then it should generate an alert (e.g. if a particular word is matched in the Apache log then it should generate an alert).
So for this purpose, which log viewer can I use that will also generate an alert if a particular match is found in the Apache log?
Quote:
My task is that I should define a condition, and if that particular condition is matched in the Apache log then it should generate an alert (e.g. if a particular word is matched in the Apache log then it should generate an alert).
Fail2ban should be able to do that (Monit or Hobbit are probably overkill unless you need to monitor "service health" or system resources too), or SEC (the Simple Event Correlator). Note that you basically stated your question again using different words; still, that doesn't explain the reason why you need this...
1. Please be clearer about what you are trying to achieve - you are forgiven if there is a language barrier issue.
2. When people respond and post links - please read them.
I read your earlier post but I was expecting some more links from all of you Linux experts as I am new to Linux.
When people respond and post links I obviously read them and then reply ...
Initially you need to research Fail2ban yourself, establish if it will meet your requirements, etc. The best way to do this is to research it yourself via the internet. It's easy enough to use internet search engines for Fail2ban Apache configuration examples. For example: https://www.google.co.uk/#q=fail2ban+apache+example
So perhaps your best plan of action is to combine the resources available on the Fail2ban homepage with search engine examples.
Once you've played around with Fail2ban for a while, and you require assistance with resolving config issues etc. then you will find people more willing to assist - BUT you have to show that you made some effort yourself. People will be more than willing to assist but will not do the work for you.
The default install from repos on most OSs will start working with ssh log scanning.
I suggest doing this in a Virtual Machine or VM.
You will need to install it and see that it works. Use a search engine to find examples of how to test your fail2ban install using ssh,
something like
Code:
ssh fakeuser@virtual_machine_ip
3 times should get your IP banned in a default fail2ban install/setup.
You can modify any filter provided by the install to suit your needs and you'll need to focus on the filter.d/<my_filter.conf> contents to see if the filter is valid and my blog entry shows you how to test it using "fail2ban-regex".
The /etc/fail2ban/filter.d/w00tw00t.conf example filter in my blog entry is just a copy of another stock provided /etc/fail2ban/filter.d/*.conf that has been modified.
I can't stress enough doing this in a Virtual environment while you become acclimated to the software.
If you don't have the resources for a Virtual Machine, the default install and config is safe enough Out of the Box to use on any system for ssh protection and can easily be modified as a copy to scan Apache Logs for matching criteria.
The /etc/fail2ban/action.d/<my_action.conf> is also just a copy of another stock provided /etc/fail2ban/action.d/*.conf that you will need to modify to only mail you the results.