[opensuse] Monitoring Apache2 webserver
I'm running a webserver (apache2). I've set it up so that there is a public area with some static html info pages, and a private area requiring a username password. This all works fine... but I'd like to know if there is some way to monitor the access on the webserver.

I know I can go look at /var/log/apache2/access, but I'd like to have some kind of live/realtime monitor so I can see who is logging in (to the secure area) and what they are accessing (all info in the access log).

Does anyone know of any app/applet that can do this? apachetop is OK, but... limited, and command line - I want a solution. Something like a plug-in for SuperKaramba would be perfect... but haven't yet found anything. Any suggestions?

C.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Clayton wrote:
> I know I can go look at /var/log/apache2/access, but I'd like to have some kind of live/realtime monitor so I can see who is logging in (to the secure area) and what they are accessing (all info in the access log).

What is your real concern, eh? Sounds like a bit of excessive worrying to me; maybe you are walking the wrong way...
>> I know I can go look at /var/log/apache2/access, but I'd like to have some kind of live/realtime monitor so I can see who is logging in (to the secure area) and what they are accessing (all info in the access log).
>
> What is your real concern, eh? Sounds like a bit of excessive worrying to me; maybe you are walking the wrong way...

Walking the wrong way? On my personal webserver, I know exactly who is logging in... I created their accounts. I see when they log in when I check the webserver logs... I'm simply curious what monitoring tools are out there for Linux based webservers beyond the most primitive - which is the logfile itself, and maybe... apachetop. Are there any real-time GUI based web access monitoring tools available?

The webserver gets blasted by people looking for primarily php exploits, although I see probes for my cgi-bin, ruby, MySQL and a few others. None of which are installed/available on this webserver. I also see random attempts from unknown IPs to log into the secured area. I'm interested in seeing this stuff when it happens... not 2 or 3 days later when I happen to remember to look at the logs.

This has to be information that web admins are interested in... and they must monitor it somehow... but since I'm not a web admin, I don't know how it's done (beyond browsing weblogs)... thus the question.

I have this private webserver that I can play with under controlled conditions. I own the hardware and the information on the webserver... I figure it's a good opportunity to learn something.

C.
Clayton wrote:
> The webserver gets blasted by people looking for primarily php exploits, although I see probes for my cgi-bin, ruby, MySQL and a few others. None of which are installed/available on this webserver. I also see random attempts from unknown IPs to log into the secured area. I'm interested in seeing this stuff when it happens... not 2 or 3 days later when I happen to remember to look at the logs.

Those are automated bots, very frequently seen in the wild. Those bots generally attempt to exploit:

1. Mambo/Joomla vulnerabilities that abuse a hole in PHP itself (GLOBALS overwrite). No SUSE packages are actually affected by this problem, and even more, in 10.2 attempting to exploit any variation or a possible unknown vuln in the same routines is forbidden by suhosin, so it cannot happen anymore ;-)
2. Innumerable phpbb holes, messy code. No hope of improvement.
3. Buggy mail forms, to find a way to send spam/black mail...
4. PHP remote code execution ad nauseam, abusing include() or require() PHP statements; not possible to exploit this by default in PHP 5.2.0, even more restrictive in 5.2.1. SUSE 10.2 packages won't let the attacker use this trick either ;-)
> This has to be information that web admins are interested in...

Admins may be interested in this information when they actually have vulnerable code installed. Although nice for graphs/stats, you are much better off spending your time improving the security of your system rather than seeing logs =) But anyway... a good real-time log analyzer is http://www.splunk.com/ (commercial software though)
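The live view asked about in this thread (who logs in to the private area, failed logins, and probes for software that is not installed) can be built directly on the access log. The following Python example is added here and is not code from either poster; the `/private/` prefix, the probe patterns and the sample lines are assumptions constructed for illustration.

```python
import re
import sys
import time

# Apache common/combined format: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Assumed layout: private area under /private/; nothing matching PROBE_RE is installed.
PRIVATE_PREFIX = "/private/"
PROBE_RE = re.compile(r"\.php\b|^/cgi-bin/|phpmyadmin|mysql", re.I)

# Constructed sample lines (documentation IP ranges), used when no path is given.
SAMPLE = [
    '192.0.2.10 - alice [10/Feb/2007:10:00:00 +0100] "GET /private/report.html HTTP/1.1" 200 512',
    '198.51.100.7 - admin [10/Feb/2007:10:00:05 +0100] "GET /private/ HTTP/1.1" 401 401',
    '203.0.113.9 - - [10/Feb/2007:10:00:09 +0100] "GET /phpBB2/viewtopic.php?t=1 HTTP/1.0" 404 208',
]

def classify(line):
    """Return (kind, host, user, path) for a line worth showing, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, user, path, status = m["host"], m["user"], m["path"], int(m["status"])
    private = path.startswith(PRIVATE_PREFIX)
    # A 401 with user "-" is only the initial challenge; a name means credentials were sent.
    if private and user != "-" and status == 401:
        return ("AUTH-FAIL", host, user, path)
    if private and user != "-" and status < 400:
        return ("LOGIN", host, user, path)
    if not private and PROBE_RE.search(path):
        return ("PROBE", host, user, path)
    return None

def follow(fh):
    """Yield lines as they are appended to an open file, like `tail -f`."""
    fh.seek(0, 2)  # start at the current end of the log
    while True:
        line = fh.readline()
        if line:
            yield line
        else:
            time.sleep(0.5)

if __name__ == "__main__":
    lines = follow(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for event in filter(None, map(classify, lines)):
        print(time.strftime("%H:%M:%S"), *event, flush=True)
```

Run it with the access log path as its only argument to follow the file live; log rotation is not handled.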
participants (2)
- Clayton
- Cristian Rodriguez R.