Real-time Log Monitoring with Security Focus
Real-time Log Monitoring with Security Focus
Implement real-time monitoring for immediate threat detection:
#!/bin/bash
# /usr/local/bin/realtime-security-monitor.sh
# Configuration
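# Configuration.  Every value keeps its original default but may be overridden
# from the environment, so the same script can be pointed at another log
# location or tuned without editing it.
APACHE_LOG="${APACHE_LOG:-/var/log/apache2/access.log}"
NGINX_LOG="${NGINX_LOG:-/var/log/nginx/access.log}"
# Recipient of the CRITICAL and "IP blocked" mails sent through mail(1)
ALERT_EMAIL="${ALERT_EMAIL:-[email protected]}"
# Number of pattern hits from one client IP inside TIME_WINDOW that triggers block_ip
BLOCK_THRESHOLD="${BLOCK_THRESHOLD:-50}"
# Length of the per-IP counting window, in seconds
TIME_WINDOW="${TIME_WINDOW:-60}"
# Fail fast on a non-numeric override: both values are used in arithmetic
# comparisons later, where a bad value would only surface on the first hit.
for _cfg_name in BLOCK_THRESHOLD TIME_WINDOW; do
  if ! [[ "${!_cfg_name}" =~ ^[0-9]+$ ]]; then
    printf '%s must be a non-negative integer, got %q\n' "$_cfg_name" "${!_cfg_name}" >&2
    exit 2
  fi
done
unset _cfg_name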
# Detection patterns
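# Detection patterns: case-insensitive EREs (grep -iE) applied to the whole
# access-log line, i.e. request line, referer and user-agent together.
#
# The values are single-quoted on purpose.  Inside double quotes the bare
# backtick in COMMAND_INJECTION opened a command substitution that never
# closed, so this declaration was a syntax error and the script could not
# run; with double quotes "\$\(" also reached grep as "$\(" where "$" is an
# anchor, never a literal dollar.  Single quotes hand every character to grep
# unchanged: \$ \( \{ and \\ are ERE escapes for the literal characters.
#
# These patterns are deliberately broad and WILL match legitimate traffic:
# ";" appears in virtually every User-Agent string, "PUBLIC" matches any URL
# under /public/, and "select.*from" / "update.*set" match ordinary query
# strings.  COMMAND_INJECTION and XXE are mailed as CRITICAL by
# alert_security_event, so tune these and BLOCK_THRESHOLD before enabling
# automatic blocking.
declare -A ATTACK_PATTERNS=(
  ["SQL_INJECTION"]='(union.*select|select.*from|insert.*into|delete.*from|drop.*table|update.*set)'
  ["XSS"]='(<script|javascript:|onerror=|onload=|onclick=|<iframe|<embed)'
  ["PATH_TRAVERSAL"]='(\.\./|\.\.\\|%2e%2e%2f|%252e%252e%252f)'
  ["COMMAND_INJECTION"]='(;|&&|\|\||`|\$\(|\$\{|<\(|>\()'
  ["XXE"]='(!ENTITY|SYSTEM|PUBLIC|file:///|expect://|php://)'
  ["SCANNER"]='(nikto|sqlmap|nmap|masscan|wpscan|burp|zap)'
)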
# Function to analyze log line
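#######################################
# Scan one access-log line against every entry in ATTACK_PATTERNS.
# Globals:   ATTACK_PATTERNS (read)
# Arguments: $1 - raw log line; attacker-controlled, only ever passed as data
#            $2 - source label ("Apache" / "Nginx") used in alerts
# Outputs:   none
# Side effects: alert_security_event for each matching pattern; when the line
#            starts with a dotted-quad address, increment_threat_counter for it
#######################################
analyze_log_line() {
  local line="$1"
  local source="$2"
  local pattern_name client_ip=""
  # The client address is the first field of the common/combined log format.
  # Only IPv4 is recognised here, as in the original grep; IPv6 clients are
  # alerted on but never counted or blocked.
  if [[ "$line" =~ ^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) ]]; then
    client_ip="${BASH_REMATCH[1]}"
  fi
  for pattern_name in "${!ATTACK_PATTERNS[@]}"; do
    # grep -i keeps matching case-insensitive without shopt nocasematch;
    # "--" protects a pattern starting with "-", and the here-string avoids
    # echo interpreting a line that begins with -n/-e or contains escapes.
    if grep -qiE -- "${ATTACK_PATTERNS[$pattern_name]}" <<<"$line"; then
      alert_security_event "$pattern_name" "$line" "$source"
      if [[ -n "$client_ip" ]]; then
        increment_threat_counter "$client_ip" "$pattern_name"
      fi
    fi
  done
}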
# Function to send security alerts
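#######################################
# Record a detection and notify operators.
# Globals:   ALERT_EMAIL (read)
#            SECURITY_EVENT_LOG (read, optional; defaults to the original path)
# Arguments: $1 - attack type, a key of ATTACK_PATTERNS
#            $2 - offending log line (attacker-controlled)
#            $3 - source label
# Outputs:   none on stdout
# Side effects: appends one line to the event log; mails SQL_INJECTION,
#            COMMAND_INJECTION and XXE hits; sends a syslog record via logger
#######################################
alert_security_event() {
  local attack_type="$1"
  local log_line="$2"
  local source="$3"
  local event_log="${SECURITY_EVENT_LOG:-/var/log/security-events.log}"
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  # printf '%s' rather than echo: the line is untrusted and may begin with
  # -n/-e or carry backslash escapes that echo would interpret.  The raw
  # line is stored verbatim, so anything that reads this log (pagers, web
  # viewers) must treat its contents as untrusted text.
  printf '[%s] [%s] [%s] %s\n' "$stamp" "$source" "$attack_type" "$log_line" >> "$event_log"
  # Mail only for the types treated as critical
  if [[ "$attack_type" =~ ^(SQL_INJECTION|COMMAND_INJECTION|XXE)$ ]]; then
    printf 'Security Alert: %s detected from %s\n' "$attack_type" "$source" \
      | mail -s "CRITICAL: Security Alert on $(hostname)" "$ALERT_EMAIL"
  fi
  # Forward to syslog/SIEM.  Only the type and source are sent; the raw
  # attacker-supplied line stays in the event log.
  logger -t security-monitor -p auth.warning "Attack detected: $attack_type from $source"
}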
# Function to track and block repeat offenders
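#######################################
# Count detections per client IP inside a time window and block repeat offenders.
# Globals:   BLOCK_THRESHOLD, TIME_WINDOW (read)
#            THREAT_STATE_DIR (read, optional; default /run/security-monitor)
# Arguments: $1 - client IP; only [0-9A-Fa-f.:] is accepted because it becomes
#                 part of a file name
#            $2 - attack type, passed to block_ip as the reason
# State:     one file per IP under THREAT_STATE_DIR holding
#            "<count> <epoch of first hit>".  The window starts at the first
#            hit; a hit after TIME_WINDOW seconds restarts the count.  This
#            replaces the original background "sleep && rm" per event, which
#            forked one process per detection (a log flood meant a process
#            flood) and could delete a counter that a later burst had restarted.
# Security:  the original kept counters in world-writable /tmp under a
#            predictable name and fed the file contents to (( )), so any local
#            user could plant a symlink (written through as root) or an
#            arithmetic expression there.  The state directory now defaults to
#            a root-only path created with mode 700, a symlink in place of a
#            counter is removed rather than followed, and a stored count is
#            only used when it is all digits.
# Returns:   1 if the IP is rejected or the state dir cannot be created, else 0
#######################################
increment_threat_counter() {
  local ip="$1"
  local attack_type="$2"
  local state_dir="${THREAT_STATE_DIR:-/run/security-monitor}"
  local count_file current_count first_seen now stored_count stored_ts

  [[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]] || return 1
  if [[ ! -d "$state_dir" ]]; then
    mkdir -p -m 700 -- "$state_dir" || return 1
  fi
  count_file="$state_dir/threat_counter_${ip}"
  now=$(date +%s)
  current_count=0
  first_seen=$now

  # Defence in depth on top of the 700 directory: never write through a link.
  if [[ -L "$count_file" ]]; then
    rm -f -- "$count_file"
  fi
  if [[ -f "$count_file" ]]; then
    read -r stored_count stored_ts < "$count_file"
    # Accept only well-formed, unexpired state; anything else restarts the window.
    if [[ "$stored_count" =~ ^[0-9]+$ && "$stored_ts" =~ ^[0-9]+$ ]] \
       && (( now - stored_ts < TIME_WINDOW )); then
      current_count=$stored_count
      first_seen=$stored_ts
    fi
  fi
  current_count=$((current_count + 1))

  if (( current_count >= BLOCK_THRESHOLD )); then
    block_ip "$ip" "$attack_type"
    rm -f -- "$count_file"
  else
    printf '%s %s\n' "$current_count" "$first_seen" > "$count_file"
  fi
}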
# Function to block IP
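#######################################
# Block a client address at the host firewall and in fail2ban, then log and mail.
# Globals:   ALERT_EMAIL (read)
#            SECURITY_BLOCK_LOG (read, optional; defaults to the original path)
# Arguments: $1 - client IP; re-validated here because this function may be
#                 called directly, only [0-9A-Fa-f.:] is accepted
#            $2 - reason, recorded in the ufw comment, the log and the mail
# Requires:  ufw and fail2ban-client reachable via sudo without a password
#            prompt when the monitor is not already root (it runs unattended)
# Outputs:   a message on stderr when ufw or fail2ban-client fails; the other
#            action, the log entry and the mail still run
# Returns:   1 if the IP is rejected, otherwise the status of the mail pipeline
#######################################
block_ip() {
  local ip="$1"
  local reason="$2"
  local block_log="${SECURITY_BLOCK_LOG:-/var/log/security-blocks.log}"
  local stamp

  [[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]] || return 1
  # Inserted at position 1 so the deny is evaluated before existing allow rules
  sudo ufw insert 1 deny from "$ip" to any comment "Auto-blocked: $reason" \
    || printf 'block_ip: ufw failed for %s\n' "$ip" >&2
  # fail2ban applies its own ban bookkeeping and expiry for this jail
  sudo fail2ban-client set apache-security banip "$ip" \
    || printf 'block_ip: fail2ban-client failed for %s\n' "$ip" >&2
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] Blocked IP %s for %s\n' "$stamp" "$ip" "$reason" >> "$block_log"
  printf 'IP %s has been blocked for %s\n' "$ip" "$reason" \
    | mail -s "Security: IP Blocked on $(hostname)" "$ALERT_EMAIL"
}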
# Main monitoring loop
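#######################################
# Follow one log file and hand every new line to analyze_log_line.
# Arguments: $1 - path of the log file
#            $2 - source label passed on to the alerts
# tail -F re-opens the file after rotation.  Its diagnostics are left on
# stderr (the original sent them to /dev/null) so a log that disappears or
# becomes unreadable is visible instead of silently ending the monitoring.
#######################################
follow_log() {
  local path="$1"
  local label="$2"
  local line
  # IFS= keeps leading whitespace and -r keeps backslashes: the detection
  # patterns should see the line exactly as written.
  tail -F -- "$path" | while IFS= read -r line; do
    analyze_log_line "$line" "$label"
  done
}

#######################################
# Main monitoring loop.
# Globals:   APACHE_LOG, NGINX_LOG (read)
# Starts one follow_log pipeline in the background per log that exists and
# blocks in wait until they exit.
# Returns:   1, with a message on stderr, when neither log exists; the
#            original returned silently, so the script exited 0 having
#            monitored nothing.
#######################################
monitor_logs() {
  local started=0
  if [[ -f "$APACHE_LOG" ]]; then
    follow_log "$APACHE_LOG" "Apache" &
    started=1
  fi
  if [[ -f "$NGINX_LOG" ]]; then
    follow_log "$NGINX_LOG" "Nginx" &
    started=1
  fi
  if (( started == 0 )); then
    printf 'monitor_logs: neither %s nor %s exists; nothing to monitor\n' \
      "$APACHE_LOG" "$NGINX_LOG" >&2
    return 1
  fi
  # Keep script running
  wait
}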
# Start monitoring
# Entry point: follow the configured logs and exit with monitor_logs' status
monitor_logs
exit "$?"