Just change the location of your open command to point to your Apache error_log like this –


open STDERR, ">>/path/to/apache/logs/error_log";


Now, once httpd-guardian takes action, you will see entries like this in your error_log file –


httpd-guardian: IP address HASH(0x92e08d0) reached the 1 min threshold (speed = 2.76712328767123 req/sec, threshold = 0.01 req/sec)

httpd-guardian: Executing: /usr/bin/logger DoS Attack Identified from


The 2nd line above is from my own “test” configuration where I am just using logger to create a Syslog alert and not actually blackholing the client on the firewall.


# If defined, execute this command when a threshold is reached
# block the IP address for one hour.
# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600";

# For testing only:
# $PROTECT_EXEC = "/sbin/blacklist-webclient %s 3600";
$PROTECT_EXEC = "/usr/bin/logger DoS Attack Identified from %s";


The point is that a message will be generated when httpd-guardian identifies a client that has gone over your defined threshold of requests/time interval and when it executes a responsive action.


Hope this helps.


Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
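
Added example (not part of the original thread and not httpd-guardian's own code): a Python parser that pulls httpd-guardian threshold events out of an error_log and pairs each with the command executed after it, flagging address fields that are not valid IPs, as in the HASH(0x92e08d0) line quoted above. The message layout is assumed from the two lines shown in the reply; the sample lines using 192.0.2.7 are constructed.

```python
import ipaddress
import re

# Layout assumed from the two httpd-guardian lines quoted in the reply.
THRESHOLD_RE = re.compile(
    r"httpd-guardian: IP address (?P<addr>\S+) reached the (?P<window>\d+) min "
    r"threshold \(speed = (?P<speed>[\d.]+) req/sec, "
    r"threshold = (?P<limit>[\d.]+) req/sec\)")
EXEC_RE = re.compile(r"httpd-guardian: Executing: (?P<cmd>.*)$")

def valid_ip(text):
    """True only if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_guardian(lines):
    """Return one dict per threshold event, with the command that followed it."""
    events = []
    for line in lines:
        m = THRESHOLD_RE.search(line)
        if m:
            events.append({"addr": m["addr"], "addr_ok": valid_ip(m["addr"]),
                           "window_min": int(m["window"]),
                           "speed": float(m["speed"]),
                           "limit": float(m["limit"]), "command": None})
            continue
        m = EXEC_RE.search(line)
        if m and events and events[-1]["command"] is None:
            events[-1]["command"] = m["cmd"].strip()
    return events

# Constructed sample: the first two lines mirror the reply, the rest are made up.
SAMPLE = [
    "httpd-guardian: IP address HASH(0x92e08d0) reached the 1 min threshold "
    "(speed = 2.76712328767123 req/sec, threshold = 0.01 req/sec)",
    "httpd-guardian: Executing: /usr/bin/logger DoS Attack Identified from ",
    "[Fri Mar 30 18:01:02 2007] [error] [client 192.0.2.7] File does not exist: /x",
    "httpd-guardian: IP address 192.0.2.7 reached the 1 min threshold "
    "(speed = 3.5 req/sec, threshold = 2 req/sec)",
    "httpd-guardian: Executing: /usr/bin/logger DoS Attack Identified from 192.0.2.7",
]

if __name__ == "__main__":
    for ev in parse_guardian(SAMPLE):
        flag = "" if ev["addr_ok"] else "  <-- address field is not an IP"
        print(f'{ev["addr"]}: {ev["speed"]:.2f} req/sec, limit {ev["limit"]}{flag}')
```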






From: [] On Behalf Of Miles Crawford
Sent: Friday, March 30, 2007 5:52 PM
Subject: [mod-security-users] httpd-guardian errors not in error_log?


Hey folks, I'm playing with using mod_security and httpd-guardian to protect against scripting and automation.

httpd-guardian is configured like:

SecGuardianLog "|/usr/local/bin/httpd-guardian"

I think I'm off to a great start, the alerts are being triggered and so forth, but I get no httpd-guardian messages in the apache error_log.

Added the line:

open STDERR, ">>/tmp/hg_log";

at the top of the httpd-guardian script, and the messages all show up just fine in hg_log.  I was hoping to have them show alongside the rest of the Apache error_log, and that seems to be what the documentation suggests will happen.  Any advice?

I'm using:

ModSecurity for Apache 2.1.0
Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2 mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.8
Rev 1.6 of httpd-guardian from the sourceforge CVS site

Thanks, and let me know if I can provide any other info that might help.