AWStats is a Perl log analyzer that runs either as a CGI script (awstats.pl) or as a generator of static HTML reports. Hardening is mostly about protecting the raw logs and the data directory, restricting who can reach the CGI, and never letting a browser request trigger a log update.
- Require HTTP authentication or SSO in front of /cgi-bin/awstats.pl.
- Do not expose the AWStats report/admin endpoints to the public internet when possible.
- Serve it over HTTPS only; reports expose visitor IPs, referrers and request paths.
- Restrict the source IPs allowed to reach the admin endpoints.
- Keep AllowToUpdateStatsFromBrowser=0 in every awstats.*.conf, so a browser request (?update=1) cannot make the CGI parse the logs on demand.
- Run updates from cron/systemd as a dedicated low-privilege user (awstats.pl -config=<site> -update).
- Restrict write permission on the AWStats data directory (DirData) to the user that runs the update.
- Make the raw log files (LogFile) readable but not writable by the AWStats user, so a compromised analyzer cannot alter the evidence it reads.
- Mask or redact query parameters that carry secrets (tokens, session IDs) in the web server's logging configuration, upstream of AWStats; the reports would otherwise republish them.
- Set DNSLookup=0 unless reverse lookups are strictly required; they slow updates and send every visitor IP to your resolver.
- Keep raw logs outside the web root.
- Define a retention period for old reports and raw logs and enforce it (e.g. with logrotate).
¶ Verification commands
grep -E 'AllowToUpdateStatsFromBrowser|DNSLookup|DirData|LogFile' /etc/awstats/awstats.*.conf
sudo find /var/lib/awstats -maxdepth 1 -type f -ls | head
sudo apachectl -M 2>/dev/null | grep -Ei 'auth|ssl'
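The checklist items and the verification commands above can be folded into one audit script. The following is an added example, not code from AWStats or its documentation; it assumes the awstats.*.conf syntax NAME=value with optional double quotes and '#' comment lines, a hypothetical helper name audit_awstats_conf, and /var/www as the default web root when none is passed:

```shell
#!/bin/sh
# audit_awstats_conf: added example, not part of AWStats. Reads an
# awstats.*.conf and reports the settings this checklist cares about.
# Arguments: <conf file> [<web document root, default /var/www>]
# Exit status is the number of failed checks (0 = all checks passed).

# Effective value of a directive: the last uncommented NAME=value line wins,
# surrounding double quotes and a trailing '#' comment are stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

fail() { echo "FAIL: $*"; failures=$((failures + 1)); }
warn() { echo "WARN: $*"; }

audit_awstats_conf() {
    conf=$1
    docroot=${2:-/var/www}
    failures=0

    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # 1. Browser-triggered updates: anyone who can reach awstats.pl could
    #    otherwise make the CGI parse the logs on demand (?update=1).
    v=$(conf_value "$conf" AllowToUpdateStatsFromBrowser)
    case "$v" in
        0)  ;;
        "") warn "AllowToUpdateStatsFromBrowser not set; set it to 0 explicitly" ;;
        *)  fail "AllowToUpdateStatsFromBrowser=$v; set it to 0 and update from cron" ;;
    esac

    # 2. Reverse DNS is slow and sends every visitor IP to the resolver.
    v=$(conf_value "$conf" DNSLookup)
    [ "$v" = 0 ] || fail "DNSLookup=${v:-<unset>}; set DNSLookup=0 unless required"

    # 3. Data directory must exist and must not be world-writable.
    d=$(conf_value "$conf" DirData)
    if [ -z "$d" ]; then
        fail "DirData not set"
    elif [ ! -d "$d" ]; then
        fail "DirData=$d does not exist"
    elif [ -n "$(find "$d" -maxdepth 0 -perm -0002)" ]; then
        fail "DirData=$d is world-writable"
    fi

    # 4. Raw log must live outside the web root and not be world-writable.
    #    A value ending in '|' is a command pipeline (e.g. logresolvemerge.pl),
    #    so only the plain-path form is checked.
    lf=$(conf_value "$conf" LogFile)
    case "$lf" in
        "")           fail "LogFile not set" ;;
        *\|)          warn "LogFile is a command pipeline; review it by hand: $lf" ;;
        "$docroot"/*) fail "LogFile=$lf is inside the web root $docroot" ;;
        *)
            if [ -e "$lf" ] && [ -n "$(find "$lf" -maxdepth 0 -perm -0002)" ]; then
                fail "LogFile=$lf is world-writable"
            fi ;;
    esac

    echo "$failures check(s) failed for $conf"
    return "$failures"
}

# Run against a real install, e.g.:
#   sh audit.sh /etc/awstats/awstats.example.com.conf /var/www/html
if [ $# -gt 0 ]; then
    audit_awstats_conf "$@"
fi
```

Run it once per awstats.*.conf; a non-zero exit status makes it usable as a gate in a configuration-management or CI check. The script deliberately does not check who owns LogFile, since the user that runs the update differs per deployment; verify that by hand against the cron/systemd unit.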
¶ References
- AWStats official docs: https://awstats.sourceforge.io/docs/
- AWStats config reference: https://awstats.sourceforge.io/docs/awstats_config.html
- AWStats source repository: https://github.com/eldy/awstats