Web server protection: Web server security monitoring

May 4, 2020 by Lester Obbayi

Introduction

Web server security monitoring is important in ensuring the correct operation of your websites. It allows you to identify vulnerabilities and other security issues within the web server before an attacker can use them to cause a compromise.

In this article, we shall take a look at how to generally monitor any web server for security issues. We will also discuss the various considerations that should be taken during web server security monitoring.

Overview

During the monitoring of your web server security, there are some general things which you must look out for. You should be able to answer the following questions:

  • Is your web server vulnerable? You need to determine whether the web server is affected by any recently disclosed vulnerabilities. To do this, perform a vulnerability assessment of your web server to identify any existing vulnerabilities
  • Is your web server under attack right now? You need to be able to determine whether you are undergoing an attack by assessing requests to web server resources
  • Is your web server compromised? You will need to discover any changes to the file system, such as file additions or deletions, that are a result of malware

You should always be able to answer the questions above. You should also take into consideration the following things as you monitor the security of your web servers:

1. Pending security updates

Solution vendors regularly release security updates, and you should always ensure that you are running up-to-date software. This is important because details of the patches are published when updates are released. If hackers access this information before you can patch your servers, they may be able to compromise the servers.

2. New and unpatched vulnerabilities

Sometimes, exploits for vulnerabilities are made public before the vulnerabilities are patched. These exploits are known as zero-day exploits and can leave your web servers compromised if they fall into malicious hackers’ possession. You must ensure that you are running the latest patches and have security measures in place, such as web application firewalls.

3. Attacks against the web server

In many instances, hackers will run exploits that circumvent the existing security measures. These exploits may end up bypassing firewalls and many other defenses. You must ensure that your web server is properly hardened against any attacks, and that you are constantly monitoring incoming traffic to prevent malicious actions.

4. Server intrusions and malicious infections

Unfortunately, sometimes a breach might be successful. This may end up allowing unauthorized access into the web server. In the event of a breach, you might want to perform the following actions:

  1. File system monitoring in order to determine new files created on the file system
  2. Network monitoring in order to identify rogue IP addresses which may be performing malicious activities such as brute-forcing or fuzzing
  3. Authentication monitoring to identify unusual logins or login attempts
  4. File change monitoring in order to identify changes to sensitive files within the file system
  5. Process monitoring in order to identify rogue processes that might be malicious

What are the considerations to take during web server security monitoring?

There are some considerations that must be taken while monitoring the security of your web servers:

1. Web server log operational processes

System administrators should follow the standard procedure of log management to ensure that they are able to collect and manage the correct and required logs from the web servers. The following are some of the operational steps that must be followed:

  1. Configuring log sources: It is important for you to properly categorize web requests to ensure that each request to a service is effectively logged
  2. Analyzing log data: Once you have collected the logs, you will want to filter out the important data from the rest of the logs. This can be done by searching with keywords or timestamps
  3. Appropriately map to identified incidents: You will then want to map out the desired incidents as they occurred within the logs
  4. Manage long term storage of log data: You will finally want to ensure that there are proper measures in place to store your log files for future reference

You should also have log management infrastructure in place that can be audited in order to ensure the effectiveness of your log management.

2. Collecting web server logs

You must ensure that you adequately prioritize the logs you are collecting from your web servers. The following things should help you prioritize as you collect and categorize logs:

  • Entry type: The entry type of the log files allows you to determine which logs contain what content according to what severity. Entries could be labelled as High, Medium or Low
  • Log source: The source IP address within the log file is key in identifying the criticality of the log. Log sources might point towards a compromised system in the network that is being leveraged to perform the attack
  • Time stamp: The time the log came in is important in identifying what actions were performed at that particular moment. Attackers are fond of performing logins at odd hours
  • Frequency: The frequency of the log entry might help determine the priority of the logs. An attacker might make multiple login attempts to a certain web service through a brute-force attack. Identifying these attempts may help point towards the successful login

Once you have collected your web server logs, you can then prepare to search through them for vital information.

3. Role of timestamps in web server protection

Time stamps are useful in securing web servers for a couple of reasons:

  • Labelling events: Time stamps are used to label events as they are logged by the system. It is only by timestamping events that we are able to identify specific important events
  • Searching through events: You might decide to locate certain occurrences that took place at a specific time. To do this, time stamps are used
  • Determining outdated events: When log events are long overdue, time stamps can be used to locate and delete them

Time stamps must reflect the correct time so as to allow for an accurate depiction of historical events.

4. Understanding web server status codes

Web server status codes (or HTTP status codes) are server responses to client requests for resources on the web server. These can be understood as shown in the table below:

| HTTP status code | Description of status code |
| --- | --- |
| 1xx (Informational) | These mean that information has been received and the process is continuing |
| 2xx (Success) | These mean that the actions performed were successful, understood and accepted |
| 3xx (Redirection) | These mean that further actions are required for the request to be completed |
| 4xx (Client Error) | These mean that the requests contain incorrect syntax or cannot be fulfilled |
| 5xx (Server Error) | These mean that the server failed to fulfil a request |

You should be able to determine the response to client requests, especially when analyzing your log files. Some requests will be made to sensitive files; these should be identified and prevented.
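
The prioritization criteria from "Collecting web server logs" (source, time stamp, frequency and severity) and the status codes above can be combined into a small triage pass over an access log. This is an added example, not from the original article; the log format (Apache/nginx common or combined), the /login path, the status codes treated as failed or successful logins, the watch list and the thresholds are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Assumed values for this example; tune them to your own site.
SENSITIVE = ("/.env", "/.git/", "/wp-config.php")
LOGIN_PATH, FAIL_THRESHOLD = "/login", 5
ODD_HOURS = range(0, 5)          # 00:00-04:59 in the log's own time zone

def parse(line):
    """Parse one common/combined-format access-log line; None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]      # ignore the query string
    e["status"] = int(e["status"])
    return e

def triage(lines):
    """Return (severity, IP, reason) tuples; a served sensitive file is High."""
    fails, findings = Counter(), []
    for e in filter(None, map(parse, lines)):
        ip, path, status = e["ip"], e["path"], e["status"]
        if any(s in path for s in SENSITIVE):
            sev = "High" if status == 200 else "Low"
            findings.append((sev, ip, f"sensitive path {path} -> {status}"))
        if path != LOGIN_PATH or e["method"] != "POST":
            continue
        if status in (401, 403):             # assumed failure statuses
            fails[ip] += 1
        elif status in (200, 302) and fails[ip] >= FAIL_THRESHOLD:
            findings.append(("High", ip, f"login succeeded after {fails[ip]} failures"))
        elif status in (200, 302) and e["time"].hour in ODD_HOURS:
            findings.append(("Medium", ip, "login at odd hour"))
    findings += [("Medium", ip, f"{n} failed logins")
                 for ip, n in fails.items() if n >= FAIL_THRESHOLD]
    return findings

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE = [f'198.51.100.7 - - [04/May/2020:02:10:0{i} +0000] "POST /login HTTP/1.1" 401 512'
          for i in range(5)] + [
    '198.51.100.7 - - [04/May/2020:02:10:06 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.9 - - [04/May/2020:14:00:00 +0000] "GET /.env HTTP/1.1" 404 153',
    '203.0.113.9 - - [04/May/2020:14:00:01 +0000] "GET /.git/config HTTP/1.1" 200 92',
    '192.0.2.20 - alice [04/May/2020:03:30:00 +0000] "POST /login HTTP/1.1" 302 0']
```

Calling triage(SAMPLE) returns five findings: the login that succeeded after five failures and the served /.git/config as High, the failed-login burst and the odd-hour login as Medium, and the refused /.env request as Low.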

5. Profiling the web server

Profiling refers to the process of benchmarking your web server and/or web applications. There are a couple of tools that you can use to profile your web applications under different web servers.

The tools differ because of the way web server applications work: they might generate dynamic content that is requested in one manner by an IIS server and differently by a .NET server.

  • To profile ASP.NET web applications, you can follow the steps given here
  • To profile ASP.NET web applications using AQTime, follow the steps given here
  • To profile IIS web applications, you can follow the steps given here
  • To profile IIS web server using dotTrace, follow the steps given here
  • To profile Apache web server, you can use the tool known as ab, found here

Profiling can be done locally, remotely or using console tools, each of which has its own advantages and disadvantages. Let us consider some below:

| Profiling mode | Advantages | Disadvantages |
| --- | --- | --- |
| Local profiling | It is easy to install tools locally to run the benchmark | Local installation of these tools might not be possible due to security configurations |
| Remote profiling | No physical/geographical access to the server is required | Network communication is required to run the tools |
| Console-tools profiling | No network communication is required | Console tools must be locally copied to the server and run on the server |

6. Security Onion for web server security

Security Onion is one of the many security-based operating systems available today. It is particularly intended for intrusion detection, enterprise security monitoring and log management, and is free and open source. It incorporates different technologies such as Elasticsearch, Logstash, Kibana, Suricata, Zeek and so on.

Security Onion is also both a host-based Intrusion Detection System (HIDS) and a Network Intrusion Detection System (NIDS). You can use Security Onion to monitor the security of your infrastructure by making use of the three core components that it is built around. These are:

  • Full packet capture: This allows you to capture all the traffic that your Security Onion sensors see. The captured traffic can be useful during forensics, where you can pinpoint which traffic came into or exited the network
  • Network-based and host-based intrusion detection systems: Using the network-based and host-based intrusion detection system (IDS), you can monitor security events within your infrastructure. Security Onion enables you to use the NIDS and HIDS to collect logs and issue alerts for detected activities
  • Powerful analysis tools: You will need to analyze all of the collected data once you are convinced that the collected data is enough. Security Onion provides you with a huge variety of tools that you can use for analysis. These are as follows:
    • Sguil: Provides a GUI where you can view Snort, Suricata and Wazuh alerts. You can also pivot directly from an alert into a packet capture, either via Wireshark or NetworkMiner, or into a transcript of the full session that triggered the alert. One thing that makes Sguil desirable is the way it supports collaboration among analysts
    • Squert: This is a web application interface to the Sguil database. Using Squert, you can view several representations such as time series, weighted and logically grouped result sets and geo-IP mapping
    • Kibana: Using this, you can analyze and pivot between the different data types, all the way from HIDS and NIDS alerts, to Zeek logs and system logs collected by syslog, to full packet capture using CapMe
    • CapMe: This allows you to download PCAP files, achieve packet capture and send packets to Squert and Kibana

You can access the full documentation of Security Onion and see its capabilities here.

7. Anomaly detection for web server security

You should have a means in place to detect various anomalies within your infrastructure, especially within log files. One such system is known as the Anomaly Detection Engine for Linux Logs (ADE).

The ADE can analyze a huge number of logs from multiple Linux servers and create a summary of those logs. This summary provides crucial information, such as whether the IDs issued to reported messages are being issued when expected, whether they are being issued at the expected rate during a time slice, and how frequently the IDs are being issued (whether different IDs are being issued or the same message is appearing multiple times).

This information allows you to examine multiple logs for anomalies, either to identify the root cause of a problem or to spot anomalies in the currently generated logs during an ongoing incident.

The installation, configuration and entire documentation for the ADE can be found here.

8. Web server security alerts

Monitoring the security of all your infrastructure can be challenging, and so you require a solution or means to collect and issue alerts as they happen. It is important to have such a system in place, in order to prevent an attack from advancing. The following are some of the things that you can monitor:

  • Uptime monitoring: You will want your website to always be accessible whenever it is needed, so that the services you are providing through it remain accessible
  • Page loading speed monitoring: The optimum performance of your web application ensures that visitors loading the web page do not take too much time loading a resource
  • Real user monitoring: You might want to monitor the visitors that make it to your website for statistics and logistics purposes. You want to differentiate between bots and actual users
  • Transaction monitoring: It is important to ensure that website interactions that are most vital to you are taking place

One of the best solutions that you can have in place for performing this kind of monitoring is SolarWinds Pingdom. Using SolarWinds Pingdom, you are able to:

  • Get notified when your website goes down via SMS, monitor your website’s availability from different locations and identify the root cause of an outage
  • Examine how fast HTML, CSS and JavaScript load in whichever order. This information can help you make informed optimization decisions concerning your websites

An alternative to SolarWinds that you can consider is Cloudways.

Conclusion

Web server security monitoring is a continuous process and should never be regarded as complete. You should always be in a position to monitor the security of your web infrastructure due to the increasing attacks and prevalence of web-based vulnerabilities today. The basics are the same: always ensure that you are running up-to-date software and that you have solutions in place that allow you to monitor the security of your web infrastructure.

 

Lester Obbayi

Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.