Web servers are front-end facing applications that are vital for the daily operations of businesses. They are subject to attacks such as SQL injection, malicious URL requests, and the age-old classic, denial of service (DoS) attacks. While there are specialized web application security solutions that you can (and should) deploy, auditing web server logs is just as important for ensuring your web servers are secure and always up and running.
Web server logs record crucial security event information that must be analyzed quickly to detect attacks at an early stage. Additionally, FTP server logs contain valuable information about the files that users upload and share. However, due to the sheer volume of logs generated by web servers, it’s virtually impossible to audit them manually. This is where a SIEM solution comes into the picture. When you enable logging on your web server, make sure you choose which details are recorded in each log entry, such as the date, time, client IP address, requested URL, and HTTP status code.
Here are some important things you need to track on web servers by running reports and configuring alerts:
General usage: General server usage includes things like site visitors, queries, pages being accessed, FTP server logins, file uploads and downloads, and more. This gives you an overview of exactly what is going on in your web server.
Errors: Errors are important not only for understanding user experience, but also for detecting anomalous activity that indicates an ongoing attack. A sudden spike in a particular HTTP status code, such as 200, could indicate a potential attack on your web server.
Known threats: It goes without saying that you need instant alerts for known attack patterns such as SQL injection, cross-site scripting (XSS), malicious file execution, DoS, and more.
Additionally, you’ll want to run top and trend reports as well. These will help you quickly review whether everything is running smoothly or if something requires your attention.
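To make the three tracking categories above (general usage, status-code spikes, known threat patterns) and the top reports concrete, here is a small added example of the kind of checks a SIEM rule set runs over access logs. It is illustrative code written for this article, not part of any product, and it assumes the Apache/nginx "combined" log format; the log lines, client addresses and detection signatures are constructed for the demo and are intentionally minimal compared with a real rule set.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access log in "combined" format (not real traffic).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /about.html HTTP/1.1" 200 1045 "http://example.test/index.html" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /login.php?user=admin'%20OR%201=1-- HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 640 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /files/../../etc/passwd HTTP/1.1" 404 210 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:11 +0000] "GET /admin HTTP/1.1" 404 210 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /backup HTTP/1.1" 404 210 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:13 +0000] "GET /config HTTP/1.1" 404 210 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:58:20 +0000] "POST /upload HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# One regex for the combined log format: client, timestamp, request line,
# status, response size, referer and user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Deliberately small detection signatures (constructed for the demo). A real
# rule set would be far broader and would also decode the URL before matching.
SIGNATURES = {
    "sqli": re.compile(r"('|%27)(\s|%20|\+)*(or|and)(\s|%20|\+)|union\s+select|sleep\(", re.I),
    "xss": re.compile(r"<script|%3cscript|javascript:|onerror=", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse every line, silently dropping lines that do not fit the format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def status_counts(records):
    """General usage view: how many responses per HTTP status code."""
    return Counter(r["status"] for r in records)


def status_spikes(records, status, threshold):
    """Error/status spike view: minutes in which `status` occurred at least `threshold` times."""
    per_minute = Counter(
        r["ts"].strftime("%Y-%m-%d %H:%M") for r in records if r["status"] == status
    )
    return {minute: n for minute, n in per_minute.items() if n >= threshold}


def flag_known_threats(records):
    """Known-threat view: (client, signature name, path) for every request matching a signature."""
    hits = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r["path"]):
                hits.append((r["ip"], name, r["path"]))
    return hits


def top_clients(records, n=3):
    """Top report: the n clients generating the most requests."""
    return Counter(r["ip"] for r in records).most_common(n)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("Responses by status:", dict(status_counts(records)))
    print("Minutes with >=4 404s:", status_spikes(records, 404, 4))
    print("Top clients:", top_clients(records))
    for ip, sig, path in flag_known_threats(records):
        print(f"ALERT {sig:<9} from {ip}: {path}")
```

Running the script on the constructed sample surfaces the three things the article asks you to track: overall usage by status code, a burst of 404s from one client inside a single minute (the kind of spike that deserves an alert), and three requests matching the SQL injection, XSS and path traversal signatures. The per-minute bucketing is a deliberate simplification; a SIEM would use a sliding window and a baseline learned from normal traffic rather than a fixed threshold.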
Stay tuned for part five of this series, which will talk about auditing your network perimeter devices’ logs. In the meantime, download our free handbook on auditing network devices.