Simplifying security auditing, Part 4: Securing web servers
General usage. General server usage includes things like site visitors, queries, pages being accessed, FTP server logins, file uploads and downloads, and more. This will give you an overview of exactly what is going on in your web server.
Errors. Errors are not only important for understanding user experience, but also for detecting anomalous activity that is indicative of an ongoing attack. A spike in a particular HTTP error code like Error 200, for example, could indicate a potential attack on your web server.
Known threats. It goes without saying that you need instant alerts for known attack patterns such as SQL injection, cross-site scripting (XSS), malicious file executions, DoS, and more.
Additionally, you'll want to run top and trend reports as well. These will help you quickly review whether everything is running smoothly or if something requires your attention.
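An added example, not part of the original post: one way to turn the error-spike and top-report ideas above into a check, assuming access logs in the Apache/NGINX combined format. The function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Assumed format (combined log): ip ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse(lines):
    """Yield (minute, ip, status) per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts.replace(second=0), m["ip"], int(m["status"])

def error_spikes(lines, factor=5, min_count=10):
    """Return [(minute, status, count, top_ip)] for each minute in which a 4xx/5xx
    status occurs at least min_count times and more than factor x its median minute."""
    minutes = set()                    # every minute that saw any request
    per_status = defaultdict(Counter)  # status -> minute -> count
    clients = defaultdict(Counter)     # (status, minute) -> ip -> count
    for minute, ip, status in parse(lines):
        minutes.add(minute)
        if status >= 400:
            per_status[status][minute] += 1
            clients[status, minute][ip] += 1
    alerts = []
    for status, counts in sorted(per_status.items()):
        # Baseline includes quiet minutes (count 0), so a status that is
        # normally absent still alerts once it crosses min_count.
        baseline = median(counts.get(m, 0) for m in minutes)
        for minute, n in sorted(counts.items()):
            if n >= min_count and n > factor * baseline:
                top_ip = clients[status, minute].most_common(1)[0][0]
                alerts.append((minute, status, n, top_ip))
    return alerts

def sample_log():
    """Constructed sample: 10 quiet minutes, then a burst of 401s in minute 7."""
    fmt = '{ip} - - [10/Mar/2024:12:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" {st} 512'
    out = []
    for m in range(10):
        out += [fmt.format(ip="192.0.2.10", m=m, s=s, req="GET /", st=200) for s in range(5)]
        out.append(fmt.format(ip="192.0.2.11", m=m, s=30, req="GET /missing", st=404))
    out += [fmt.format(ip="203.0.113.9", m=7, s=s, req="POST /login", st=401) for s in range(40)]
    return out + ["constructed malformed line"]

if __name__ == "__main__":
    for alert in error_spikes(sample_log()):
        print(alert)
```

The steady one-per-minute 404s stay below the threshold, while the 401 burst is reported together with the client address responsible for most of it.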
Stay tuned for part five of this series, which will talk about auditing your network perimeter devices' logs. In the meantime, download our free handbook on auditing network devices.