How to Protect and Monitor the Security of Web Servers

May 10, 2020 Matt Mills Tips and Tricks 0

Any vulnerability that can be detected, as well as identifying it in time, makes possible a high level of security for web servers. It is important that we have a secure web server, because being so, our website will be able to work as expected. On this occasion, we will explain everything you need to know about the security of web servers and what good practices you can carry out for it.

When we are going to harden a web server, it is very important that we can answer three points, these have to do with the security of one or more web servers that you have currently running:

Protect and Monitor the Security of Web Servers

  • Check if our web server is vulnerable. Basically, this tells you to determine if the servers have detected vulnerabilities or not. One of the most effective ways to do this is to have a vulnerability scanner and run it regularly. Frequency is important as there are multiple zero-day vulnerabilities that can appear. It is also recommended to use a WAF (web application firewall) to filter any possible malicious query, in addition, this can also be done via software on the web server itself by configuring advanced rules.
  • Our web server, is it being attacked? If you notice any irregularity, it is best to be able to directly test requests to the web server. If you do not respond, or do not respond as expected, the chances are high that you have been the victim of an attack. It is essential that you review the logs to see what is happening, of course, it is always recommended to have a server status monitoring system, and also a SIEM to correlate events and detect possible attacks.
  • Detect some corrupt change. In addition to vulnerabilities, we must audit any type of change that has occurred in a file or in the worst case, that one or more files have been deleted.

Actions to prevent future web server attacks

As we see above, the three points that we have mentioned are considered the most important when carrying out a security strategy for web servers. However, these activities are somewhat more reactive. We need to add a little more proactivity, so that we can count on increasing capacity to prevent attacks.

Without a doubt, the most important has to do with updates . All software that we use is updated with certain frequency, one of the reasons for which it is updated is the improvements in relation to security. These security updates work as patches that make web servers more resistant to various types of cyber attacks. Also, we must apply the updates as soon as possible. Remember that one of the reasons why cyber attacks are possible is the use of outdated software.

In addition, vulnerability scanners also need to be updated. Even more so if these scanners have the ability to detect vulnerabilities and / or zero-day exploits. The latter are much more difficult to detect on their own. If we are in charge of web applications, we must also update their firewalls with the latest patches and security features.

Attacks, intrusions and infections

Attacks on the web server are possible through the possibility that an attacker or unauthorized person can access its resources. Even if they have security measures in place. Once again, we reinforce what we have discussed above: keeping updates up-to-date, especially security updates. Do you use Linux servers ? Take a look at this comprehensive guide to hardening Linux servers to make them much more secure.

If the risk of an intrusion and / or a data breach event is perceived, we recommend the following actions:

  • Monitor file systems for new suspicious looking files
  • Have the network under control to identify malicious IP addresses that would be responsible for unusual activity such as brute force attacks or, if it is detected that there is too much traffic at unconventional times
  • Monitor logins, as well as logon attempts. Remember that if we notice many attempts to log in at times when there should be no news, it could be an intrusion attempt.
  • Control which sensitive files have undergone some type of irregular modification.
  • Verify the presence of processes in the system that could be affecting the performance, security or integrity of the web server itself.

Disregarding the control of any of these aspects could mean one or more events in which the web server is infected. Consequently, your applications or websites will not be responding to users.

Identify the different status codes of web servers

When analyzing event logs from web servers, it is good practice to know the HTTP status codes. We quote them below:

  • 1xx (Informational): The request information has been received and will be processed.
  • 2xx (Success): the actions were carried out successfully, so they are accepted and understood.
  • 3xx (Redirection): there are actions to be performed that are as conditions so that the HTTP request can be completed.
  • 4xx (Client Error) – Client HTTP request with incorrect or unable to complete syntax.
  • 5xx (Server Error): The server cannot process the request due to a failure.

It is recommended that you determine the types of responses to HTTP requests from the client side. This, with the help of the status codes. You must keep in mind that you must pay attention to those requests made to files present on the server that are sensitive. They can mean potential intrusion attempts, which lead to potential cyber attacks.

Web server security alerts

We have mentioned the act of monitoring on more than one occasion. Nothing is more important and effective than monitoring so that your web server has a robust protective shield against multiple security threats. There are tools that can help in the issuance and collection of different types of alerts as they are given. They are considered as other essential tools to prevent attacks.

  • Uptime (Operational time): Ensure that the time the web server is active meets the needs of users who use applications and websites.
  • Loading speed: An aspect that defines the success of an application or website is the time it takes to load. The need for immediacy to access some web resource has become a requirement.
  • Differentiate between real users and bots: One aspect that is used to underestimate is the number of visits your application or website receives. Both real and non-real users should be monitored. Especially those that are bots, since they could have the ability to carry out malicious actions such as SQL injection in contact or request forms or multiple requests to the web service that lead to attacks like DDoS.

A program that we have located, which is free and open source. It’s called StatusOK and it has the functionality to generate alert notifications and integrate them with applications like Slack and SMTP email clients. These alerts will contain information related to, for example, if your web server stops operating or that the response time for web requests is higher than expected. The interesting thing is that its open source nature allows the creation of integrations with more programs. How to access this tool? You can enter its official repository on Github where you will find all the necessary information to start implementing and if you need support, you will have a lot of additional information to solve common problems.