This article on logs and web server security continues the Infosec Skills series on web server protection. While there are many active and passive defenses that can be employed to secure a web server and mitigate the risk of an attack against it, one of the most powerful methods involves understanding and using web server logs. The web server log is, quite simply, a guest book or sign-in sheet that records each visitor to your organization’s website, along with some basic information about them.
In the event of a security incident, remember that nearly every attacker leaves some trace of their work; the difficulty is knowing where to look and what to look for. Logs are therefore often the best first place to look, provided they have been kept intact: an attacker who gains control of the server can edit or delete the local log files, so copies should be shipped to a separate host as they are written.
What are web server logs?
Web server logs capture a range of data about the requests handled by the web server on your network. These log files are typically written, by default, as plain text in the Common Log Format (or the closely related Combined Log Format, which adds the referer and user-agent fields) and can be customized to collect a range of information that passes through your web server.
While this will be covered in more detail later in this article, some of the data that can be collected, stored and analyzed for incident remediation includes: client IP addresses, user-agent strings, the date and time of each request, server name, server IP address and the services running, among many others.
The log can also capture requests from other computers that request data from the web server, as well as internal actions completed by the server itself, such as updates. With this information, you can see who is visiting your website, where they go within it and what types of actions they take. Keep in mind that several of these fields (the requested path, the referer and the user-agent string in particular) are supplied by the client and can be set to anything, so treat them as evidence to be corroborated rather than as trusted facts.
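The three paragraphs above describe what a Common or Combined Log Format line contains and the questions it answers (who visited, where they went, what they did). The following is an added example, not code from the original article or from Infosec Resources, that parses such lines and builds that summary. The sample log lines are constructed for the example using documentation IP ranges; the field names (`host`, `user`, `request`, `status`, `size`, `referer`, `agent`) and the helper functions `parse_line` and `summarize` are this example's own choices, not part of any standard tool.

```python
import re
from collections import Counter
from datetime import datetime

# Regex for the NCSA Combined Log Format (Apache's "combined" LogFormat).
# The Common Log Format is the same line without the trailing referer and
# user-agent fields, so that pair is optional here. Fields are separated by
# spaces; the timestamp is bracketed; request, referer and agent are quoted.
# Caveat: Apache escapes embedded quotes as \" inside the quoted fields; this
# simple [^"]* pattern does not handle that case and will skip such lines.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines for this example (documentation IP ranges), not
# traffic from a real server. The last two lines exercise the edge cases:
# a Common Log Format line with no referer/agent, and a line that does not
# match the format at all (a parser must skip it, not crash).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1120 "http://www.example.com/index.html" "Mozilla/5.0"
198.51.100.23 - alice [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 - "http://www.example.com/login" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/8.4.0"
192.0.2.55 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 404 196
this line is not in Common Log Format and is skipped
"""


def parse_line(line):
    """Parse one Common/Combined Log Format line into a dict, or return None
    when the line does not match (truncated write, malformed input, etc.)."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # Split the request line "METHOD PATH PROTOCOL"; a malformed request may
    # have fewer parts, so fall back to empty strings instead of raising.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["protocol"] = parts[2] if len(parts) > 2 else ""
    rec["timestamp"] = datetime.strptime(rec["time"], TIME_FORMAT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize(log_text):
    """Answer the questions the article poses: who visited, where they went,
    and what they did. Returns counters plus the requests that were refused
    or failed (4xx/5xx), which are a natural first thing to review."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    records = [r for r in map(parse_line, lines) if r is not None]
    return {
        "parsed": len(records),
        "skipped": len(lines) - len(records),
        "by_client": Counter(r["host"] for r in records),
        "by_path": Counter(r["path"] for r in records),
        "by_method": Counter(r["method"] for r in records),
        "by_agent": Counter(r["agent"] or "-" for r in records),
        "failed": [
            (r["host"], r["method"], r["path"], r["status"])
            for r in records
            if r["status"][0] in "45"
        ],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"parsed {report['parsed']} lines, skipped {report['skipped']}")
    for key in ("by_client", "by_path", "by_method", "by_agent"):
        print(key, dict(report[key]))
    print("failed requests:", report["failed"])
```

Unparseable lines are counted rather than silently dropped: a sudden jump in the skipped count is itself worth investigating, since it can mean the server was writing under load, the format was changed, or a client sent input that the logging path did not expect. The counters group by the fields the article lists (client IP, path, method, user agent); remember that path, referer and user agent are client-supplied strings.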
Types of logs
A web server’s access log captures information about
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Patrick Mallory. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/gnvNlF-myLw/