
Server security monitoring – Why do it, and what to monitor

Server monitoring services are a dime a dozen. You get an alert when a service (HTTP, SMTP, etc.) goes down. But is that enough for you to keep your server safe and secure?

What if your server is vulnerable to a new software bug, or what if someone is trying to brute force your password? Wouldn’t you want to know, and take action?

That is why Server Security Monitoring is important.

By monitoring your server for security events you can prevent security issues, rather than merely react to them after something bad has already happened.

Even if something bad happens, you can control how it goes down, rather than be a spectator while all hell breaks loose.

[ Need your servers secured? Click here to get started at $69.99/month ]

 

What should you monitor?

So, what should you monitor in your server?

Broadly, you’d want to know 3 things:

  1. Is your website or server vulnerable? – To answer this, you need to check whether there are pending security updates on your server, and whether new vulnerabilities have been reported in the applications you run.
  2. Is your server under attack right now? – Attackers use automated tools to guess passwords on login screens or to throw exploits at exposed services. If an attack such as brute forcing or port scanning is taking place, you need to know about it and block the attacker.
  3. Is it compromised? – If none of your defenses worked and your site or server was indeed hacked, you should be the first to know – not your customers or the search engines. For that you need to monitor for malware uploads, file changes, unexpected logins, and more.

Here at Bobcares, we provide Server Management Services to all kinds of online businesses. Server Security Monitoring is a part of that service, and here is what we look for on our customers' servers:

 

1. Pending security updates

Application and operating system vendors release security updates almost every week (Microsoft, for example, ships its monthly batch on the second Tuesday of each month – "Patch Tuesday").

Once the vendors release these patches, details of the vulnerabilities become accessible to the general public – including attackers, who routinely diff the patched and unpatched code to work out what was fixed and how to exploit it.

So it is important to apply security patches as soon as they are available. Otherwise, chances are that attackers will use the now-public vulnerability to break into your server.

That is why we monitor all our customer servers for new security releases, and apply them within 24 hours. This includes:

  • Operating system updates
  • Service package updates
  • Web application updates
  • ...and any other special software our customers use.
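A concrete form of the first item, added here as an illustration rather than Bobcares' own tooling: a Python script that reads `apt list --upgradable` output (Debian/Ubuntu) and flags the packages whose candidate version is published in a `-security` suite. The sample output below is constructed; `run_apt()` collects the real thing on a host that has apt. RHEL-family hosts would use `dnf updateinfo list --security` instead, whose output this parser does not handle.

```python
"""Flag pending security updates in `apt list --upgradable` output.

Added example for this article (not Bobcares' tooling). It parses the
Debian/Ubuntu output format and keeps only packages whose candidate
version comes from a *-security suite. SAMPLE is constructed; on a
real host call pending_security_updates(run_apt()).
"""
import re
import shutil
import subprocess
from typing import List, NamedTuple

# One line per package:  <pkg>/<suite[,suite...]> <new-ver> <arch> [upgradable from: <old-ver>]
APT_LINE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from:\s*(?P<old>[^\]]+)\]\s*$"
)


class Update(NamedTuple):
    pkg: str
    suites: List[str]   # every suite offering the candidate, e.g. ["jammy-updates", "jammy-security"]
    new: str
    old: str


def parse_apt_upgradable(text: str) -> List[Update]:
    """Parse command output; the 'Listing... Done' header and blank lines are skipped."""
    updates = []
    for line in text.splitlines():
        m = APT_LINE.match(line.strip())
        if m:
            updates.append(Update(m["pkg"], m["suites"].split(","), m["new"], m["old"]))
    return updates


def pending_security_updates(text: str) -> List[Update]:
    """Packages whose candidate is published in a security suite (jammy-security, bookworm-security, ...)."""
    return [u for u in parse_apt_upgradable(text)
            if any(s.endswith("-security") for s in u.suites)]


def run_apt() -> str:
    """Collect live output on a Debian-family host; returns '' where apt is not installed."""
    if shutil.which("apt") is None:
        return ""
    proc = subprocess.run(["apt", "list", "--upgradable"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample: two packages from the security pocket, one ordinary update.
SAMPLE = """\
Listing... Done
libssl3/jammy-updates,jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.12]
openssh-server/jammy-updates,jammy-security 1:8.9p1-3ubuntu0.6 amd64 [upgradable from: 1:8.9p1-3ubuntu0.4]
vim/jammy-updates 2:8.2.3995-1ubuntu2.16 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.15]
"""

if __name__ == "__main__":
    text = run_apt() or SAMPLE
    for u in pending_security_updates(text):
        print(f"SECURITY UPDATE PENDING: {u.pkg} {u.old} -> {u.new}")
```

Run it from cron and page on any non-empty result; the point of splitting the suite field is that a package offered by both `-updates` and `-security` still counts as a security fix.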

[ Are your servers updated and patched? We can do it for you. Click here to know more ]

 

2. New un-patched vulnerabilities

The vast majority of new vulnerabilities are found by security researchers who practise responsible disclosure: they wait for the application developer to release a patch before the vulnerability is made public.

However, there are cases where a vulnerability becomes public, or is actively exploited, before an official patch is available. These are called zero-day vulnerabilities, and they are harder to defend against because there is no vendor fix to apply yet.

That is why new-vulnerability monitoring is an essential part of our server management services. If we find a new threat, we protect our customers in three ways:

  • Applying official patches, or (after review) unofficial ones where no official patch exists yet.
  • Blocking the common exploit methods using server or web application firewalls.
  • Disabling the vulnerable function until the official patch arrives – that is, trading a small loss of functionality to protect the whole server.

In this way, the server stays protected while the official fix is pending.

 

3. Attacks against the server

Attackers use automated tools to run a variety of exploits in the hope that one of them gets through. It is important to detect these attacks and block them before one gets lucky.

In our Server Management Services, we combat automated attacks in two ways:

  • Preventive server hardening – Many attacks target standard ports or follow common patterns when delivering their payload. We configure our customers' servers so that these common attacks are foiled.
  • Active attack monitoring and defense – Some exploits make it past the firewalls. In such cases we are alerted to unusual activity on the server, and we promptly block the attacker IPs. We then use the attack signatures to further harden the firewall.
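The active-defense logic described above, as an added example (not Bobcares' monitoring stack): a fail2ban-style detector that replays sshd log lines, blocks an IP after five failed logins within a ten-minute sliding window, and escalates if a blocked IP later logs in successfully, which is the compromise signal the next section cares about. The log lines, the thresholds and the use of `iptables` for the block are all assumptions made for the demo.

```python
"""Brute-force detection over sshd auth-log lines (fail2ban-style logic).

Added example for this article, not Bobcares' monitoring stack. Rule:
THRESHOLD failed logins from one IP inside a WINDOW-second sliding window
block that IP. A later *successful* login from an IP that was already
blocked is escalated, since it means the guessing worked before the block
took effect. Thresholds and SAMPLE_LOG are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

THRESHOLD = 5      # failures ...
WINDOW = 600       # ... within this many seconds

# Traditional syslog lines as written by OpenSSH (the timestamp carries no year).
TS = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_ts(line: str, year: int = 2024) -> Optional[datetime]:
    """Syslog timestamp -> datetime, assuming `year` (syslog omits it)."""
    m = TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def analyze(lines: List[str]) -> Tuple[Dict[str, datetime], List[str]]:
    """Replay log lines in order; return ({ip: time_blocked}, [alert strings])."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> failure times inside the window
    blocked: Dict[str, datetime] = {}
    alerts: List[str] = []
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        fail = FAILED.search(line)
        if fail:
            ip = fail["ip"]
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > WINDOW:   # expire failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD and ip not in blocked:
                blocked[ip] = ts
                alerts.append(f"BLOCK {ip}: {len(q)} failed logins within {WINDOW}s "
                              f"(last tried user '{fail['user']}')")
            continue
        ok = ACCEPTED.search(line)
        if ok and ok["ip"] in blocked:
            alerts.append(f"COMPROMISE? {ok['ip']} logged in as '{ok['user']}' after being blocked")
    return blocked, alerts


def block_commands(blocked: Dict[str, datetime]) -> List[str]:
    """Firewall rules the monitor would apply (returned, not executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


# Constructed sample log. 203.0.113.7 bursts and then succeeds; 192.0.2.9 also fails
# five times, but 15 minutes apart, so it never has THRESHOLD failures inside one window.
SAMPLE_LOG = """\
Mar  5 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  5 10:00:03 web1 sshd[2102]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar  5 10:00:05 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  5 10:00:07 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  5 10:00:09 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  5 10:00:40 web1 sshd[2107]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  5 10:03:12 web1 sshd[2110]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Mar  5 10:20:00 web1 sshd[2120]: Failed password for root from 192.0.2.9 port 3333 ssh2
Mar  5 10:35:00 web1 sshd[2121]: Failed password for root from 192.0.2.9 port 3334 ssh2
Mar  5 10:50:00 web1 sshd[2122]: Failed password for root from 192.0.2.9 port 3335 ssh2
Mar  5 11:05:00 web1 sshd[2123]: Failed password for root from 192.0.2.9 port 3336 ssh2
Mar  5 11:20:00 web1 sshd[2124]: Failed password for root from 192.0.2.9 port 3337 ssh2
"""

if __name__ == "__main__":
    blocked, alerts = analyze(SAMPLE_LOG.splitlines())
    print("\n".join(alerts + block_commands(blocked)))
```

The sliding window matters: a fixed "five failures ever" rule either blocks legitimate users who mistype once a week or, if reset daily, lets a slow attacker stay under the radar. The "COMPROMISE?" escalation is the part a plain rate limiter misses and is exactly where a human needs to log in and evict the session.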

 

4. Server intrusions or website infections

What if the worst happens? What if all your defenses are breached and someone did indeed get into the server?

You should be in a position to kick out the intruder, lock down the website or server, assess the damage, clean out the mess, and get the server back online – all without your customers or the search engines noticing that something is amiss.

Here at Bobcares, our last line of monitoring on our customers' servers is intrusion detection. It includes:

  • File system monitoring – When a new file is created on the server (uploaded or edited), a malware scanner checks it and alerts us if it is malicious.
  • Network monitoring – If an IP or group of IPs behaves unusually (e.g. many open connections, brute forcing), we log in to the server and block the attacker IPs.
  • Authentication monitoring – We watch successful logins to admin accounts. If we see an unfamiliar IP log in, we immediately get into the server, kick out the intruder and alert the server owner, because it usually means the credentials were stolen.
  • Critical file change monitoring – Attackers often replace system files with trojaned copies. So we monitor critical system files, and if one changes without our knowledge, we log in and investigate.
  • Process monitoring – Attackers often disguise malicious processes as system services. So if we notice a process that refers to unusual files or binds to non-standard ports, we take action.
  • Protected directory monitoring – There is rarely a legitimate reason for a program to go into administrator directories. We set up tripwires on the system (much like burglar alarms), and if we see unusual access to such a directory, we know something is afoot.
  • Rootkit and virus monitoring – Attackers may leave backdoors in various system locations. That is why we periodically scan the whole server for kernel rootkits and hidden malware.
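Critical file change monitoring and the tripwire idea, worked as an added example (not Bobcares' tooling; it is the approach tools such as AIDE and Tripwire take): a baseline of SHA-256 digests is recorded while the box is known-good, and later snapshots are diffed against it to report every modified, added or deleted file. The fake configuration tree and the simulated tampering in `demo()` are constructed for the demo.

```python
"""Baseline-and-verify integrity check for critical files.

Added example for this article (the idea behind tools such as AIDE or
Tripwire; this is not Bobcares' tooling). A SHA-256 baseline is taken
while the server is known-good and stored off the monitored tree; later
snapshots are diffed against it and every modified, added or deleted
file is reported. demo() builds a throwaway directory rather than
touching /etc, and simulates a typical tampering pattern.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Digest every regular file under root, keyed by POSIX path relative to root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, added or deleted relative to the baseline."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Build a fake /etc, baseline it, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as watched, tempfile.TemporaryDirectory() as store:
        root = Path(watched)
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "crontab").write_text("# system-wide crontab\n")

        baseline_file = Path(store) / "baseline.json"   # keep the baseline off the watched tree
        save_baseline(snapshot(root), baseline_file)

        # Simulated intrusion (constructed): weaken sshd, drop a preload hook, remove a file.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "ld.so.preload").write_text("/tmp/.x/libevil.so\n")
        (root / "crontab").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        for f in files:
            print(f"{kind.upper():9} {f}")
```

Two caveats a practitioner would add. Store the baseline and the checker somewhere an intruder with root cannot rewrite them (the monitoring host, or read-only media), and run the check from a known-clean binary, since a kernel rootkit can hide file changes from anything running on the compromised box. For the "tripwire" style of protected-directory alerting, the same comparison is triggered by inotify or auditd events instead of a periodic scan, which is what turns a nightly report into a real-time alarm.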

Quick reaction is important in such monitoring. In many cases, we’ve been able to prevent a successful server breach by blocking ongoing attacks.

That is why automated monitoring alone is not enough. You also need a 24/7 emergency support team who can get into the server within minutes and protect your data and customers. You can get it for as low as $69.99/month.

 

Conclusion

Server owners often overlook the importance of security monitoring. Timely server updates, patches and incident response can prevent server or website breaches. Today we have detailed the top 4 ways in which Bobcares monitors our customers' servers for security events, and how that helps protect the server.



Bobcares
Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.
