Server security monitoring – Why do it, and what to monitor
Server monitoring services are a dime a dozen. You get an alert when a service (HTTP, SMTP, etc.) goes down. But is that enough for you to keep your server safe and secure?
What if your server is vulnerable to a new software bug, or what if someone is trying to brute force your password? Wouldn’t you want to know, and take action?
That is why Server Security Monitoring is important.
By monitoring your server for security events you can prevent many security issues outright, rather than merely react after something bad has already happened.
Even if something bad happens, you can control how it goes down, rather than be a spectator while all hell breaks loose.
What should you monitor?
So, what should you monitor in your server?
Broadly, you’d want to know 3 things:
- Is your website or server vulnerable? – To answer this, you need to know whether there are pending security updates on your server, and whether any new vulnerabilities have been reported in the specific versions of the applications you run.
- Is your server under attack right now? – Attackers use automated tools to defeat login screens or to exploit vulnerabilities. So, if an attack such as Brute forcing or port scanning is taking place, you need to know, and block the attackers.
- Is it compromised? – If none of your defenses worked and your site or server was indeed hacked, you should be the first one to know – not your customers or the search engines. For that you should monitor malware uploads, file changes, and more.
Here at Bobcares, we provide Server Management Services to all kinds of online businesses. Server Security Monitoring is a part of that service, and here's what we look for in our customers' servers:
1. Pending security updates
Application and operating system vendors release security updates frequently, often on a fixed schedule (Microsoft ships its monthly batch on the second Tuesday of each month, known as "Patch Tuesday").
Once a patch is released, the vulnerability it fixes is effectively public: attackers diff the patched and unpatched code to work out what was fixed, and build exploits from that.
So it is important to apply security patches as soon as they are available. Otherwise, chances are that attackers will use the now-public vulnerability to break into your server.
That is why we monitor all our customer servers for new security releases, and apply them within 24 hours. This includes:
- Operating system updates
- Service package updates
- Web application updates
- ...and any other special software our customers use.
2. New un-patched vulnerabilities
Most new vulnerabilities are found by security researchers who practice coordinated disclosure: they report the bug to the vendor and wait for a patch before making the details public.
However, there are cases where a vulnerability becomes public, or is exploited in the wild, before an official patch exists. These are called zero-day vulnerabilities. They cannot be fixed simply by running your update tool, so the window between disclosure and patch has to be covered by other means.
That is why new vulnerability monitoring is an essential part of our server management services. If we find a new threat, we protect our customers in three ways:
- Applying official patches, or well-vetted unofficial patches where the vendor has not yet shipped one.
- Blocking the common exploit methods with a server firewall or web application firewall.
- Disabling the vulnerable function until the official patch arrives; that is, trading a small loss of functionality to protect the whole server.
In this way, the window of exposure is kept as short as possible.
3. Attacks against the server
Attackers use automated tools to run a variety of exploits to try and break into a server. It is important to detect these attacks and block them before one of them gets lucky.
In our Server Management Services, we combat automated attacks in two ways:
- Preventive server hardening – Many attacks target standard ports or follow common patterns to deliver their payload. We configure our customer servers so that these common attacks are foiled before they reach a vulnerable service.
- Active attack monitoring and defense – Some exploits can make it past the firewalls. In such cases, we are alerted to "unusual" activity in the servers, and we promptly block the attacker IPs. We then use the attack signatures to further harden the firewall.
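As an added example (not Bobcares's tooling, and not code from the original article), here is the kind of check that the "active attack monitoring" above boils down to when applied to an OpenSSH auth log: count failed logins per source IP inside a sliding time window to catch brute forcing, and flag any successful login to an admin account from an IP outside an allowlist. The log lines, the IP addresses (taken from documentation ranges), the year used to complete syslog timestamps, the threshold of 5 failures in 10 minutes and the `iptables` drop rule it prints are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd format; these are not real logs.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:31 web1 sshd[2134]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 02:14:33 web1 sshd[2135]: Failed password for invalid user oracle from 203.0.113.45 port 51235 ssh2
Mar 10 02:14:36 web1 sshd[2136]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 10 02:14:38 web1 sshd[2137]: Failed password for root from 203.0.113.45 port 51237 ssh2
Mar 10 02:14:40 web1 sshd[2138]: Failed password for root from 203.0.113.45 port 51238 ssh2
Mar 10 02:15:01 web1 sshd[2200]: Accepted publickey for deploy from 198.51.100.7 port 40012 ssh2: ED25519 SHA256:abc
Mar 10 02:16:10 web1 sshd[2250]: Accepted password for root from 203.0.113.45 port 51300 ssh2
Mar 10 03:00:02 web1 sshd[2400]: Failed password for root from 192.0.2.9 port 60000 ssh2
Mar 10 09:30:00 web1 sshd[3000]: Accepted publickey for root from 198.51.100.7 port 40100 ssh2: ED25519 SHA256:abc
Mar 10 09:30:01 web1 systemd[1]: Started Session 12 of user root.
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user ]<user> from <ip>" as written by OpenSSH.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_auth_line(line, year=2024):
    """Return a login event dict for an sshd line, or None for lines we ignore.
    Syslog timestamps carry no year, so one is assumed (constructed default)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for every IP that produced at least
    `threshold` failed logins inside any `window`-long span (sliding window)."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_auth_line(line)
        if ev and not ev["ok"]:
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def find_unfamiliar_admin_logins(lines, admin_users, known_ips):
    """Return (user, ip, method, timestamp) for successful logins to an admin
    account from an IP that is not on the allowlist; a stolen password or key
    is the usual explanation."""
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev["ok"] and ev["user"] in admin_users and ev["ip"] not in known_ips:
            alerts.append((ev["user"], ev["ip"], ev["method"],
                           ev["ts"].strftime("%b %d %H:%M:%S")))
    return alerts


def block_command(ip):
    """The firewall rule an operator would apply for a flagged IP (iptables syntax)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for ip, count in find_brute_forcers(lines).items():
        print(f"brute force from {ip} ({count} failures): {block_command(ip)}")
    for user, ip, method, when in find_unfamiliar_admin_logins(lines, {"root"}, {"198.51.100.7"}):
        print(f"ALERT {when}: {user} logged in via {method} from unknown IP {ip}")
```

On the constructed log, 203.0.113.45 is flagged for five failures in nine seconds, and the later `Accepted password for root` from the same address is reported as an unfamiliar admin login, which is exactly the sequence (brute force, then success) that should trigger an immediate lockout rather than a routine ticket. In production the same logic would be fed from `journalctl -u ssh -f` or the auth log file rather than an embedded string.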
4. Server intrusions or website infections
What if the worst happens? What if all your defenses are breached and someone did indeed get into the server?
You should be in a position to kick out the intruder, lock down the website or server, assess the damage, clean out the mess, and get the server back online, all without your customers or the search engines noticing that something is amiss.
Here at Bobcares, our last line of monitoring in our customers' servers is intrusion detection. It includes:
- File system monitoring – When a new file is created on the server (uploaded or edited), a malware scanner checks it for malicious content and alerts us.
- Network monitoring – If an IP or group of IPs behaves in an unusual way (e.g. many open connections, brute forcing, etc.), we log in to the server and block the attacker IPs.
- Authentication monitoring – We watch successful logins to admin accounts. If we see a login from an unfamiliar IP address, we immediately get into the server, kick out the intruder and alert the server owner, because it usually means someone stole the password or key.
- Critical file change monitoring – Attackers often replace system files with infected copies. So we monitor critical system files, and if one changes without our knowledge, we log in to the server and investigate.
- Process monitoring – Attackers often disguise their malicious processes as system services. So, if we notice a process that’s referring to unusual files, or binds to non-standard ports, we take action.
- Protected directory monitoring – There's really no reason for a legitimate program to go into administrator folders. We set up tripwires in the system (much like burglar alarms), and if we see unusual access to such a folder, we know something is afoot.
- Rootkit and virus monitoring – Attackers might leave backdoors to the system in various system locations. That’s why we periodically scan the whole server for kernel rootkits and hidden viruses.
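The "critical file change monitoring" item above is, at its core, a baseline-and-compare job of the kind that tools such as AIDE or Tripwire automate. The following is an added example of that technique written for this page; it is not Bobcares's tooling. It records the SHA-256 and permission bits of every regular file under a directory, stores that baseline as JSON, and later reports files that were added, removed, or changed in content or mode. The `demo()` function builds a throwaway directory with constructed file contents and then simulates an intruder trojaning a daemon, setting a setuid bit, dropping a hidden file and deleting a file; the paths and contents are assumptions, not real system files.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 and
    permission bits. Symlinks are skipped so a link to a large or constantly
    changing target is not hashed as if it were part of the protected tree."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            mode = os.stat(full).st_mode & 0o7777
            baseline[rel] = {"sha256": sha256_of(full), "mode": f"{mode:04o}"}
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice keep this copy off the monitored host
    (or on read-only media) so an intruder cannot rewrite it to match."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def diff_snapshots(old, new):
    """Report files that appeared, disappeared, or whose content or mode changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed end-to-end run: the temporary tree stands in for something
    like /usr/local, and the second directory is the off-box baseline store."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "sbin"))
        originals = {
            "sbin/sshd": b"#!/bin/sh\necho original sshd\n",
            "sbin/cron": b"#!/bin/sh\necho cron\n",
            "README": b"constructed placeholder\n",
        }
        for rel, body in originals.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Simulated intrusion: trojan a daemon, add a setuid bit, drop a hidden
        # file, and delete a file. None of this touches the real system.
        with open(os.path.join(root, "sbin/sshd"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned sshd\n")
        os.chmod(os.path.join(root, "sbin/cron"), 0o4755)
        with open(os.path.join(root, "sbin/.x"), "wb") as f:
            f.write(b"constructed dropped binary")
        os.remove(os.path.join(root, "README"))

        return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A scheduled run of `diff_snapshots(load_baseline(...), snapshot("/usr/local"))` gives the "changed without our knowledge" signal; the baseline itself must be refreshed only after a known-good update, otherwise a patch applied on Tuesday looks like an intrusion on Wednesday. Mode is tracked alongside the hash because a newly setuid binary is a classic backdoor whose contents may be entirely unchanged.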
Quick reaction is important in such monitoring. In many cases, we’ve been able to prevent a successful server breach by blocking ongoing attacks.
That is why automated monitoring alone is not enough. You'll need a 24/7 emergency support team who can get into the server within minutes and protect your data and customers. You can get it for as low as $69.99/month.
Server owners often overlook the importance of security monitoring. Timely server updates, patches and event response can prevent server or website breaches. Today we’ve detailed the top 4 ways in which Bobcares monitors our customer servers for security events, and how it can help protect the server.