Monitoring security issues: quick start

Security incidents plague the majority of Internet resources. It is still possible to notice most security issues, both actual and possible, before any damage is caused. The list below gives general impression of how this could be done, for various types of security problems.

1. Web applications

Example 1. Nowadays, using HTTPS is a must; the majority of modern browsers will mark HTTP connections as insecure. Any Web resource on the Net should have a valid SSL certificate; although in most cases certificate renewal and replacement can be fully automated, it’s still possible to have the certificate expired. When it expires, the Web resource will immediately be marked as insecure; certain actions with it (such as attempt to submit forms data, performing online payments etc) will be warned about as highly suspicious.

To prevent that, set up monitors to check SSL certificate expiration. When warning state is defined appropriately (say, 10-14 days prior to actual expiration), site owner should begin getting regular notifications, to prevent service disruption.

Example 2. A number of sites uses hosting controlled by management software, such as CPanel. In most cases, every site (Web application) hosted has certain limits (bandwidth usage, disk space allocated and so on). In case of CPanel, there are daily notifications sent to hosting account owner, and it can result in certain limit overrun and site deactivated between two subsequent notifications.

However, most Web management software has HTTPS-based API allowing inquiring certain stats or limits at any moment. By means of custom monitor (“Script or Program” or “Python script”) one can get the limits and notify the site user as soon as possible, before the Web resource gets suspended. Hint: using “Send HTTP(S) request” simple action, same API can be used to handle the issue: for example, temporarily increase exhausted disk quota, before more permanent solution is found).

Note: please contact us if you plan to monitor WHM/CPanel accounts; we’ll provide you with instructions and script samples, to do the task.

2. Windows systems

On Windows system, apart from checking for important event log entries (suitable for monitoring system resources, down to individual file changes), one could check for presence of certain processes and for pending (not yet installed) security updates, and whether system reboot is required to apply the update(s).

Event log monitor can also be used to detect security-type events (such as logon attempts, credentials change etc); the exact set of such monitors depends on what security-level events are considered important (for example, failed logon attempts under accounts with administrative rights).

There could be services and processes that should be automatically started at boot time and running under normal circumstances. Windows service monitors can track their presence; for example, if an anti-malware service isn’t running, it can pose a security threat to the whole system. Note: since IPHost can’t monitor its own service, we recommend setting up a second IPHost installation which will only monitor the presence of your main IPHost monitoring service.

3. Linux systems

All the cases mentioned above for Windows systems, are in effect for Unix-like systems (including Linux), with its own specifics. You will most probably be using SSH-based monitors, to access remote Linux systems securely.

In case of Unix-like systems, system log monitors allow getting notified in real time when corresponding event occurs. Compatible logging facilities, such as rsyslog, can be used to send a monitoring event for any type of system event (including access to individual files). Care should be taken to set up and test Syslog monitors, to ensure they all are handled in timely manner. That generic means to send real-time notifications should be used for events of critical nature (i.e., system resources getting scarce – RAM, free disk space, sockets and so on).

4. External monitoring data

Time series databases (TSDB, such as InfluxDB, ClickHouse, Graphite and others) are often used to collect miscellaneous data from many a source (to draw graphs, perform monitoring tasks, do analytics of various kinds etc).

IPHost can be used to interact with such database instances, to get the monitoring (performance) data from single source; in case the time series database instance is in the same network, it can significantly reduce time required to gather performance data.

Low overhead and quick response of such databases can be used to reduce monitoring latency (it would allow polling more frequently without overloading the actual performance data sources). Please contact us if you would need building a monitor capable of interacting with a TSDB.

External analytics services, such as Google Tag Manager (successor to Google Analytics), as well as on-premises services like Matomo (formerly Piwik) can provide data directly related to security issues with Web resources (e.g., sudden drop in visitors count should better be investigated as soon as possible).

Last but not least – results of anti-malware scans (such as Sophos, AI-Bolit), intrusion detection systems (IDS) scans – including Aide, logwatch, Snort, to name a few – can provide important information on possible breach attempts and attack vectors in general, to notify corresponding security-related personnel immediately.

Every report by every possible security-related service or software piece can be reported by IPHost – our product can serve as security notifications aggregator.

5. Network devices

Various network devices (network switches, routers, hardware firewall appliances, WiFi access points etc) are used, as out-of-the-box solutions for typical networking and security tasks.

It’s naturally required to control how such network devices are operating (that includes every aspect of their functions – traffic speed, available resources, certain ports and interfaces state etc). The majority of such devices provide SNMP interface, to get state variables and, optionally, to control the device.

IPHost supports all major SNMP versions (v1, v2c, v3), and both passive (“SNMP Custom”) and active (“SNMP Generic Trap”) types of monitors, to interact with SNMP-enabled devices. Apart from that, in response to a monitoring event, IPHost can set SNMP variables of a remote device (example: enable a certain network interface of network device if another interface goes down).

Using SNMP-based monitors and simple actions might be a challenge; we would be glad to assist you in that.

Conclusion

When planning monitoring setup, enumerate all the vital types of services and resources that should be watched; IPHost is capable of using GSM modems to send SMS notifications (as emergency notification means), in case network it is installed within loses Internet connection.

By checking for presence of IPHost monitoring service (from another IPHost installation), you can efficiently create a monitoring setup without the single point of failure.