Securing Your Web Server


In this third part of a five-part series that focuses on protecting your web server, you will learn about syslog and process accounting. This article is excerpted from chapter four of Securing Ajax Applications: Ensuring the Safety of the Dynamic Web, written by Christopher Wells (O'Reilly, 2007; ISBN: 0596529317). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

Author Info:
By: O'Reilly Media
September 25, 2008

Process accounting

After syslog is configured, you should also enable process accounting. With process accounting turned on, the kernel appends a record to an accounting file every time a process exits, so you get a record of every command each user ran: the command name and the user who ran it, together with some resource usage, but not the command's arguments. On my Ubuntu install I use apt-get to install the base process accounting (acct) package.

  apt-get install acct

  Selecting previously deselected package acct.
  (Reading database ... 16507 files and directories currently installed.)
  Unpacking acct (from .../acct_6.3.99+6.4pre1-4ubuntu1_i386.deb) ...
  Setting up acct (6.3.99+6.4pre1-4ubuntu1) ...
  Starting process accounting: Turning on process accounting, file set to '/var/log/account/pacct'.

After installing acct, make sure the accounting file exists and is writable only by root. The Ubuntu package does this for you (the last line of the output above shows it turning accounting on with /var/log/account/pacct as the file); if your distribution does not, create the file by hand and then turn accounting on with accton:

  touch /var/log/account/pacct
  chown root /var/log/account/pacct
  chmod 0644 /var/log/account/pacct

Mode 0644 lets every local user read the file, and therefore every other user's command history; 0640 with root ownership is the tighter choice if that matters on your server.

The accounting database is a single binary file, /var/log/account/pacct, made of fixed-size records, so it cannot be edited with a text editor the way a syslog file can. An attacker who wants to hide a command therefore has to rewrite or truncate the file, or turn accounting off altogether, and a pacct file that is missing, shorter than it was, or not a whole number of records long is itself a strong sign that something happened. Keep in mind what is and is not recorded: the command name (truncated to 16 characters), the user, the controlling terminal and resource usage, but no arguments, so rm -rf /var/log shows up only as rm.

Now, if you ever want to audit what a particular user has done, run lastcomm with that user's name:

  lastcomm [user-name]

A bare name is matched against command names and terminal names as well as user names, so for an unambiguous answer use lastcomm --user user-name; the companion tool sa, from the same package, summarizes the file by command and by user.
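What lastcomm reads is a stream of fixed-size binary records. The following parser is added here as an example (it is not code from the book or from the acct package): it decodes a pacct file, reproduces the per-user view that lastcomm --user gives, flags commands that used super-user privileges from a non-root uid, and refuses a file whose length is not a whole number of records, which is the kind of tampering described above. It assumes the acct_v3 record layout from the Linux kernel's include/uapi/linux/acct.h; the records it processes are constructed in the code, not captured from a real system.

```python
"""Decode a Linux process-accounting (pacct) file the way lastcomm does.

Added example, not code from the book.  It assumes the acct_v3 record layout
from the kernel's include/uapi/linux/acct.h (64-byte fixed records, version
byte 3); the sample records below are constructed, not captured.
"""
import struct

RECORD_SIZE = 64
# acct_v3, little-endian: ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid,
# ac_gid, ac_pid, ac_ppid, ac_btime, ac_etime (IEEE float), eight comp_t
# counters (utime, stime, mem, io, rw, minflt, majflt, swaps), ac_comm[16]
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
ACCT_VERSION = 3
ASU = 0x02          # ac_flag bit: the process used super-user privileges
assert ACCT_V3.size == RECORD_SIZE


def decode_comp_t(c):
    """comp_t packs a 13-bit mantissa and a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def is_well_formed(data):
    """A pacct file is a whole number of 64-byte records; anything else has
    been truncated or hand-edited."""
    return len(data) % RECORD_SIZE == 0


def parse_pacct(data):
    """Return one dict per record, oldest first (the kernel appends on exit)."""
    if not is_well_formed(data):
        raise ValueError("pacct length %d is not a multiple of %d bytes"
                         % (len(data), RECORD_SIZE))
    records = []
    for off in range(0, len(data), RECORD_SIZE):
        (flag, version, _tty, exitcode, uid, gid, pid, ppid, btime, _etime,
         utime, stime, *_rest, comm) = ACCT_V3.unpack_from(data, off)
        if version & 0x7F != ACCT_VERSION:      # high bit is the byte-order flag
            raise ValueError("record at offset %d has version %d" % (off, version))
        records.append({
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid, "btime": btime,
            "comm": comm.rstrip(b"\0").decode("ascii", "replace"),
            "exitcode": exitcode,
            "cpu_ticks": decode_comp_t(utime) + decode_comp_t(stime),
            "used_su": bool(flag & ASU),
        })
    return records


def commands_for_uid(records, uid):
    """What `lastcomm --user` answers: the commands one user ran, in order."""
    return [r["comm"] for r in records if r["uid"] == uid]


def unprivileged_su_use(records):
    """Records where a non-root uid ran something that used super-user
    privileges: set-uid programs such as sudo or passwd are expected here,
    a plain shell is not.  Worth reviewing after an incident."""
    return [r for r in records if r["used_su"] and r["uid"] != 0]


def make_record(uid, comm, used_su=False, pid=4000, ppid=1, utime=2, stime=1):
    """Build a constructed acct_v3 record for the demonstration below."""
    flag = ASU if used_su else 0
    return ACCT_V3.pack(flag, ACCT_VERSION, 0, 0, uid, uid, pid, ppid,
                        1222333444, 0.25, utime, stime, 0, 0, 0, 0, 0, 0,
                        comm.encode("ascii"))


# Constructed sample: uid 1000 runs ls, vi, sudo and then a shell that used
# super-user privileges; root runs apt-get.
SAMPLE_PACCT = b"".join([
    make_record(1000, "ls", pid=4001),
    make_record(1000, "vi", pid=4002),
    make_record(0, "apt-get", pid=4003),
    make_record(1000, "sudo", used_su=True, pid=4004),
    make_record(1000, "sh", used_su=True, pid=4005, ppid=4004),
])

if __name__ == "__main__":
    recs = parse_pacct(SAMPLE_PACCT)
    for r in recs:
        print("%-8s uid=%-5d pid=%-5d %s" % (r["comm"], r["uid"], r["pid"],
                                             "S" if r["used_su"] else ""))
    print("uid 1000 ran:", commands_for_uid(recs, 1000))
    print("su use by non-root:", [r["comm"] for r in unprivileged_su_use(recs)])
```

On a real system, read /var/log/account/pacct as root and pass the bytes to parse_pacct; a ValueError on the length check is exactly the truncated-file signal the text describes, and a uid 1000 "sh" record with the super-user flag set is the sort of entry to chase down.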

Windows

Many have complained about Windows and how it handles logs. The complaints stem from the fact that most logging is disabled by default, and that the locations for the log files can be problematic for some situations. Even with these limitations, some prudent steps can be taken to help ensure that the system retains some valuable log information.

You should enable security auditing; Windows does not turn it on by default. Two configuration changes are required: enabling the audit policy itself, and, for file and directory access, adding auditing entries to the objects you care about.

On Windows you enable audit logging by changing the policy settings located at Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Policy (Local Policies -> Audit Policy). Audit both Success and Failure for each category you turn on: failures show what was attempted, successes show what actually happened.

Minimally, you should enable auditing for the following events:

  1. Logon and logoff (Audit logon events and Audit account logon events)
  2. User and group management (Audit account management)
  3. Security policy changes (Audit policy change)
  4. Restart, shutdown, and system (Audit system events)

Audit process tracking is the closest Windows counterpart of process accounting: it writes an event for every process creation (event ID 592 on Windows 2000, XP and Server 2003; 4688 on Vista and later), at the cost of a much busier Security log.

You can also audit access to any file or directory by setting auditing entries on it (Properties -> Security -> Advanced -> Auditing). Those entries only produce events if Audit object access is also enabled in the audit policy above; without the policy the object-level entries are silently ignored, and without the entries the policy logs nothing for that object.

A logging server

The best idea is to dedicate a server on your network, harden it, and send log messages to it from all your other machines. That way a compromise of the web server does not also compromise its logs: the attacker would have to break into a second, harder target to remove the evidence.

A centralized, hardened logging server is ideal for log management. Harden it to accept syslog only from the IP addresses of your own servers, and close every listening port except the one syslog uses (UDP 514). Storing the logs somewhere other than the web server means an attacker who owns the web server may be able to inject false messages, but cannot destroy what has already been logged. Two caveats: classic syslog over UDP carries no authentication, so a source-address filter can be fooled by spoofed packets and should be backed by a host firewall; and because any process on an allowed host can send arbitrary text, the collector should neutralize newlines and other control characters in incoming messages, or one forged datagram can masquerade as several log lines.

Syslogd (the sysklogd daemon Ubuntu shipped at the time) accepts messages from the network only when it is started with the -r (remote) option, so add -r to its startup options in the init script or defaults file rather than once on the command line. On each web server, forward everything to the log host with a line in /etc/syslog.conf whose selector is *.* and whose action is @loghost (the @ prefix means send to that host over UDP). rsyslog and syslog-ng are configured differently but offer the same forwarding and source filtering.
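As an added example (not code from the book or from sysklogd), here is a minimal collector that implements the filtering described above: it accepts UDP syslog only from listed source addresses, rejects datagrams without a valid PRI header, escapes control characters so an injected newline cannot forge extra lines, and appends the result to a file. The allowed addresses, port and log path are assumptions for the demonstration, and the sample datagrams are constructed rather than captured.

```python
"""A minimal hardened syslog collector: accept UDP syslog only from listed
source addresses, reject malformed priorities, and neutralize control
characters before appending to the log file.

Added example, not code from the book or from sysklogd.  The allowed
addresses, port and log path are assumptions; the sample datagrams in the
__main__ block are constructed, not captured.
"""
import ipaddress
import re
import socket
import time

# Only these hosts (assumed to be the web servers) may log here; everything
# else is dropped without a reply.  UDP source addresses can be spoofed, so
# this is a filter against noise and casual abuse, not authentication.
ALLOWED_SOURCES = {ipaddress.ip_address("10.0.0.5"),
                   ipaddress.ip_address("10.0.0.6")}

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info",
              "debug"]
PRI_RE = re.compile(rb"\A<(\d{1,3})>(.*)\Z", re.S)
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def parse_syslog(datagram, src_ip):
    """Return (facility, severity, message) for an acceptable datagram, or
    None if the source is not allowed or the PRI header is invalid."""
    if ipaddress.ip_address(src_ip) not in ALLOWED_SOURCES:
        return None
    m = PRI_RE.match(datagram)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 24 facilities * 8 severities - 1
        return None
    facility, severity = divmod(pri, 8)
    msg = m.group(2).decode("utf-8", "replace")
    # A sender on an allowed host can still embed "\n" to forge extra log
    # lines; escape every control character so one datagram stays one line.
    msg = CONTROL_RE.sub(lambda c: "\\x%02x" % ord(c.group()), msg)
    return facility, severity, msg


def format_line(src_ip, parsed, ts=None):
    """One line per datagram, stamped with the collector's own clock so a
    sender cannot backdate entries."""
    facility, severity, msg = parsed
    if ts is None:
        ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return "%s %s %s.%s %s\n" % (ts, src_ip, FACILITIES[facility],
                                 SEVERITIES[severity], msg)


def serve(bind_addr="0.0.0.0", port=514, logfile="/var/log/remote/all.log"):
    """Bind UDP 514 (needs root) and append accepted messages to logfile."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "ab") as out:
        while True:
            data, (src, _port) = sock.recvfrom(8192)
            parsed = parse_syslog(data, src)
            if parsed is None:
                continue
            out.write(format_line(src, parsed).encode("utf-8"))
            out.flush()


if __name__ == "__main__":
    # Constructed datagrams: an auth.crit message from an allowed host, the
    # same from an unknown host, and a newline-injection attempt.
    samples = [
        ("10.0.0.5", b"<34>Sep 25 10:00:00 web1 sshd[1234]: Failed password for root"),
        ("192.0.2.9", b"<34>Sep 25 10:00:01 evil forged"),
        ("10.0.0.5", b"<13>real line\n<13>Sep 25 10:00:02 web1 su: fake success"),
    ]
    for src, dgram in samples:
        parsed = parse_syslog(dgram, src)
        print("dropped" if parsed is None
              else format_line(src, parsed, ts="2008-09-25T10:00:00Z").rstrip())
```

Run serve() as root to bind port 514; the __main__ block exercises the parser on the constructed datagrams without opening a socket. The collector stamps each line with its own clock rather than trusting the timestamp inside the message, and the address filter is deliberately paired in the comments with a host firewall, because UDP gives no proof of origin.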

