Guidelines on Securing Public Web Servers
compromised, it may be used to attack other networks, potentially making the honeypot host organization liable for damages.[33]
File Integrity Checker: computes and stores a checksum for every guarded file and establishes a database of file checksums. It provides a tool for the system administrator to recognize changes to files, particularly unauthorized changes (see Section 5.3). These are often included with host-based IDSs. See Appendix E for a listing of commonly available file integrity checkers.
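The baseline-and-verify cycle described above, as an added illustration (not a tool from this publication or from Appendix E): every guarded file is hashed with SHA-256 into a checksum database, and a later pass reports files that were added, removed, or modified. The docroot layout, file names and the JSON database format are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path, chunk_size=65536):
    """Hex SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_baseline(baseline, db_path):
    """Write the checksum database; in production keep it on read-only media."""
    Path(db_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))

def load_baseline(db_path):
    return json.loads(Path(db_path).read_text())

def verify(root, baseline):
    """Compare the live tree against the baseline and report every difference."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if current[p] != baseline[p])}

def demo():
    """Constructed scenario: baseline a small docroot, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "cgi-bin").mkdir(parents=True)
        (root / "index.html").write_text("<h1>welcome</h1>")
        (root / "cgi-bin" / "form.cgi").write_text("#!/bin/sh\necho ok\n")
        db = Path(tmp) / "integrity.json"
        save_baseline(build_baseline(root), db)
        # Unauthorized changes the checker must catch: altered, deleted, added.
        (root / "index.html").write_text("<h1>defaced</h1>")
        (root / "cgi-bin" / "form.cgi").unlink()
        (root / "cgi-bin" / "extra.cgi").write_text("#!/bin/sh\n")
        return verify(root, load_baseline(db))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real deployment would run verify() from cron or the host-based IDS and raise an alert on any non-empty category, since a legitimate content update should itself be followed by a new baseline.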
To successfully protect a Web server using an IDS, ensure that it is capable of and configured to accomplish the following tasks:
- Monitor network traffic before any firewall or filter router (network-based)
- Monitor network traffic to and from the Web server
- Monitor changes to critical files on the Web server (host-based or file integrity checker)
- Monitor the system resources available on the Web server (host-based)
- Block (in conjunction with the firewall) IP addresses or subnets that are attacking the organizational network
- Notify the network or Web administrator of attacks through appropriate means
- Detect port scanning probes
- Detect DoS attacks
- Detect malformed URL requests
- Log events including the following details:
  - Time and date
  - Sensor IP address
  - Vendor-specific attack name
  - Standard attack name (if one exists)
  - Source and destination IP address
  - Source and destination port numbers
[33] Honey pots and related technologies should be used conservatively and only by organizations with a highly skilled technical staff that are willing to experiment with leading-edge technology. Furthermore, such techniques should be used only after seeking guidance from legal counsel given the possible liability issues. For more information see NIST Special Publication 800-31, Intrusion Detection Systems (http://csrc.nist.gov/publications/).
74