Guidelines on Securing Public Web Servers
9.1.2  Identifying Additional Logging Requirements 
If a public Web server supports the execution of programs, scripts, or plug-ins, the Web 
administrator should determine whether specific logging data should be captured regarding the 
performance of these features.  If a Webmaster develops special programs, scripts, or plug-ins, 
it is strongly recommended that they define and implement a comprehensive and easy-to-
understand logging approach based on the logging mechanisms provided by the Web server 
host operating system.  Log information associated with programs, scripts, and plug-ins can 
add significantly to the typical information logged by the Web server. 
9.1.3  Recommended Generic Logging Configuration  
The following configuration is a good starting point for logging on public Web servers 
[CERT00]: 
  - Use the Combined Log Format for storing the Transfer Log or manually configure the 
    information described by the Combined Log Format to be the standard format for the 
    Transfer Log.  
  - Enable the Referrer Log or Agent Log if the Combined Log Format is unavailable.  
  - Establish different log file names for different virtual Web sites that may be 
    implemented as part of a single physical Web server.  
  - Use the Remote User Identity as specified in RFC 1413.  
  - Ensure procedures or mechanisms are in place so that log files do not fill up the hard 
    drive.
Some Web server software provides a capability to enforce or disable the checking of specified 
access controls during program startup.  This level of control may be helpful in avoiding 
inadvertent alteration of log files as a result of errors in file access administration.  Web 
administrators should determine the circumstances under which they may want to enable such 
checks (assuming the Web server software supports this feature). 
9.1.4  Reviewing and Retaining Log Files  
Reviewing log files can be time-consuming and laborious.  Log files are an inherently reactive 
security measure; they inform of events that have already occurred.  Accordingly, they are 
often useful for corroborating other evidence, whether it is a central processing unit (CPU) 
utilization spike or anomalous network traffic reported by an IDS.  When a log is used to 
corroborate other evidence, a focused review is in order.  For example, if an IDS reported an 
outbound FTP connection from the Web server at 8:17 a.m., then a review of the logs 
generated just before 8:17 a.m. is appropriate.  Web server logs should also be reviewed for 
indications of attacks.  The frequency of the review will depend on the following factors: 
  - Traffic the server receives 
  - General threat level (the Federal Government and certain commercial institutions 
    receive many more attacks than other sites and thus should review their logs more 
    frequently) 
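
As an added illustration (not part of the original guideline), the following Python sketch parses Combined Log Format entries and selects those logged in the minutes before an IDS alert, as in the 8:17 a.m. focused review described above. The function names, the 10-minute window, and the sample log lines are assumptions constructed for this example; the ident field is where an RFC 1413 Remote User Identity would appear.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined Log Format fields, in order:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
CLF = re.compile(r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED +
                 r' (\d{3}) (\d+|-) ' + QUOTED + ' ' + QUOTED + r'$')
FIELDS = ("host", "ident", "user", "time", "request",
          "status", "bytes", "referer", "agent")

def parse_line(line):
    """Parse one Combined Log Format line; return None if it does not match."""
    m = CLF.match(line.strip())
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def focused_review(lines, alert_time, minutes_before=10):
    """Return (entries logged in the window before alert_time, rejected lines)."""
    start = alert_time - timedelta(minutes=minutes_before)
    hits, rejects = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejects.append(line)      # keep for manual review, never drop silently
        elif start <= rec["time"] <= alert_time:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["time"]), rejects

# Constructed sample data (documentation addresses, not real traffic).
EST = timezone(timedelta(hours=-5))
ALERT = datetime(2024, 3, 5, 8, 17, tzinfo=EST)   # IDS alert at 8:17 a.m.
SAMPLE = [
    '192.0.2.10 - - [05/Mar/2024:07:30:02 -0500] "GET / HTTP/1.0" 200 5120 "-" "ExampleBrowser/1.0"',
    '198.51.100.7 - - [05/Mar/2024:08:12:41 -0500] "POST /cgi-bin/feedback.cgi HTTP/1.0" 200 312 "http://www.example.com/form.html" "ExampleBrowser/1.0"',
    '198.51.100.7 - alice [05/Mar/2024:08:16:58 -0500] "GET /admin/ HTTP/1.0" 401 - "-" "ExampleAgent \\"test\\""',
    '192.0.2.10 - - [05/Mar/2024:08:20:11 -0500] "GET /news.html HTTP/1.0" 200 2048 "-" "ExampleBrowser/1.0"',
    '192.0.2.33 - - [05/Mar/2024:08:15:00 -0500] "GET /old.html HTTP/1.0" 200 100',  # Common Log Format only
]

if __name__ == "__main__":
    hits, rejects = focused_review(SAMPLE, ALERT)
    for r in hits:
        print(r["time"].isoformat(), r["host"], r["status"], r["request"])
    print("unparsed lines:", len(rejects))
```

The last sample line lacks the referrer and agent fields, so it is returned in the rejected list rather than silently skipped; a line like that inside the review window still needs a manual look.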