Log analysis for a web server

-
what is a log file for a server?
  • Every server contain some basic details of their client in from of a file
  • That file is called a “Server Log File”.
  •  It automatically saves the information about IP address, time, HTTP status code and some other details.
  • They are stored under /var/log/Apache2/access.log directory for a Linux based server.

How to check a log file?
  • To inspect a log file there are two ways
    • Manual inspection
    • Tool base inspection
  •   In most of the cases cyber expert, prefer manual inspection.

How to apply manual inspection on a log file?
  • First of open log file using cat command to inspect it.
  • You may find different data into that file.
  •  Now there is always a reason why you are applying that inspection. The answer is that there was an attack happened on your server. Now to investigate that attack you are applying inspection.
  •  Now you may find that the data are lengthy to investigate. For faster investigate you can find some words related to that attack. Suppose there is SQL-Injection attack than you can search for word “Select” or “from” etc. If there are a directory traversal attack than you have to search for word “/../” and if there is web shell or backdoor attack then you may search for word “upload”.
  • For this process follow bellowing steps:
    1. Open the log file using command : cat /var/log/apache2/access.log
    2. To find some special word use command: cat access.log | grep “word”
    3. From that output, you can easily find the attackers IP address.

How to apply automated or tool based inspection on a log file?
  • First, download any log file inspection tool.
  • Here we are using “scalp” for log analysis.
  • Scalp is a log analyse for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET.
  • For the analysis of log file follow below steps:
    1. Install scalp in Linux using command: git-clone https://github.com/neuroo/apache-scalp.git
    2. Open log file using command: ./scalp.py –l “log file” –f “filter file”  -o ”output file ”.
    3. The output will store into an output file.
    4.  After completion of scalp you need to just review output file.

How to identify that your server is under DOS or DDOS attack?
  • Now a day’s dos and ddos became famous attack to down the server. With the help of some abnormal behavior of server or website, you can easily detect that your server is under dos or ddos attack.
  • To ensure that you are under attack just ping your server if the round trip time is more than usual your server is running for a highly weighted traffic.
  • The another clue is your servers HTTP response code if the server is returning 5XX code than it means that server have some issue
In most of the case the server returns 503 error which means “Server Unavailable”
  • Now you can investigate the netstat to identifies the connection with command : Netstat -a

  • You can see that the different IP are connected to some specific port.
  • A heavy traffic can slow down the server but if an action is not going to take at that time than server may be crashed.
  • To avoid DDOS attack for a server there are multiple tools available which secure the server from the real attack. For ddos protection cloud flair is one of the most famous tool
 

Comments

Post a Comment

Popular posts from this blog

"Coot" Ransomware

-
Image
What is Ransomware? Ransomware is a malicious program which will encrypt your data and make a barrier between you and your files After successful implementation of ransomware on your network or your machine it will stating encrypting the data with advance level of encryption which is really difficult to crack Now after encryption you have to purchase a tool called "Cypter" tool from attack and related decryption key too In some cases it is possible to retried the data without paying ransom to bad guy. What is Coot Ransomware attack? From ending of July 2020 the number of coot ransomware is increasing frequently. coot is from "DJVU" family of ransomware. In this type of attack the file will be encrypted with some high level encryption techniques and the file extension will be ".coot" at the end of the file. Suppose there is a file on your machine called "a.txt" than the encrypted file will be "a.txt.coot" Also you can see the other
Read more

Data Recovery Tools (Disk Drill)

-
Image
There are many tools available for data recovery in the market . Some of the tools are as follow Encase FTK manager Manager RAM capture  X-ways forensic Sleuth kit (+autopsy) Paladin Disk Drill Restoration (Window) Disk Drill . Disk Drill is an undeniable leader among data recovery software, it can recover deleted files from your device even if it is failing, unreadable, or has lost a partition. Features : You can recover up to 500MB of data free with Disk Drill for Windows. Unlike any other, the app has two important additional data loss prevention functionalities. The first, Recovery Vault, adds a layer to the Recycle Bin and keeps a backup reference to all deleted files. The second, Guaranteed Recovery, keeps a copy of each file moved to a previously selected folder, as for example the Recycle Bin. In addition, Disk Drill allows users to create image files in the form of ISO, IMG or DMG files. Therefore in practice, enables the user to conduct the data search in a clone, without ta
Read more

Ransomeware Malware

-
Image
What is ransomware? Ransomware is a part of a Malware It looks like a simple executable file, but whenever it executed on a machine . it will automatically encrypt all of your file with advanced encryption algorithm.  Ransomware is on trending on cyber-war. What is ransomware attack? First of all an attacker try to infect your machine with ransomware. Now the ransomware malware will encrypt your machine and you can not access your data, For decryption you required a software called "Crypter" as well as a key for decryption, which can only be with attacker only.  Now attacker ask for some money in form of Bit-coins to hide its identity, this money is called ransom.After you pay to attacker.he/she will give you software and a key.. This is called a ransomware attack. Why it is difficult to decrypt the files without payment? First of all we don't know from which encryption system did the attacker use it can be.... RSA DSA AES etc Now if we get the idea regarding the encrypti
Read more