OK – we have to admit it. We’re paranoid and we’re afraid of our own shadows, we’re also afraid of clowns (they really are scary), adult strangers talking to us in the streets, and, of course, being sucked down the bathtub drain (baths are always a nightmare). But our greatest fear is seeing a client’s website hacked, and that fear is so powerful that it forces us to be extremely proactive when it comes to website security.
Of course, proactiveness (or should it be proactivity for those grammaticians out there?) when it comes to website security manifests itself in many different ways at itoctopus, but one of them is monitoring the logs – specifically the Apache logs.
Logs, for those who don’t know (or for those who try to avoid looking at them) provide a wealth of very precious information about a website when it comes to security. For example:
- Who’s logging to the website’s backend?
One of our major clients is located in Chicago, IL. So, we examine every IP that logs in to backend of the website, and if we see an IP that is using the backend from any area outside Chicago, then we scrutinize all the activities performed by that IP and we tell our client to make sure that the login was (or was not) a false positive.
-
Which PHP files are being used?
By default, the only PHP file accessed directly by Joomla (Apache) should be the index.php file, so, if, we find in the logs that Apache is successfully accessing another PHP file, then we examine that file very thoroughly to make sure that it’s a legitimate file. If it is not, the we get the file creation data, we delete it, and then based on the creation date of file we search through the logs in order to have an idea how it got there in the first place.
-
Which IPs are draining the website’s traffic?
Examining the Apache logs allows us to find which IPs are using up the majority of the website’s bandwidth. Once we know those IPs, we can then choose to either ignore them (if they are legitimate crawlers/visitors) or block them (if they are visiting the website for malicious reasons).
-
Which pages/file are “404s”?
Google Webmaster Tools provides some in-depth information about your 404 pages – but it’s still an external tool, and it doesn’t tell you much about the 404 files (such as 404 CSS files, 404 JavaScript files, etc…). Examining the logs allows us reveal which pages/files are being accessed extensively by the visitors but do not exist. Of course, you might be wondering, “what does that have to do with security?”. Well, a lot, since many attackers scan the website for vulnerable files randomly – so this allows us to catch the attackers’ IPs and block them. Also, performance-wise, addressing 404s by either blocking the request to the page/file altogether or by redirecting to another page will lessen the load on the both the web server and the database server.
If you want to have a robust and secure Joomla website, then monitoring/examining the Apache logs can help you tremendously (this should be a full time job by the way on large websites). If you need some guidance or if you need us to do this job regularly for you, then please contact us and we’ll be certainly happy to do so. Note that our super duper affordable fees apply!