Website Security Monitoring
Security monitoring is continuous observation for signs of attacks, vulnerabilities, and unauthorized changes. It consists of several layers, each catching different classes of threats.
Security Monitoring Layers
1. WAF (Web Application Firewall) — filtering malicious requests before they reach the application.
- Cloudflare WAF, AWS WAF, ModSecurity (self-hosted)
- Blocks SQL injection, XSS, CSRF, path traversal
2. Log Analysis — analyzing access logs for suspicious patterns.
3. File Integrity Monitoring (FIM) — detecting file changes.
4. Dependency Scanning — monitoring CVEs in used libraries.
5. Uptime + Error Rate — indirect signs of attack (DDoS, brute force).
Cloudflare WAF + Security Events
// Retrieving security events via Cloudflare API
const events = await fetch(
`https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/security/events?per_page=50`,
{
headers: {
'Authorization': `Bearer ${CF_API_TOKEN}`,
'Content-Type': 'application/json',
},
}
).then(r => r.json());
// Analysis: top attacking IPs
const ipCounts = events.result.reduce((acc, e) => {
acc[e.clientIP] = (acc[e.clientIP] || 0) + 1;
return acc;
}, {});
ModSecurity + Nginx
# /etc/nginx/modsec/modsecurity.conf
SecRuleEngine On
SecRequestBodyAccess On
SecRule ARGS "@detectSQLi" "id:1000,deny,status:403,msg:'SQL Injection'"
SecRule ARGS "@detectXSS" "id:1001,deny,status:403,msg:'XSS Attack'"
File Integrity Monitoring with AIDE
# Install AIDE
sudo apt install aide
# Initialize database (after installation, before expected changes)
sudo aide --init
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Daily check (cron)
sudo aide --check | mail -s "AIDE Report" [email protected]
Monitoring via Fail2ban
# /etc/fail2ban/jail.local
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 60
bantime = 3600
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 86400
Dependency Scanning
# GitHub Actions: weekly dependency audit
name: Security Audit
on:
schedule:
- cron: '0 9 * * 1' # Every Monday
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npm audit --audit-level=high
- run: npx snyk test --severity-threshold=high
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Alerting on Anomalies
# Script for log analysis on brute force
import re
from collections import defaultdict
def detect_brute_force(log_file, threshold=50):
ip_attempts = defaultdict(int)
with open(log_file) as f:
for line in f:
if '/wp-login.php' in line or '/admin/login' in line:
ip = re.search(r'(\d+\.\d+\.\d+\.\d+)', line)
if ip:
ip_attempts[ip.group(1)] += 1
return {ip: count for ip, count in ip_attempts.items() if count >= threshold}
Setting up basic security monitoring (Cloudflare WAF + Fail2ban + dependency alerts) — 1–2 days.