Security & Privacy

Everything You Need To Know About ModSecurity

  1. What is ModSecurity?
  2. Usage of ModSecurity
  3. What Doesn’t ModSecurity Protect Against?
  4. How to Install?
  5. Compatibility & Firewall
  6. Most common errors

What is ModSecurity?

ModSecurity (also known as ‘mod_security’ or ‘modsec’) is an open-source web-based firewall application (or WAF) supported by different web servers: Apache, Nginx, and IIS.

A toolkit for real-time web application monitoring, logging, and access control. I like to think about it as an enabler: there are no hard rules telling you what to do; instead, it is up to you to choose your own path through the available features. That’s why the title of this section asks what ModSecurity can do, not what it does.

Quoted from

With over 70% of all attacks now carried out over the web application level, organizations need every help they can get in making their systems secure.

Web application firewalls are deployed to establish an external security layer that increases the protection level, detects and prevents attacks before they reach web-based software programs.

Usage of ModSecurity

The module is configured to protect web applications from various attacks. ModSecurity supports flexible rule engine to perform both simple and complex operations. It comes with a Core Rule Set (CRS) which has various rules for:

  • cross website scripting
  • bad user agents
  • SQL injection
  • trojans
  • session hijacking
  • other exploits

What Doesn’t ModSecurity Protect Against?

It won’t protect you against:

  • Out of date plugins or content management systems
  • Weak passwords
  • Poor code with security flaws
  • Already compromised sites with malicious code
  • Every variation of code injection and XSS
  • Zero-Day exploits

How to Install?

The tools that configure the ModSecurity cannot do anything unless the module is installed in apache. Now if you find that the ModSecurity is not installed, then you can do it in another way through an interface called EasyApache. Before starting the build process you have to make sure that you have selected ModSecurity. After the build process is completed, the first step is to add a ruleset. The easy way to add a ruleset is instructed in WHM at Home >> Security Center >> ModSecurity™ Vendors. There is a cPanel-curated OWASP ruleset available as default. If you prefer to use a different ruleset instead of OWASP then check with the developer and if they make it available as a vendor you can add that preferred ruleset through WHM.

Tools and Troubleshooting provided by ModSecurity

The modifications which are needed to the installed in ruleset, can be done on WHM at Home >> Security Center >> ModSecurity™ Tools.

Now if the applied ruleset is not suitable for a specific site then you can disable those specific rules or report the negatives to the developer of the ruleset. By reporting the negatives you’ll allow the developer to change the ruleset and will be updated automatically by cPanel/WHM at the time of daily maintenance. ModSecurity also provides a list of rules which makes easy to enable or disable those but can only be applied on the manually added rules. Vendor rules can be enabled or disabled individually when needed.

Compatibility & Firewall

Few rules are not compatible with Mod_ruid2. Due to the interactions between the permissions and owners/users, the file containing values will not work with Mod_ruid2. Rules that do not work with Mod_ruid2 will mostly tend to be incompatible with mpm-itk.

On confusion, whether the ruleset is containing rules that need to be store values in files, you can check with the developer before trying to use on the server using mod_ruid2 or mpm-itk.

If you install ConfigServer security & firewall in the server, you will be able to enable a feature called LF_MODSEC. On enabling this feature the IP Address will be blocked which triggers the modsec rules repeatedly in a certain time period. Before enabling this firewall feature you’ll have to be sure that modsec is appropriate for that particular server.

Most common errors

The most common error triggered by a mod_security rule on our shared servers is 403 Forbidden one

It simply states that you do not have permission to access / on the server. Depending on the exact link where you get the error, the path may vary.

ModSecurity works in the background, and every page request is being checked against various rules to filter out those requests which seem malicious. These can be the ones that have been run to exploit vulnerabilities in your website software with the only goal to hack the site.

Sometimes, due to poor website coding, mod_security may incorrectly determine that a certain request is malicious, while it is actually legitimate. When it happens, you still get a 403 error.

NOTE: Besides the 403 Forbidden error, you may also receive 404 Not Found or 500 Internal Server Error errors.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button