The Internet keeps growing, and new vulnerabilities and flaws that expose systems to attack appear every day. This makes security plugins such as ModSecurity very important. ModSecurity, also known as ModSec, is an open-source web application firewall (WAF). Considering that most attacks are made at the web application level, ModSecurity is a handy tool for securing the server and its data.
ModSecurity Core Rule Set
ModSecurity was developed and released by Ivan Ristić in 2002. The main purpose of the first version of ModSecurity was to monitor application traffic on the Apache HTTP Server. As a result, porting ModSecurity to other platforms required a lot of time, and maintenance costs were high. So in 2015 a complete rewrite of ModSecurity was started. In this new version, ModSecurity is separated into a standalone engine that communicates with the server through an API. This latest version is called ModSecurity 3.0 and supports connectors for NGINX, IIS, and Apache.
ModSecurity works as a real-time filter against incoming attacks on web applications. ModSecurity comes with a Core Rule Set (CRS) but also supports a flexible rule engine to handle more complicated tasks. The OWASP ModSecurity Core Rule Set is the most popular free ruleset and is updated regularly. It can block multiple generic attacks such as cross-site scripting, bad user agents, SQL injection, trojans, session hijacking, and some other exploits.
Monitoring ModSecurity rules
ModSecurity works by scanning and testing every request that comes to the server. If a request passes the tests, it is passed on to the website; if not, the request is blocked. During this process, ModSecurity gives you access to real-time monitoring and inspection of the traffic. Instead of scheduled security measures, ModSecurity serves as a continuous security assessment that helps you harden web applications. ModSecurity can also log the traffic for further inspection in case of a data breach.
Although ModSecurity comes with handy rule sets, they can produce false positives. As an administrator, you should keep an eye on the traffic and monitor the blocked requests to check whether they are legitimate traffic or not. Also ensure the ruleset is up to date, so ModSecurity can detect and block the latest malicious web attacks.
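As an added example of this kind of monitoring (not part of the original article or of ModSecurity itself), the script below groups ModSecurity entries from an Apache error log by rule ID and URI so that likely false positives stand out. The log lines are constructed samples in the ModSecurity 2.x error-log style, and the `triage` function, its `min_clients` threshold and the heuristic that one rule blocking several distinct clients on the same URI deserves review are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2.x Apache error-log style (not real traffic).
# In anomaly-scoring setups the per-rule lines say "Warning." instead of "Access denied";
# triage() counts both, because it keys on the "ModSecurity:" marker and the [id "..."] field.
_T = ('[Tue Mar 05 10:12:0{n} 2024] [:error] [pid 811] [client {ip}:5{n}123] ModSecurity: '
      'Access denied with code 403 (phase 2). [id "{rid}"] [msg "{msg}"] '
      '[severity "CRITICAL"] [uri "{uri}"]')
SAMPLE_LOG = "\n".join(
    [_T.format(n=n, ip=f"198.51.100.{10 + n}", rid="941100",
               msg="XSS Attack Detected via libinjection", uri="/blog/comment") for n in range(4)]
    + [_T.format(n=n, ip="203.0.113.5", rid="942100",
                 msg="SQL Injection Attack Detected via libinjection", uri="/search")
       for n in range(4, 7)]
    + ['[Tue Mar 05 10:12:09 2024] [core:notice] [pid 811] AH00094: Command line: apache2'])

CLIENT_RE = re.compile(r'\[client (\d+\.\d+\.\d+\.\d+)')   # IPv4 only; port is dropped
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [key "value"] pairs

def triage(log_text, min_clients=3):
    """Group ModSecurity hits by (rule id, URI) and mark false-positive candidates."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "msg": ""})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue                      # ordinary Apache log line
        client = CLIENT_RE.search(line)
        fields = dict(FIELD_RE.findall(line))
        if not client or "id" not in fields:
            continue                      # malformed or truncated entry
        entry = hits[(fields["id"], fields.get("uri", "?"))]
        entry["count"] += 1
        entry["clients"].add(client.group(1))
        entry["msg"] = fields.get("msg", "")
    report = [{"id": rule_id, "uri": uri, "blocked": e["count"],
               "clients": len(e["clients"]), "msg": e["msg"],
               # Assumed heuristic: many unrelated clients tripping one rule on one
               # URI looks more like normal site usage than like a single attacker.
               "review": len(e["clients"]) >= min_clients}
              for (rule_id, uri), e in hits.items()]
    return sorted(report, key=lambda r: (-r["clients"], -r["blocked"]))

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        flag = "REVIEW" if row["review"] else "ok"
        print(f'{flag:6} rule {row["id"]} on {row["uri"]}: '
              f'{row["blocked"]} hits from {row["clients"]} client(s) - {row["msg"]}')
```

A flagged row is only a prompt to inspect the requests; confirm against the logged request data before changing or excluding a rule.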
How to enable ModSecurity in cPanel
You can enable and use ModSecurity with a few simple clicks in cPanel. To enable ModSecurity in your cPanel interface, follow the steps below:
1. Log in to your cPanel account.
2. Scroll to the ‘Security’ section.
3. Click the ‘ModSecurity’ icon. A list of all domains is displayed.
4. Check whether ModSecurity is Enabled or not.
5. If ModSecurity is disabled, simply click the ‘Enable’ button.
6. A message informing you that ModSecurity is enabled is displayed.
How to install ModSecurity on your server
You can also install ModSecurity directly on your VPS. Before installing ModSecurity, you need to have Apache installed.
Ubuntu
Install ModSecurity on your Ubuntu VPS
sudo apt-get install libapache2-mod-security2
Restart Apache
/etc/init.d/apache2 restart
Check the version of ModSecurity
apt-cache show libapache2-mod-security2
CentOS
Install ModSecurity on your CentOS VPS
yum install mod_security
Restart Apache
/etc/init.d/httpd restart
Check the version of ModSecurity
yum info mod_security
Debian
Install ModSecurity on your Debian VPS
sudo apt install libapache2-modsecurity
Restart Apache
/etc/init.d/apache2 restart
Check the version of ModSecurity
apt-cache show libapache2-modsecurity