Mod Security Web Application Firewall

What is a WAF

A WAF is a web application firewall. A Web Application Firewall protects HTTP applications (e.g. websites) using a set of rules to protect against various common attacks, such as SQL injection and cross-site scripting (XSS).

Mod Security Web Application Firewall

Mod_Security is an Apache (and IIS) module that provides an interface for applying rules to protect your HTTP applications. There are various providers of ModSecurity rules, both free and paid. Mod Security Web Application Firewall is open source.

Mod Security in Plesk

Installing Mod Security Web Application Firewall in Plesk is very easy:
Tools & Settings > Updates and Upgrades > Add/Remove Components > Web hosting group
Check the box for ‘ModSecurity’
Once installed, go to
Tools & Settings > Web Application Firewall (ModSecurity)
You can choose between On, Off and Detection Only

On: The rules are enforced and connections will be terminated when matching rules are found.
Detection Only: The rules are evaluated and matching connections are logged. No traffic will be dropped.
Off: Rules are not enforced.

Mod Security in Apache

Install mod_security (assuming CentOS with the EPEL repo):

yum install mod_security mod_security_crs

Edit /etc/httpd/conf.d/mod_security.conf and change the SecRuleEngine option. You can choose between On, Off and DetectionOnly.

On: The rules are enforced and connections will be terminated when matching rules are found.
DetectionOnly: The rules are evaluated and matching connections are logged. No traffic will be dropped.
Off: Rules are not enforced.

Restart Apache:

service httpd restart
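
The edit step above as a script that reads and changes the mode while keeping a backup; this is an added example, not part of the original post. The function names modsec_mode and set_modsec_mode are hypothetical, and it assumes SecRuleEngine is set in a single context in the file, so the last uncommented directive is the effective one.

```shell
#!/bin/sh
# Added example: inspect and change SecRuleEngine in a ModSecurity config file.
# CONF defaults to the CentOS path given on this page; function names are illustrative.
CONF="${CONF:-/etc/httpd/conf.d/mod_security.conf}"

# Print the effective SecRuleEngine value (last uncommented directive wins).
# Apache directive names are case-insensitive; commented lines never match
# because their first field starts with '#'. Returns 1 if no directive is set.
modsec_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { if (mode == "") exit 1; print mode }' "${1:-$CONF}"
}

# Set SecRuleEngine to On, Off or DetectionOnly in the given file.
# Keeps a copy in <file>.bak and preserves each line's indentation.
set_modsec_mode() {
    mode="$1"; file="${2:-$CONF}"
    case "$mode" in
        On|Off|DetectionOnly) ;;
        *) echo "invalid mode: $mode (use On, Off or DetectionOnly)" >&2
           return 2 ;;
    esac
    modsec_mode "$file" >/dev/null || {
        echo "no SecRuleEngine directive in $file" >&2
        return 1
    }
    cp -p "$file" "$file.bak" || return 1
    # Overwrite in place (same inode, so ownership and permissions are kept).
    awk -v m="$mode" '
        tolower($1) == "secruleengine" { sub(/[^ \t].*/, "SecRuleEngine " m) }
        { print }' "$file.bak" > "$file"
}

# Typical use as root, checking syntax before the restart shown on this page:
#   set_modsec_mode DetectionOnly && httpd -t && service httpd restart
```

If the syntax check fails, copy the .bak file back over the config before restarting.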

Mod Security Rulesets

Atomic Basic ModSecurity
OWASP ModSecurity Core Rule Set (CRS)
Advanced ModSecurity Rules by Atomicorp
Comodo ModSecurity Rule Set (Linux)

CentOS Mod Security file locations

Mod Security Config File – /etc/httpd/conf.d/mod_security.conf
Debug Log – /var/log/httpd/modsec_debug.log
Audit log – /var/log/httpd/modsec_audit.log
Rules – /etc/httpd/modsecurity.d/activated_rules

CloudFlare WAF

Cloudflare is a SaaS provider that offers a free tier, which includes a WAF as standard. Cloudflare is configured by setting the DNS for your site: you use Cloudflare as your name servers, and all traffic is then proxied through Cloudflare servers, where it is checked and blocked if needed.

Sources:
https://www.modsecurity.org/
https://docs.plesk.com/en-US/onyx/administrator-guide/server-administration/web-application-firewall-modsecurity.73383/
https://tecadmin.net/install-modsecurity-with-apache-on-centos-rhel/
