What is a WAF
A WAF is a web application firewall. It protects HTTP applications (e.g. websites) by applying a set of rules that guard against common attacks such as SQL injection and cross-site scripting (XSS).
Mod Security Web Application Firewall
Mod_Security is an Apache (and IIS) module which provides an interface for applying rules to protect your HTTP applications. There are various providers of ModSecurity rules, both free and paid. Mod Security Web Application Firewall is open source.
Mod Security in Plesk
Installing Mod Security Web Application Firewall in Plesk is very easy:
Tools & Settings > Updates and Upgrades > Add/Remove Components > Web hosting group
Check the box for 'ModSecurity'
Once installed, go to
Tools & Settings > Web Application Firewall (ModSecurity)
You can choose between On, Off and Detection Only:
On: The rules are enforced and connections will be terminated when matching rules are found.
Detection Only: The rules are evaluated and matching connections are logged. No traffic will be dropped.
Off: Rules are not enforced.
Mod Security in Apache
Install mod security (assuming CentOS and the EPEL repo):
yum install mod_security mod_security_crs
Edit /etc/httpd/conf.d/mod_security.conf and change the SecRuleEngine option. You can choose between On, Off and Detection Only (written DetectionOnly in the config file):
On: The rules are enforced and connections will be terminated when matching rules are found.
Detection Only: The rules are evaluated and matching connections are logged. No traffic will be dropped.
Off: Rules are not enforced.
Restart Apache:
service httpd restart
Mod Security Rulesets
Atomic Basic ModSecurity
OWASP ModSecurity Core Rule Set (CRS)
Advanced ModSecurity Rules by Atomicorp
Comodo ModSecurity Rule Set (Linux)
CentOS Mod Security file locations
Mod Security Config File – /etc/httpd/conf.d/mod_security.conf
Debug Log – /var/log/httpd/modsec_debug.log
Audit log – /var/log/httpd/modsec_audit.log
Rules – /etc/httpd/modsecurity.d/activated_rules
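When running in Detection Only mode, the audit log listed above is what tells you which rules would block traffic once you switch to On. The following is an added example, not part of the original article: it tallies rule hits per rule ID from a ModSecurity 2.x serial audit log, assuming parts A, B and H are being logged. The sample log is constructed and its Message lines are abbreviated; the function name summarize is an assumption of this example.

```python
import re
from collections import Counter

# Constructed, abbreviated sample in the ModSecurity 2.x serial audit log layout
# (part A = transaction header, B = request headers, H = rule messages, Z = end).
SAMPLE_LOG = """\
--4f1a2b3c-A--
[10/Jan/2024:09:15:01 +0000] ZZ5xAAAAAAAAAAAAAAAAAAAA 203.0.113.7 40112 192.0.2.10 80
--4f1a2b3c-B--
GET /item.php?id=1%27+OR+%271%27%3D%271 HTTP/1.1
Host: shop.example.test
--4f1a2b3c-H--
Message: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
--4f1a2b3c-Z--
--7d8e9f00-A--
[10/Jan/2024:09:16:40 +0000] ZZ5yBBBBBBBBBBBBBBBBBBBB 203.0.113.9 40250 192.0.2.10 80
--7d8e9f00-B--
POST /search.php HTTP/1.1
Host: shop.example.test
--7d8e9f00-H--
Message: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"]
--7d8e9f00-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')

def summarize(log_text):
    """Return (Counter keyed by (rule_id, msg), dict rule_id -> set of request lines)."""
    hits, by_rule, section, request = Counter(), {}, None, None
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section = m.group(2)
            request = None if section == "A" else request  # new transaction starts at A
        elif section == "B" and request is None and line:
            request = line  # first line of part B is the request line
        elif section == "H" and line.startswith("Message:"):
            rid, msg = RULE_ID.search(line), RULE_MSG.search(line)
            if rid:
                hits[(rid.group(1), msg.group(1) if msg else "")] += 1
                by_rule.setdefault(rid.group(1), set()).add(request or "(no request line)")
    return hits, by_rule

if __name__ == "__main__":
    hits, by_rule = summarize(SAMPLE_LOG)
    for (rid, msg), n in hits.most_common():
        print(f"{n:3d}  id {rid}  {msg}  <- {sorted(by_rule[rid])}")
```

To run it against a real server, pass the contents of /var/log/httpd/modsec_audit.log to summarize instead of the sample. Rules that fire on legitimate requests are the ones to tune before changing SecRuleEngine to On.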
Cloudflare WAF
Cloudflare is a SaaS provider that offers a free tier, which includes a WAF as standard. Cloudflare is configured by setting the DNS for your site: you use Cloudflare as your name servers and all traffic is then proxied through Cloudflare servers, where it is checked and blocked if needed.
Sources:
https://www.modsecurity.org/
https://docs.plesk.com/en-US/onyx/administrator-guide/server-administration/web-application-firewall-modsecurity.73383/
https://tecadmin.net/install-modsecurity-with-apache-on-centos-rhel/