KNOWNHOST KNOWLEDGE BASE

Hosting Question? Find the Solution - Browse our Guides, Articles, and How-To's

What is mod_security?

Category: Common Issues
Tags: # # # # #

Keeping our websites secure is one of the most important and challenging topics of all time. This article will cover the ‘mod_security’ module and whether or not you should consider using it on your server(s)/website(s).

What is mod_security?

ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. I like to think about it as an enabler: there are no hard rules telling you what to do; instead, it is up to you to choose your own path through the available features. That’s why the title of this section asks what ModSecurity can do, not what it does.

Quoted from modsecurity.org

That is a general overview. Breaking it down a little further, mod_security is an Apache module (or extension) specifically designed to protect your website(s) from malicious activity.

ModSecurity (aka mod_security, security2_module, or modsec) is an apache module designed to work similarly to a Web Application Firewall, to help protect websites from certain types of attacks. Which types of attacks the sites are then protected from would depend on which ruleset is in use. In terms of the 7-Layer OSI Model, it is only Level 7 (the Application Layer) which is affected by ModSecurity.

In general, ModSecurity looks at the incoming apache requests, compares it to patterns described in the rules in the ruleset, and takes actions on the requests based on the results of the tests.

The official mod_security reference manual can be found here: SpiderLabs ModSecurity Reference Manual

But, it is very important to note that in recent cPanel & DirectAdmin versions, it is usually not necessary to do any of the ModSecurity configuration manually.

It is useful to know which ruleset is appropriate for your server depends heavily on the specific types of sites you will be hosting, and more importantly, the specific types of Apache requests that will be needed in order for the site applications to work. If one of the types of requests being blocked by the ModSecurity ruleset installed is needed in order for one of the sites to work, then parts of that site will not work while that ruleset is installed.

Where can I find mod_security rulesets?

Rulesets are required for mod_security to function properly. SpiderLabs has teamed with OWASP Open Web Application Security Project) for developing a ‘generic’ list of rulesets for out of the box functionality from mod_security.

Their open source ruleset can be downloaded here: owasp-modsecurity-crs
More information regarding their project can be found here: OWASP ModSecurity Core Rule Set Project

You can, of course, write your own rulesets or purchase custom licensed rulesets. A quick Google search can provide relevant listings.

How can I install mod_security?

mod_security can be installed through different methods across cPanel and DirectAdmin. We’ll go over both methods within this section to ensure that it’s properly explained.

cPanel installation

The tools for configuring ModSecurity do not do anything unless the module has been installed in Apache. If ModSecurity is not yet installed, this can be done via EasyApache. Make sure that ModSecurity has been selected before beginning the build process.

Alternatively, if you’re familiar with CLI — you can login to your server as root and run the following command on a cPanel server with EasyApache 4

# [root@knownhost] yum install ea-apache24-mod_security2

This will install mod_security and it’s necessary rules in order for it to function.

Once the build process has completed, the next step is to add a ruleset. The recommended way to do this is in WHM at Home >> Security Center >> ModSecurity™ Vendors as described here. By default, there should be a cPanel-curated OWASP ruleset available to choose. If there is a different published ruleset you prefer to use instead, check with the developer of the ruleset if they make their ruleset available as a Vendor that can be added via WHM. If the ruleset is available in this format, it is the strongly preferred method of installing the ruleset.

DirectAdmin installation

mod_security for DirectAdmin gets installed over CLI through Custombuild, so it’s recommended that you’re familiar with DirectAdmin and Custombuild before continuing.

It’s important to note that DirectAdmin offers two different rulesets — OWASP and Comodo. We’ll be using ‘comodo’ for the ruleset below.

Login to your DirectAdmin server as root and perform the following:

cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset "comodo"
./build modsecurity
./build modsecurity_rules
./build rewrite_confs

This will run through the compilation process of mod_security to install it onto your server and active Directadmin installation. Once it’s finished you can then login to DirectAdmin and utilize the ModSecurity Interface at Server Manager >> ModSecurity (https://hostname:2222/admin/modsecurity).

This will allow you to manage ModSecurity, check the logs, customize its rules and other various administrative tasks.

Compatibility

Some types of rules are not compatible with mod_ruid2. In particular, any ModSecurity rules that need to store values in files will not work when mod_ruid2 due to the interaction between the file permissions and ownerships, and the users the apache processes would run as. Rules that do not work with mod_ruid2 for this reason are also not likely to work with mpm-itk for the same reasons. If you are not sure whether a specific ruleset has rules in it that need to store values in files, you may want to check with the developer of the ruleset before trying to use the ruleset in a server using mod_ruid2 or mpm-itk.Edit

Firewall

If you also have ConfigServer Security&Firewall installed in the server, you may want be aware that LF_MODSEC is enabled by default. If this feature is enabled, then if the same IP address triggers modsec rules a certain number of times within a certain period of time, that IP address will be blocked in the firewall (either temporarily or permanently, depending on how related settings are configured). But, since it is possible for some rules to conflict with some web applications, it is strongly recommended to make sure the installed modsec ruleset is appropriate for the specific server before enabling this firewall feature. Otherwise, typical visitors doing typical site activities might become blocked in the firewall.

Should I use mod_security?

If uncertain, consult your developer before enabling!

Now, this is difficult question. *IF* you are able to confirm that your rulesets do not interfere with your websites functionality, there is no reason not to use mod_security. However, if your website requires numerous, custom POST requests, it’s most likely mod_security will interfere with your websites’ core functionality and should be avoided.

Conclusion

In the end mod_security can be a very beneficial Web Application Firewall for protecting your website from malicious attacks such as Cross-Site Scripting, SQL Injection, PHP Shell uploads and more. However, if you’re not utilizing up to date software this may not work in your favor. That’s why at the end of the day, it’s always best to consult the developer to ensure that the applications you utilize won’t be affected by mod_security.

KnownHost offers 365 days a year, 24 hours a day, all 7 days of the week best in class technical support. A dedicated team ready to help you with installing mod_security or general questions regarding it should you need our assistance. You’re not using KnownHost for the best web hosting experience? Well, why not? Check with our Sales team to see what can KnownHost do for you in improving your webhosting experience.