ModSecurity, also referred to as ModSec, is a free and open-source web application firewall (WAF) that helps you secure your web applications. It was first released in 2002, is distributed under the Apache License 2.0 and, since 2024, is maintained as an OWASP project. ModSecurity 2.x is an Apache module; since version 3 the engine has been a standalone library (libmodsecurity) with connectors for individual web servers. It is one of the most widely deployed web application firewalls.
Different web servers, including Apache, IIS, and Nginx, support ModSecurity. The engine evaluates a set of rules against HTTP traffic to detect and block common web exploits. The rule configuration language is called ‘SecRules’, and you write your own rules (or load a published rule set) to monitor and filter HTTP communications.
You can deploy ModSecurity to protect against several classes of vulnerabilities. A large share of attacks today target the web application layer. Below is an overview of ModSecurity, what it is for, and how you can use it.
Is ModSecurity the same as Mod_Security?
Yes, ModSecurity and Mod_security are the same technology. The project’s name is ModSecurity; Mod_security (and mod_security2 for the 2.x branch) is how the Apache module itself is named, so that spelling shows up in Apache error messages, module lists and hosting control panels. If you are presented with a Mod_security error message and cannot find much help, try searching for ModSecurity instead.
The terms ModSecurity and Mod_security are interchangeable.
How Does ModSecurity Work?
A web application firewall adds an external layer of security in front of your application. This layer inspects traffic and can detect and stop attacks before they reach your web-based programs. ModSecurity provides the rule configuration language mentioned above, SecRules, for exactly this purpose.
You can define rules to monitor (in real time), log, and filter HTTP communications. The most common rule set is the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set, or CRS, which provides defense against generic classes of web vulnerabilities rather than rules written for one specific application.
CRS is an open-source rule set written in the SecRules language, and other rule sets, free and commercial, are available as well. The ModSecurity engine is either embedded in the web server or deployed on a reverse proxy in front of it.
The engine inspects the incoming requests and outgoing responses that pass through that server. Based on your rule configuration it decides how to handle each transaction: it can pass the request through, deny it with a status code of your choice, redirect it, drop the connection, or execute a user-supplied script, among other actions. Rules run in phases (request headers, request body, response headers, response body, logging), so a rule can look at the client’s input before the application sees it and at the application’s output before the client does.
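As an added example (this is not code from the original page or from the ModSecurity project), here is a minimal ModSecurity 2.x configuration for Apache that ties the pieces above together: the engine switch, audit logging, a rule that blocks, and a rule that only monitors. The rule IDs, log paths and the specific checks are illustrative assumptions.

```apache
# Added example, not part of the original page: minimal ModSecurity 2.x
# setup for Apache. Paths and rule IDs (100001, 100002) are assumptions.
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # Engine modes: Off, DetectionOnly (evaluate and log, never block), On (enforce)
    SecRuleEngine On

    # Read request bodies so POST form fields are visible to rules; cap the size
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200

    # Write a detailed audit record only for transactions a rule flagged
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecAuditLogParts ABCFHZ
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0

    # Blocking rule: reject any query or body argument containing "../".
    # phase:2 runs after the request body has been read; t:none clears any
    # default transformations and t:urlDecodeUni catches double-encoded input.
    # "deny,status:403" answers the client with HTTP 403 and nothing reaches
    # the application.
    SecRule ARGS "@contains ../" \
        "id:100001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal attempt in %{MATCHED_VAR_NAME}'"

    # Monitor-only rule: log requests with no User-Agent header but let them
    # through ("pass"), so the rule can be tuned before it is ever enforced.
    # "&" in front of a variable yields the number of matching items.
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
        "id:100002,phase:1,t:none,pass,log,msg:'Request without User-Agent header'"
</IfModule>
```

Switching SecRuleEngine to DetectionOnly leaves both rules evaluated and logged but never blocks, which is the mode to run new rules in first.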
Should I Use ModSecurity?
If you own or operate a website, using ModSecurity is good practice for protecting against attacks that arrive through the web application, and especially so if you run an e-commerce site. ModSecurity can help you with PCI DSS compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of minimum requirements developed by the PCI Security Standards Council to protect the cardholder data that merchants and service providers handle. Requirement 6.6 of PCI DSS v3.2.1 names an automated technical solution that detects and prevents web-based attacks, such as a web application firewall, as one way to protect public-facing web applications; ModSecurity can help you satisfy that requirement by shielding your eCommerce website from external threats. It does not, on its own, make a site compliant.
Beyond compliance, there are several reasons to use ModSecurity. It gives you real-time access to the HTTP communication stream, so you can inspect every request and response as it passes and use that for application monitoring and access control.
That makes it a tool for real-time security monitoring, and if you wish, you can block communication streams that look harmful rather than just logging them.
ModSecurity is also the tool to use if you want to do virtual patching. Virtual patching is a web security procedure in which you mitigate a known vulnerability in an application from a separate layer.
With this approach you can contain the issue without touching the application, which buys time when the real fix cannot ship immediately (third-party or legacy code, for example). The concept applies to any protocol, but it is most practical with HTTP, which is what ModSecurity inspects, so only vulnerabilities reachable through HTTP requests and responses can be virtually patched this way.
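The following is an added example of a virtual patch, not code from the original page or from the ModSecurity project. It assumes an application with an injection bug in the “id” parameter of /product.php and an admin export endpoint under /admin/export that cannot be fixed in code right away; the paths, parameter name, rule IDs and the 10.0.0.0/8 management network are all assumptions for illustration.

```apache
# Added example, not part of the original page: virtual patches for an
# application whose code cannot be fixed immediately. All paths, the "id"
# parameter, rule IDs 200001-200003 and 10.0.0.0/8 are assumptions.

# Positive-security (allow-list) patch: /product.php?id=... must be a 1-9
# digit number. The first SecRule selects the URL; "chain" makes the second
# rule run only when the first matched. The disruptive action (deny) and
# the message live on the first rule of the chain, the id on the first only.
SecRule REQUEST_FILENAME "@endsWith /product.php" \
    "id:200001,phase:2,t:none,t:lowercase,deny,status:400,log,chain,\
     msg:'Virtual patch: non-numeric id passed to product.php'"
    SecRule ARGS:id "!@rx ^[0-9]{1,9}$" "t:none"

# Same endpoint: the parameter must appear exactly once. Repeated parameters
# (id=1&id=2) are a classic way to slip past a filter that only checks the
# first or last value; "&ARGS:id" is the count of "id" arguments.
SecRule REQUEST_FILENAME "@endsWith /product.php" \
    "id:200002,phase:2,t:none,t:lowercase,deny,status:400,log,chain,\
     msg:'Virtual patch: id must appear exactly once'"
    SecRule &ARGS:id "!@eq 1" "t:none"

# Temporary kill switch: hide an unpatched admin endpoint from everyone
# except the internal management network. phase:1 needs only the request
# headers, so the request body is never read for rejected requests.
SecRule REQUEST_FILENAME "@beginsWith /admin/export" \
    "id:200003,phase:1,t:none,t:lowercase,deny,status:404,log,chain,\
     msg:'Virtual patch: export endpoint disabled pending fix'"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8" "t:none"
```

The allow-list style (describe what the parameter may contain) is preferable to a deny-list of attack strings for a virtual patch, because the bug is in how the application handles that one parameter and you usually know exactly what legitimate values look like. Remove the rules, or keep them as defense in depth, once the real fix is deployed.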
Note that you should only put ModSecurity in front of a site once you understand it reasonably well. ModSecurity is a complex tool, and a badly tuned rule set produces false positives: legitimate requests (form posts, file uploads, API calls) get blocked, which users experience as the site failing to serve pages. Read the official ModSecurity documentation before using it, and run the engine in DetectionOnly mode first so you can review what would have been blocked before you enforce.
What are the ModSecurity Deployment Options?
ModSecurity supports two deployment options: embedded and reverse proxy. The embedded option is ideal if your architecture is already laid out and you are reluctant to change it.
Because ModSecurity 2.x is an Apache module, you can add it to any compatible Apache build. Embedded deployment is also the only practical option if you need to protect hundreds of web servers; in that scenario it does not make sense to build a separate proxy-based security layer.
The embedded option scales as your underlying infrastructure scales, and it introduces no new point of failure. Its drawback is that the web server shares its CPU and memory with ModSecurity, so inspection, particularly of large request and response bodies, costs application capacity.
Reverse proxy deployment, on the other hand, relies on HTTP routers placed between the clients and the web servers. Installing ModSecurity on a dedicated reverse proxy turns that proxy into a network web application firewall.
You can then use it to protect the web servers behind it, including servers you do not administer yourself. Many people prefer this external security layer because the WAF is entirely isolated from the systems it protects.
It is also good for performance, since the standalone ModSecurity host has dedicated resources, which in turn lets you afford more complex rules, and one rule set covers many backends. The notable drawback is that the proxy is a new point of failure (and a potential bottleneck) that you need to address with redundancy, and the backend no longer sees the client’s real IP address unless the proxy forwards it.
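As an added example (not from the original page or the ModSecurity project), the configuration below shows the reverse proxy deployment on Apache: a dedicated host terminates client HTTP, runs ModSecurity with the OWASP CRS, and forwards clean requests to the application server. The hostname, the backend address 10.0.0.20:8080 and all file paths are assumptions. In the embedded deployment the same ModSecurity directives go into the application server’s own configuration and the Proxy* lines are simply omitted.

```apache
# Added example, not part of the original page: ModSecurity in the
# reverse-proxy deployment. shop.example.com, 10.0.0.20:8080 and the
# /etc/modsecurity/crs and /var/log/httpd paths are assumptions.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule security2_module    modules/mod_security2.so

<VirtualHost *:80>
    ServerName shop.example.com

    # --- ModSecurity on the proxy ---
    SecRuleEngine On
    SecRequestBodyAccess On
    # Inspect response bodies too, e.g. to stop leaked stack traces or SQL
    # error messages from reaching the client. Limit it to text types so
    # images and downloads are not buffered.
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/html text/plain application/json
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log

    # OWASP Core Rule Set: the setup file (paranoia level, anomaly score
    # thresholds) must be included before the rule files.
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf

    # --- Forward inspected traffic to the real web server ---
    # ProxyRequests Off keeps this a reverse proxy only, never an open
    # forward proxy. ProxyPreserveHost passes the original Host header on so
    # name-based virtual hosts on the backend still work.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.20:8080/
    ProxyPassReverse / http://10.0.0.20:8080/
</VirtualHost>
```

ModSecurity’s request phases run before mod_proxy hands the request to the backend and its response phases run on the way back, so a request denied by a rule never reaches 10.0.0.20. Note that the backend now sees the proxy’s address as the client; forward the real address with an X-Forwarded-For header on this host (mod_proxy adds one by default) and read it with mod_remoteip on the backend if the application or its logs need it.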
How to Check if ModSecurity is Enabled
The simplest method of determining whether ModSecurity is enabled is using cPanel. This software helps you manage web hosting servers. It allows end-user site owners and admins to control certain aspects of server and web administration via a web browser.
Log in to your cPanel account and navigate to the “Security” section. Next, click on the “ModSecurity” Icon.
Here you will see the options for enabling and disabling ModSecurity. If it’s enabled, you will see the message, “Mod_Security is enabled for your domains.”
Unfortunately, not all web hosting companies expose ModSecurity to their clients, so you might not see the icon in your cPanel. In that case you will need to open a support ticket with your hosting provider.
If you are more tech-savvy and want to check for yourself, you can look at the Apache configuration directly. First you need to find the main Apache configuration file.
If you installed Apache using a package manager (the case on most systems), or it came preinstalled, the configuration file is usually in one of the locations below:
If you built Apache from source, it is more likely under /opt or /usr/local, although the configuration files may have been moved to /etc. If you are unsure, inspect your build script, or run apachectl -V and look at the HTTPD_ROOT and SERVER_CONFIG_FILE values, which tell you where the running server reads its configuration from.
To determine whether ModSecurity is loaded, look in the main configuration file and in the files it includes (such as conf.modules.d/*.conf on Red Hat derived systems or mods-enabled/security2.load on Debian and Ubuntu) for a line of the form “LoadModule security2_module modules/mod_security2.so”. Alternatively run apachectl -M (apache2ctl -M on Debian and Ubuntu) and look for security2_module in the list of loaded modules. Loaded is not the same as enforcing: the active configuration also needs “SecRuleEngine On”, and “SecRuleEngine DetectionOnly” means the module only logs what it would have blocked.
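Reading configuration files tells you what should be loaded; the added example below (not code from the original page or from the ModSecurity project) is a canary rule that lets you confirm from outside, with a browser or curl, that ModSecurity is loaded and actually enforcing. The parameter name modsec_canary, its value and rule ID 300001 are arbitrary assumptions; use something unguessable in production, or remove the rule once you have verified the deployment.

```apache
# Added example, not part of the original page: a canary rule to verify
# end-to-end that ModSecurity is live. The parameter name/value and the
# rule id are assumptions.
<IfModule security2_module>
    SecRuleEngine On
    # Any request carrying ?modsec_canary=enforce-check is answered with 403
    # and logged. phase:1 means only request headers are needed.
    SecRule ARGS:modsec_canary "@streq enforce-check" \
        "id:300001,phase:1,t:none,deny,status:403,log,msg:'ModSecurity canary hit'"
</IfModule>
```

After “apachectl configtest” and a graceful restart, request /?modsec_canary=enforce-check on the site. A 403 means the module is loaded and SecRuleEngine is On; the normal page plus a “ModSecurity canary hit” line in the audit or error log means the engine is in DetectionOnly mode; the normal page with no log entry at all means the module is not loaded or the engine is Off. The IfModule guard keeps Apache starting even without the module, which is exactly why the missing log line is the signal to look for.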
Should I Disable ModSecurity?
Although ModSecurity can interfere with some parts of your website, disabling the module is not advisable. Disabling ModSecurity leaves your website exposed to attacks that would otherwise have been blocked. The better response to a false positive is to disable or tune the single rule that triggered (ModSecurity lets you remove a rule by ID for one location with SecRuleRemoveById) while leaving the engine on.
Disabling ModSecurity could also compromise your website’s ability to meet specific PCI DSS requirements, which matters if you operate an eCommerce site. Keep the module on, because it shields your site from attacks such as:
- SQL Injection – An attack that reads or modifies data in your database by injecting SQL fragments through input the application concatenates into queries: login forms, search boxes, and URL parameters, among others.
- File inclusion attacks – Local and remote file inclusion, where attacker-controlled input makes the application load a file from the server or from a URL, which can expose sensitive files or lead to code execution.
- Cross-site Scripting – XSS attacks inject script into pages your site serves, turning your site into a staging point for attacks against your visitors’ browsers.
- Brute Force – Scripts that rapidly guess usernames and passwords until one works. Note that the stock CRS rules do not throttle login attempts; stopping brute force takes custom rules that count failures per client, or a rate limit in front of the login endpoint.
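Since brute-force protection is the one item in the list above that needs custom rules, here is an added example (not code from the original page or from the ModSecurity project) of a login throttle built on ModSecurity’s persistent IP collection. It assumes the application answers a failed POST /login with HTTP 401; the path, the 401 convention, the thresholds, the rule IDs and the SecDataDir path are assumptions.

```apache
# Added example, not part of the original page: brute-force throttle for a
# login form using a persistent per-client collection. /login, the 401 on
# failure, the 10-failure / 600-second window, rule ids 400001-400003 and
# the data directory are assumptions.

# Persistent collections are stored on disk; the directory must be writable
# by the Apache user.
SecDataDir /var/cache/modsecurity

# Open (or create) a collection keyed by source address for this request.
# Behind a reverse proxy, key on the real client address (mod_remoteip)
# instead, otherwise every user shares the proxy's counter.
SecAction "id:400001,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Count failed logins. phase:5 (logging) runs after the response, so
# RESPONSE_STATUS is known. The counter is reset 600 seconds after its last
# update, so the window slides with each failure.
SecRule REQUEST_METHOD "@streq POST" \
    "id:400002,phase:5,nolog,pass,t:none,chain"
    SecRule REQUEST_FILENAME "@streq /login" "t:none,chain"
        SecRule RESPONSE_STATUS "@streq 401" \
            "t:none,setvar:ip.login_failures=+1,expirevar:ip.login_failures=600"

# Refuse further login attempts from a client with more than 10 failures in
# the window. Other clients, and other URLs for this client, are unaffected.
SecRule REQUEST_FILENAME "@streq /login" \
    "id:400003,phase:1,t:none,deny,status:403,log,chain,\
     msg:'Login brute force: %{ip.login_failures} failures from %{REMOTE_ADDR}'"
    SecRule IP:login_failures "@gt 10" "t:none"
```

Keying on the source address is a trade-off: one shared NAT address can lock out a whole office, and a distributed attacker rotates addresses. Keying the counter on the submitted username (a USER or SESSION collection) catches the latter, at the cost of letting an attacker lock legitimate users out, so many deployments combine both with different thresholds.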
Overall, ModSecurity is a capable tool that uses several methods to protect your website from external attacks. It is a reliable, flexible resource for both site owners and system administrators. Treat it as a core addition to your website’s security controls, not as a replacement for fixing vulnerabilities in the application itself.