What is ModSecurity?

OTaKuHP
3 min read, Jun 1, 2021


ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of HTTP request and response filtering capabilities, along with other security features, across a number of platforms including Apache HTTP Server, Microsoft IIS and Nginx. It is free software released under the Apache License 2.0.

The platform provides a rule configuration language known as ‘SecRules’ for real-time monitoring, logging, and filtering of Hypertext Transfer Protocol communications based on user-defined rules.

Although not its only configuration, ModSecurity is most commonly deployed to provide protections against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS). This is an open-source set of rules written in ModSecurity’s SecRules language. The project is part of OWASP, the Open Web Application Security Project. Several other rule sets are also available.

To detect threats, the ModSecurity engine is deployed either embedded within the web server or as a proxy server in front of a web application. This allows the engine to inspect incoming and outgoing HTTP traffic to the endpoint. Depending on the rule configuration, the engine decides how each transaction is handled, with the capability to pass, drop, redirect, return a given status code, execute a user script, and more.

Generally, ModSecurity leaves you free to decide how you take advantage of the features available. This flexibility is a core element of ModSecurity’s identity and complements its open-source structure: you have complete access to its source code, so you can customize the tool to suit your own needs.

And that’s crucial for anyone who wants tools that let them achieve what they need to with minimal restrictions. Which is probably all of us, right? ModSecurity is a versatile tool that suits numerous usage scenarios. Let’s look at some of the most important:

  • Security monitoring and access control for applications
  • Comprehensive logging of HTTP traffic
  • Hardening web applications
  • A more personal solution
  • Continuous passive security assessments
  • ModSecurity’s Core Principles
  • Choices of Deployment
  • Understanding ModSecurity and Plesk
  • Final Notes for Nginx and ModSecurity on Linux Systems

Every server hosting client who hosts websites and web applications should consider using ModSecurity, but there are potential drawbacks to be aware of. ModSecurity blocks generic attacks against web applications; it is not an alternative to updating a CMS, because it cannot account for the specific vulnerabilities of every content management system. There is also the possibility of false positives: legitimate web traffic being blocked by accident. The CRS attempts to limit false positives, but it may not eliminate the risk. ModSecurity users are expected to keep an eye on what is blocked and add exceptions to the rules as required.
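As an added example (not from the original post or from the ModSecurity project), here is a minimal Apache-side configuration in the SecRules language that ties together the engine actions described earlier (pass, deny with a status code, logging) and the narrow rule exceptions for false positives just mentioned. The file paths, rule ids, and the URI and argument names are assumptions chosen for the illustration.

```apache
# Added example: minimal ModSecurity v2 configuration for Apache httpd.
# Paths, rule ids, and the URI/argument names below are assumptions.

# Switch the engine on. "DetectionOnly" logs matches without blocking and is
# the usual first setting while tuning rules on a new site.
SecRuleEngine On

# Inspect request bodies (form posts, JSON) in addition to headers and query.
SecRequestBodyAccess On

# Write transactions that triggered a rule to the audit log; this is where
# you look to find the rule id and variable behind a false positive.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# Load the OWASP Core Rule Set (install path varies by distribution).
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# Custom rule: deny any request whose decoded arguments contain a "../"
# sequence, answer with HTTP 403, and log which variable matched.
# phase:2 runs after the request body has been read.
SecRule ARGS "@contains ../" \
    "id:100001,phase:2,t:none,deny,status:403,log,\
    msg:'Path traversal pattern in %{MATCHED_VAR_NAME}'"

# Handling a false positive the right way: suppose the audit log shows that
# CRS rule 942100 (assumed id here; use the one your log reports) fires on a
# free-text "comment" field under /blog/comments. Instead of disabling the
# rule globally with SecRuleRemoveById, exclude only that one argument, only
# for that path, so the rule still protects every other input.
SecRule REQUEST_URI "@beginsWith /blog/comments" \
    "id:100002,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:comment"
```

Run `apachectl configtest` after editing to catch syntax errors before reloading the server.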

To learn more about using ModSecurity on your Future Hosting server, take a look at the excellent free ModSecurity Handbook.


Written by OTaKuHP

Hacker / PenTester / AppSec / etc.
