Securing Web Applications With ModSecurity Web Application Firewall

Web application firewalls (WAFs) provide vital protection for websites and applications against threats like SQL injection, cross-site scripting, denial of service attacks, and much more. One powerful open source WAF option is ModSecurity. In this comprehensive guide, we’ll look at what ModSecurity is, the features it provides, how to install and configure it, managing rules, and how to leverage it to better secure your web apps.

What is ModSecurity?

ModSecurity is an open source web application firewall that monitors and filters the HTTP traffic headed to your web apps. It analyzes every request in real time and, depending on its ruleset, blocks or logs anomalous activity.

ModSecurity sits in front of web servers like Apache and Nginx and scrutinizes the full incoming request stream before it reaches your application code. This allows it to detect and halt attacks like SQL injection, remote file inclusion, cross-site scripting, and more.

Key capabilities provided by ModSecurity include:

  • Request analysis to spot deviations from normal parameters
  • Pattern matching against known malicious payloads
  • Validation of inputs and encoding enforcement
  • Blocking, redirecting or logging violations as configured
  • Detailed audit logs of all requests and actions
  • Customizable rules tailored to your specific apps
  • Integration with web servers, reverse proxies, and CDNs
  • Lua scripting for administrative controls and dynamic responses

Together these features allow for robust protection beyond traditional firewalls. ModSecurity combines layers of positive and negative security models to provide defense in depth.

Why Use ModSecurity?

There are several reasons ModSecurity has become one of the most widely used open source WAFs:

Powerful protections out of the box – It comes packaged with the OWASP Core Rule Set (CRS) with over 100 built-in rules to detect the OWASP Top 10 web app vulnerabilities. This offers great baseline security.

Flexible and customizable – While CRS provides the foundation, ModSecurity is extremely flexible. You can modify existing rules, disable those not needed, set thresholds, and add your own custom rules tailored to your apps.

Lightweight and scalable – As an external proxy, ModSecurity doesn’t bog down your application servers. The efficient codebase has minimal performance impact and can scale to handle very high traffic loads.

Real-time monitoring – Requests are analyzed in real time before being allowed through to the backend. This stops attacks as they happen rather than reacting after exploitation.

Free and open source – Released under Apache 2.0 license, you can freely download, install, modify, and redistribute ModSecurity without licensing costs. The active community supports continued development.

These advantages make ModSecurity a go-to WAF option to consider for protecting internet-facing web applications.

How To Install ModSecurity

There are a few different installation methods for deploying ModSecurity based on where it will sit in your infrastructure:

WAF-as-a-Service

One option is to utilize a managed WAF service like that offered by HETNiX. Their virtual private servers (VPS) include ModSecurity already pre-installed and configured for immediate WAF protection on your sites.

ModSecurity Web Server Module

On servers like Apache and Nginx, ModSecurity integrates directly as a module. This allows deploying it on the same host as your web apps:

  • For Apache, compile or use a packaged mod_security module
  • For Nginx, use the ModSecurity Nginx Connector and libmodsecurity library

Reverse Proxy

ModSecurity can also be set up on a separate server, such as an Nginx reverse proxy, that forwards external requests to your apps. This provides some isolation between your applications and the WAF filtering logic.

CDNs and Load Balancers

Major CDN providers offer ways to implement ModSecurity rules at the edge. This allows filtering traffic before it reaches origin infrastructure.

How to Configure ModSecurity

The main configuration file for ModSecurity is /etc/modsecurity/modsecurity.conf on Debian-based distributions. This controls settings like:

  • Core rule sets to enable (OWASP CRS by default)
  • Location of data and rules files
  • Request body handling
  • Encoding normalization
  • Logging and audit settings
  • Performance tuning

Individual filtering rules can be created under /etc/modsecurity/rules.d/. For example:

SecRule REQUEST_URI "@beginsWith /admin.php" "id:1234,phase:1,deny,status:403"

This blocks any request whose path begins with /admin.php, returning a 403 error. The explicit @beginsWith operator avoids the default regular-expression matching (where the dot would match any character), and phase:1 evaluates the rule as soon as the request headers arrive. Rules can check headers, payloads, encodings, sizes, regex patterns and more.

Additional useful configurations:

  • Set SecRequestBodyAccess Off if you do not want ModSecurity to buffer and inspect entire request bodies before your app sees them (keep it On when POST payloads must be inspected).
  • Tune SecRequestBodyInMemoryLimit, SecRequestBodyLimit, and SecRequestBodyNoFilesLimit to manage resources.
  • Set SecRuleEngine DetectionOnly to test rules without blocking traffic.
  • Use SecRuleUpdateTargetByTag to change what every rule sharing a tag inspects in one place (for example, excluding a known-safe parameter), rather than editing rules one by one, which also trims unnecessary inspection.
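The directives above, put together as a minimal ModSecurity v2 configuration for Apache; this is an added example, not taken from the page or from the ModSecurity project. It assumes the Debian layout mentioned above, uses the page's rule id 1234, and 192.0.2.0/24 is a placeholder range standing in for your own trusted network.

```apache
# Engine mode: DetectionOnly logs what would have been blocked without blocking.
# Switch to On once the audit log shows no false positives.
SecRuleEngine DetectionOnly

# Inspect request bodies (required to see POST payloads) but bound the resources used.
SecRequestBodyAccess On
# Maximum total body size, uploads included (12.5 MB).
SecRequestBodyLimit 13107200
# Maximum size for non-file form data (128 KB).
SecRequestBodyNoFilesLimit 131072
# Buffer up to 128 KB in memory, then spool the rest to disk.
SecRequestBodyInMemoryLimit 131072
# Oversized bodies are rejected instead of being passed through uninspected.
SecRequestBodyLimitAction Reject

# Audit only transactions that were blocked or returned an error status
# (any 5xx, and any 4xx except 404), so the log stays reviewable.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

# Hardened form of the page's admin rule: block /admin.php unless the client is
# inside the trusted range. Both rules of the chain must match for deny to apply;
# disruptive actions always go on the first rule of a chain.
SecRule REQUEST_URI "@beginsWith /admin.php" \
    "id:1234,phase:1,deny,status:403,log,msg:'Admin path from outside trusted range',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.0.2.0/24"
```

Because the engine is in DetectionOnly, the chained rule only writes a log entry until SecRuleEngine is changed to On.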

Managing Rules in ModSecurity

The OWASP Core Rule Set provides great baseline protection that you can expand on:

  • Enable, disable, or tune specific CRS rules as needed for your environment using tags like @crs-sql-injection
  • Set severity and thresholds on rules to fine tune detections and blocking
  • Author custom rules tailored to your particular web apps – know what parameters, inputs, URLs, etc. are expected
  • Regularly update CRS as new vulnerabilities arise and patches are released
  • Test rules in DetectionOnly mode first to avoid overblocking legitimate traffic
  • Review logs to identify patterns, tweak rules, and whitelist legitimate outliers

Careful rule management is important to balance effective security with a smooth user experience.

Conclusion

Adding a robust web application firewall like ModSecurity is an important security layer for websites and apps. With its extensive rulesets, real-time analysis, and flexible customizations, ModSecurity offers powerful protections beyond traditional firewalls.

Consider leveraging ModSecurity via a managed WAF VPS provider or your own self-hosted deployment. Properly configured, it can detect and halt the latest web application exploits and vulnerabilities.
