ModSecurity is a web application firewall (WAF) that can protect sites and applications against many common attacks, including cross-site scripting and code injection. ModSecurity is a handy tool to have in your arsenal if your server runs a dynamic content management system like WordPress or an eCommerce application like Magento. But doesn’t your server already have a firewall? Yes, one is built into the kernel, but WAFs like ModSecurity play a complementary role.
All firewalls inspect network traffic and decide which connections to allow and which to block. Firewalls make these decisions by referring to rules provided by the server administrator. A rule might tell the firewall to block all network traffic to a particular port, for instance. Linux servers are equipped with the iptables firewall, a utility program that allows server administrators to control the kernel’s built-in packet-filtering framework, netfilter. On CentOS, iptables is usually controlled via FirewallD, a more user-friendly way to manage firewall rules.
However, iptables operates at the lower layers of the network stack. It can block traffic to a specific port or from particular sources, but it doesn’t inspect the content of a request to see whether it is an attempt to exploit a security vulnerability. It could easily block all traffic to the web server, but that’s not what we want. We only want to drop the malicious requests that target our CMS or eCommerce store, and that’s not within iptables’ capabilities.
ModSecurity is designed to fill that gap. It examines incoming network requests to see if they match patterns associated with common attacks against web applications. ModSecurity is a real-time filter for malicious activity. Originally, ModSecurity was a module for the Apache web server, but today it is a standalone library that can interface with all popular web servers, including NGINX and Microsoft’s IIS server.
Just like iptables, ModSecurity uses a set of rules to determine which requests to accept and which to drop. The rules have to be provided by the server administrator, but free rulesets are available. The most popular free ruleset is curated by OWASP. The OWASP ModSecurity Core Rule Set (CRS) is regularly updated and is capable of blocking a wide range of generic attacks, including those on the OWASP top-ten list of critical security vulnerabilities, such as SQL injection, cross-site scripting, PHP code injection, bot attacks, and more.
Every hosting client who runs websites and web applications should consider using ModSecurity, but there are potential drawbacks to be aware of. ModSecurity blocks generic attacks against web applications. It isn’t an alternative to updating a CMS, because it can’t account for the specific vulnerabilities of every content management system. With ModSecurity there is also the possibility of false positives: legitimate web traffic being blocked by accident. The CRS attempts to limit false positives, but it cannot eliminate the risk entirely. ModSecurity users are expected to keep an eye on what’s blocked and add exceptions to the rules as required.
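Keeping an eye on what is blocked means reading the ModSecurity entries in Apache's error_log and turning recurring false positives into narrow exclusions. The following is an added example written for this article, not code from ModSecurity, the CRS or the Future Hosting team: it parses constructed sample log lines in the shape ModSecurity 2.x writes on a CentOS Apache server, counts hits per rule, URI and request parameter, and renders a runtime exclusion in ModSecurity's own `ctl:ruleRemoveTargetById` syntax; it assumes CRS 3.x rule ids (942100 for libinjection SQLi, 949110 for the anomaly-score blocking rule), and the hosts, clients, URIs and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample of ModSecurity 2.x entries in Apache's error_log on CentOS (CRS 3.x rule
# ids and messages are real; hosts, clients, URIs and timestamps are made up for this example).
SAMPLE_LOG = """\
[Mon Mar 02 10:01:02.123456 2020] [:error] [pid 2201] [client 203.0.113.7:51034] [client 203.0.113.7] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:content: select * from posts where id=1"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/wp-admin/post.php"] [unique_id "Xl1aAAAAAAAAAAAAAAAAAA"]
[Mon Mar 02 10:01:02.123999 2020] [:error] [pid 2201] [client 203.0.113.7:51034] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/wp-admin/post.php"] [unique_id "Xl1aAAAAAAAAAAAAAAAAAA"]
[Mon Mar 02 11:30:45.000123 2020] [:error] [pid 2205] [client 198.51.100.20:40112] [client 198.51.100.20] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'sos' [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: sos found within ARGS:content: how to select rows by date"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/wp-admin/post.php"] [unique_id "Xl1bAAAAAAAAAAAAAAAAAA"]
[Mon Mar 02 11:30:45.000456 2020] [:error] [pid 2205] [client 198.51.100.20:40112] [client 198.51.100.20] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/wp-admin/post.php"] [unique_id "Xl1bAAAAAAAAAAAAAAAAAA"]
"""

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # the [key "value"] pairs
CLIENT_RE = re.compile(r"\[client ([\d.]+)(?::\d+)?\]")       # IPv4 client, optional port
# the inspected variable appears either as "at VAR." (pattern rules) or "found within VAR:" (libinjection)
VAR_RE = re.compile(r" at ([A-Za-z_]+(?::\S+?)?)\. \[file |found within ([A-Za-z_]+:\S+?):")

def parse_entry(line):
    """Rule id, URI, client, inspected variable and verdict of one error_log line (None if not ModSecurity)."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    client, var = CLIENT_RE.search(line), VAR_RE.search(line)
    return {
        "id": fields.get("id", ""),
        "uri": fields.get("uri", ""),
        "client": client.group(1) if client else "",
        "variable": (var.group(1) or var.group(2)) if var else "",
        "denied": "Access denied" in line,
    }

def summarize(lines):
    """Count hits per (rule id, uri, variable): repeated hits on one admin URI from different
    users are the usual false-positive signature. 949110 is only the anomaly-score verdict, so it is skipped."""
    hits = Counter()
    for line in lines:
        e = parse_entry(line)
        if e and e["id"] and e["id"] != "949110":
            hits[(e["id"], e["uri"], e["variable"])] += 1
    return hits

def suggest_exclusion(rule_id, uri, variable, exclusion_id=10001):
    """Render a runtime exclusion: under `uri`, stop `rule_id` inspecting `variable` only, leaving the
    rule active for every other parameter and path. Goes before the CRS include; ids 1-99999 are local."""
    return (
        f'SecRule REQUEST_URI "@beginsWith {uri}" \\\n'
        f'    "id:{exclusion_id},phase:1,pass,nolog,ctl:ruleRemoveTargetById={rule_id};{variable}"'
    )
```

Run `summarize(open("/var/log/httpd/error_log").readlines()).most_common(10)` to see which rule, URI and parameter combinations recur, then hand one of them to `suggest_exclusion` rather than disabling the rule globally.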
To learn more about using ModSecurity on your Future Hosting CentOS server, take a look at the excellent free ModSecurity Handbook.