More than 70% of all attacks are carried out over the web application level. Organizations need every help they can get in making their systems more secure. Web application firewalls are installed to establish an external security layer that improves the security level, detects and prevents attacks before they reach web-based software programs.In this guide we are going to tell you about ModSecurity in cPanel and everything you need to know about it.
This blog is a part of our cPanel server management services where we make sure your cPanel server works efficiently with any issues.
What is ModSecurity and Why we Need it
ModSecurity is an open-source web-based firewall application supported by different web servers providers. It provides HTTP request filtering and other capabilities to help in detecting and blocking attacks before attackers reach an application using regular expressions and a set of rules. It protects your website from various attacks by blocking malicious scripts, programs and injections.
Websites acquire vulnerabilities and attacks due to improper/poor coding of website or website applications and by using open source applications without proper upgrade or patching. The ModSecurity interface allows you to enable or disable ModSecurity for your domain.
Enabling and Disabling of ModSecurity
1. First of all, log into your cPanel account.
2. Now navigate to the SECURITY tab, and click on the icon of ModSecurity.
3. Navigate to the Domains tab, find the domain you want to disable or enable ModSecurity for, and hit the On/Off button to enable or disable ModSecurity for that specific domain.
4. Wait for a pop-up which shows that ModSecurity is enabled or disabled.
This is how to disable or enable ModSecurity feature.The ModSecurity module is enabled by default. However, there may be some situations where you need to disable ModSecurity for testing or troubleshooting purposes. For example, when ModSecurity is enabled an application may not function correctly. To verify this, you have to disable ModSecurity and see if the application works correctly. We strongly recommend you not to disable ModSecurity. Disabling ModSecurity may put your website at risk from vulnerabilities.
How to install ModSecurity in cPanel
We will install the ModSecurity version 3. It is faster than the previous versions.To install ModSecurity 3, you will need root access to your server. Please refer to the following steps to install ModSecurity 3 in cPanel. We assume you have root access to the server, and also Easyapache4 is installed on it.
1. Log in to your server with SSH and run the following command:
yum install ea4-experimental
2. Next, we need to install the connector that allows ModSecurity to work with a web server. We provide two connectors, one for Apache and one for NGINX. They can be installed in the shell or WHM.
3. First, you’ll need to uninstall ModSecurity 2. Run this code to uninstall it.
yum remove ea-apache24-mod_security2
In the shell, install the relevant connector with one of:
For apache
yum install ea-modsec30-connector-apache24
For NGINX
yum install ea-modsec30-connector-nginx
For WHM
1. Login to your WHM Panel.
2. Inside the software, click on the EasyApache 4, then click on the customize button.
3. Go to the additional packages and ensure the connector is installed. If you are working for apache, ensure that modsec30-connector-apache24 is installed. For NGINX, you require modsec30-connector-nginx.
4. Click on the Next, review, and provision button to complete the installation.
5. Now, we will install the OWASP Core Rule Set using the below command.
yum install ea-modsec30-rules-owasp-crs
Configuration of ModSecurity
At ModSecurity configuration, you can set up several global settings. It includes settings to control the behaviour of different ModSecurity components such as the audit engine, rules engine, and connection engine. If you would like to use an external geolocation database or logging tool, you can configure the relevant paths and binaries in this interface too.
ModSecurity Tools
‌ModSecurity Tools is the primary interface to monitor and configure the firewall’s rules. The Hits List displays requests that triggered a rule and let users deactivate rules if they want to enable similar connections in future.
ModSecurity Vendors
ModSecurity Vendors contains tools for adding and managing rule sets. If you followed the instructions in the previous section, you should see the cPanel-provided OWASP CRS rule set, that you can activate or deactivate here, as well as controlling automatic updating. You can also turn on and off groups of rules in the rule set, such as IP reputation, WordPress exclusion, and scanner detection rules.
Managing ModSecurity with ModSecurity SDBM Utility
ModSecurity stores details about IPs and requests in the /var/cpanel/secdatadir/ip.pag file. Over time, this file may consume more disk space because ModSecurity doesn’t purge stale data. If you would like the system to automatically clean this cache, install the ModSecurity SDBM utility with given command-
yum install ea-modsec-sdbm-util
cPanel’s maintenance scripts will trigger the utility automatically if installed, but with the following command you can also run it manually:
/scripts/shrink_modsec_ip_database -x
As a general rule, we suggest system admins to let the maintenance scripts handle cache clean-ups. If you decide to run the SDBM tool utility manually, ensure to restart Apache with:
/scripts/restartsrv_httpd
ModSecurity 3, cPanel, and NGINX
Unlike earlier versions, ModSecurity 3 is the only tool that works independently of the web server. It no longer depends on Apache and can be integrated with NGINX on cPanel via EasyApache4’s ea-modsec30-connector-nginx connector.
However, NGINX support on cPanel is experimental, and we suggest against using it as an Apache replacement for production sites.NGINX is not yet a standalone alternative to Apache on cPanel servers.
Conclusion
In this article we have covered all the aspects of ModSecurity in cPanel such as, enable and disable the ModSecurity in cPanel, configuration and installation of ModSecurity in cpanel, ModSecurity tools, ModSecurity Vendors. It’s straightforward to install and manage ModSecurity 3, a fast, powerful web application firewall that protects applications from a huge range of attacks and vulnerabilities.