What is ModSecurity and why do we need it?

As the internet has grown, the number of vulnerabilities exposed on it has grown with it, so servers need an additional layer of security. At the current state of affairs, a module such as ModSecurity is a very good option. To learn more about it, read on.

ModSecurity is an open source web application firewall (WAF) supported by the Apache, Nginx, LiteSpeed and IIS web servers. Servers with ModSecurity installed can stop around 80% of attacks at the web application level. It can be deployed either embedded in the web server or as a reverse proxy. A web application firewall forms an external security layer that protects, detects and prevents attacks before they reach the web application. ModSecurity is a module for HTTP servers that checks every HTTP request sent to the web server.

It protects web applications against attacks and allows HTTP traffic monitoring, logging and real-time analysis. ModSecurity integrates with the open source Apache web server as a module. There are many advantages to using mod_security: it resists various types of web attacks, including code injection, brute force and more.

ModSecurity contains a flexible rule engine that can perform both simple and complex operations. It can prevent common code injection attacks and so strengthen the security of the server. Web control panels such as cPanel and Plesk come with mod_security built in, and it can be enabled with a single click.

Function

ModSecurity scans every request that reaches the web server and the corresponding response the server sends back. If the checks pass, the HTTP request is forwarded to the web site; if they fail, the request is blocked. It provides the following:

Real-time application security monitoring and access control

At its core, ModSecurity gives you access to the HTTP traffic stream, in real-time, along with the ability to inspect it. This is enough for real-time security monitoring. There’s an added dimension of what’s possible through ModSecurity’s persistent storage mechanism, which enables you to track system elements over time and perform event correlation. You are able to reliably block, if you so wish, because ModSecurity uses full request and response buffering.

Full HTTP traffic logging

Web servers traditionally do very little when it comes to logging for security purposes. They log very little by default, and even with a lot of tweaking you are not able to get everything that you need. I have yet to encounter a web server that is able to log full transaction data. ModSecurity gives you that ability to log anything you need, including raw transaction data, which is essential for forensics. In addition, you get to choose which transactions are logged, which parts of a transaction are logged, and which parts are sanitized.

Continuous passive security assessment

Security assessment is largely seen as an active scheduled event, in which an independent team is sourced to try to perform a simulated attack. Continuous passive security assessment is a variation of real-time monitoring, where, instead of focusing on the behavior of the external parties, you focus on the behavior of the system itself. It’s an early warning system of sorts that can detect traces of many abnormalities and security weaknesses before they are exploited.

Web application hardening

One of my favorite uses for ModSecurity is attack surface reduction, in which you selectively narrow down the HTTP features you are willing to accept (e.g., request methods, request headers, content types, etc.). ModSecurity can assist you in enforcing many similar restrictions, either directly, or through collaboration with other Apache modules. They all fall under web application hardening. For example, it is possible to fix many session management issues, as well as cross-site request forgery vulnerabilities.

The features above, in short

  1. Security monitoring and access control
  2. Virtual patching
  3. Full HTTP traffic logging
  4. Security assessment
  5. Web application hardening
  6. Passive security assessment
  7. Simple request or Regular expression based Filtering
  8. URL Encoding Validation
  9. Auditing
  10. IP Reputation
  11. Null byte attack prevention
  12. Server identity masking
  13. Upload memory limits
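An added example configuration for ModSecurity v2 on Apache, not taken from the original article, that implements several of the items listed above: attack surface reduction (allowed methods and content types), null byte and URL encoding validation, full transaction audit logging, upload memory limits and server identity masking. The rule IDs, the audit log path, the size limits and the allowed method and content-type lists are assumptions chosen for illustration and should be tuned to the application.

```apache
# Core engine: run in DetectionOnly while tuning rules, then switch to On
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Upload and request body memory limits (values are illustrative)
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject

# Full transaction audit logging, kept to relevant (error) transactions
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
# Assumed log path; adjust to the server's log directory
SecAuditLog /var/log/apache2/modsec_audit.log

# Server identity masking (Apache needs "ServerTokens Full" for this to apply)
SecServerSignature "Apache"

# Attack surface reduction: only these request methods are accepted (assumed list)
SecRule REQUEST_METHOD "!@within GET HEAD POST" \
    "id:1001,phase:1,t:none,deny,status:405,log,msg:'Request method not allowed'"

# Attack surface reduction: only these Content-Type values on requests with a body (assumed list)
SecRule REQUEST_HEADERS:Content-Type "!@rx ^(?:application/x-www-form-urlencoded|multipart/form-data|application/json)" \
    "id:1002,phase:1,t:none,t:lowercase,deny,status:415,log,msg:'Unsupported Content-Type'"

# Null byte attack prevention: reject any 0x00 byte in the URI, headers or arguments
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
    "id:1003,phase:2,t:none,deny,status:400,log,msg:'Null byte in request'"

# URL encoding validation on the raw URI and the Referer header
SecRule REQUEST_URI|REQUEST_HEADERS:Referer "@validateUrlEncoding" \
    "id:1004,phase:1,t:none,deny,status:400,log,msg:'Invalid URL encoding'"
```

Blocked transactions are written to the audit log with the request and response parts selected in SecAuditLogParts, which is the raw transaction data the logging section above refers to.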

Final words

For commercial ModSecurity rules, you can contact our team. Malware Expert provides protection against this kind of malware and botnet attacks even before customers patch their CMSs and before their websites get hacked, while keeping the functionality of the website untouched. For more information, click here.