ModSecurity is an open source, cross-platform web application firewall (WAF) that can be deployed to secure web servers like apache, IIS and Nginx. Modsecurity works on powerful language of rules and its API allows monitoring of HTTP(S) that is coming in and out of your web server, to keep your web applications up and running all the time.
This article is written to show how ModSecurity protects web applications running on Apache Web Server. Below diagram illustrates 5 processing phases of Modsecurity, implemented over standard apache web server request cycle.
In these 5 phases, ModSecurity looks upon HTTP(S) data and analyze it. These five phases are designed to provides a comprehensive shield of security.
ModSecurity Five phases are
- Request headers (REQUEST_HEADERS)
- Request body (REQUEST_BODY)
- Response headers (RESPONSE_HEADERS)
- Response body (RESPONSE_BODY)
- Logging (LOGGING)
Let’s have a detailed look about these stages.
Phase 1 : Request Headers
This is the initial phase before Apache starts processing user request. Rules in this phase reads and analyze the HTTP Request Headers. The primary focus of rules in this phase are to see for malicious patterns in Request Header before Apache starts processing the request arguments.
Rules in this phase helps in determining things like whether or not to buffer the Request Body, or how to process the Request Body (e.g. parse it as XML )
Phase 2 : Request Body
After processing the Request Header, next in line is Request Body. At this stage Apache has received the complete request. Rules in this phase are mostly related to application.
ModSecurity supports following three encoding techniques for this phase, these are almost used in every web server these days.
- application/x-www-form-urlencoded – for transferring form data
- multipart/form-data – for file transfers
- text/xml – for XML data
Phase 3 : Response Headers
This is the phase where Request has been processed and Server starts sending back the Requested data. Just like Request Headers rules, this stage rules see what in Response Header is going back before sending the Response Body back to the user. Rules here help in making decision like whether or not to buffer the Response body.
Phase 4: Response Body
Once Response Request give green signal to buffer the Response body, rules can be deployed to analyze what type of contents are going against each request. Here you can analyze Responses like Failed Authentication or Error messages.
Stage 5 : Logging
This is the last of five phase cycle which ModSecurity follows to secure your Apache. Rules in this phase are placed just before the actual logging takes place. In this phase logs messages generated by apache web server are analyzed. One important thing about this phase is that you cannot block any connection here as its after Request/Response phase. Here you can also inspect Headers that are not available during Phase 3 and 4.
After seeing the ModSecurity 5 Phases, it can be deduced easily that if you have deployed ModSecurity for Web Applications Security with Malware Expert – ModSecurity rules you have made a right decision.