What is ModSecurity and why do we need it?

Web applications are often flawed and under constant attack, so we have to put dedicated security in front of our servers. ModSecurity is a valuable tool for enhancing security by detecting and preventing various types of attacks and the exploitation of known vulnerabilities.

What is ModSecurity?

ModSecurity is an open-source web application firewall (WAF) designed to provide an additional layer of security for web applications and websites. It is supported by the following web servers: Apache, Nginx, LiteSpeed, and IIS.

A server with ModSecurity installed can block around 80% of attacks at the web application level. It is a web application firewall that can be deployed either embedded in the web server or as a reverse proxy in front of it. Deployed this way, a web application firewall forms an external security layer that detects and blocks attacks before they reach the web-based software behind it. Technically, ModSecurity is a module for HTTP servers that checks every HTTP request sent to the web server.

Why do we need ModSecurity?

ModSecurity addresses a wide range of threats and vulnerabilities that web applications and websites commonly face. It protects against attacks on web applications and allows HTTP traffic to be monitored, logged, and analysed in real time. On the open-source Apache web server, ModSecurity runs as a loadable module. Using ModSecurity has many advantages: it makes a site resistant to various types of web attacks, including code injection, brute force, and more.

Here are some reasons why we need ModSecurity:

  1. Security monitoring and access control
  2. Virtual patching
  3. Full HTTP traffic logging
  4. Security assessment
  5. Web application hardening
  6. Passive security assessment
  7. Simple request filtering and regular-expression-based filtering
  8. URL Encoding Validation
  9. Auditing
  10. IP Reputation
  11. Null byte attack prevention
  12. Server identity masking
  13. Uploads memory limits
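As an added example (not code from the original page, from Malware Expert or from the ModSecurity project), the ModSecurity 2.x Apache configuration below implements several items from the list above: server identity masking (12), upload memory limits (13), URL encoding validation (8), null byte prevention (11) and IP reputation blocking (10). The rule ids in the 100xxx range, the file paths, the size limits and the block-list file are assumptions chosen for this example.

```apache
# Added example, not from the page: ModSecurity 2.x rules for Apache.
# Rule ids, paths and limits below are assumptions.

# 12. Server identity masking. Apache must send its full signature so that
#     ModSecurity can overwrite it with a generic value.
ServerTokens Full
SecServerSignature "Apache"

# 13. Upload memory limits. Total body limit ~12.5 MB (files included),
#     128 KB for bodies without file uploads, and at most 128 KB buffered in
#     RAM before the rest is spilled to SecTmpDir. Oversized bodies are
#     rejected rather than merely logged.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecTmpDir /var/cache/modsecurity/tmp

# 8. URL encoding validation: reject malformed percent-encoding in the
#    request line and in the request body.
SecRule REQUEST_URI|REQUEST_BODY "@validateUrlEncoding" \
    "id:100001,phase:2,deny,status:400,log,msg:'Invalid URL encoding'"

# 11. Null byte prevention: after URL decoding, every byte must be in the
#     range 1-255, which excludes 0x00.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS "@validateByteRange 1-255" \
    "id:100002,phase:2,t:none,t:urlDecodeUni,deny,status:400,log,msg:'Null byte in request'"

# 10. IP reputation: block addresses or CIDR ranges listed one per line in a
#     local file, for example a feed of known scanners. The path is assumed.
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/bad-ips.txt" \
    "id:100003,phase:1,deny,status:403,log,msg:'Source IP on block list'"
```

Phase 1 rules run as soon as the request headers are available, so the IP block list is consulted before the body is read; the encoding and byte-range checks need the body and therefore run in phase 2.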

How does it work?

ModSecurity contains a flexible rule engine that can perform both simple and complex operations. Its rules can stop attacks against common code flaws and so strengthen the security of the server. Web control panels such as cPanel and Plesk ship with ModSecurity built in, and it can be enabled with one click.

ModSecurity inspects every request arriving at the web server and the corresponding response the server sends back. If a request passes the rule checks, it is forwarded to the web site; if it fails, the request is blocked and ModSecurity can act on it as described in the sections that follow.

Real-time application security monitoring and access control

At its core, ModSecurity gives you access to the HTTP traffic stream, in real-time, along with the ability to inspect it. This is enough for real-time security monitoring. There’s an added dimension of what’s possible through ModSecurity’s persistent storage mechanism, which enables you to track system elements over time and perform event correlation. You are able to reliably block, if you so wish, because ModSecurity uses full request and response buffering.
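The persistent storage and event correlation described above can be seen in the following added example (not code from the original page or from the ModSecurity project). It uses the per-IP collection of ModSecurity 2.x on Apache to count POSTs to a login page and block a client once it exceeds a threshold within a time window. The login path `/login`, the rule ids, the threshold of 10 attempts in 300 seconds and the data directory are all assumptions.

```apache
# Added example, not from the page: per-IP event correlation with
# ModSecurity 2.x persistent collections. Path, ids and thresholds are
# assumptions.

# Start in detection-only mode: matches are logged but never blocked, which
# is the safe way to tune thresholds before switching to "On".
SecRuleEngine DetectionOnly

# Persistent collections are stored here; the directory must be writable by
# the web server user.
SecDataDir /var/cache/modsecurity/data

# Phase 1: open (or create) the IP collection keyed on the client address so
# that later rules can read and update per-client counters.
SecAction "id:100100,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Phase 5 (the logging phase, after the response has been sent): count every
# POST to the login page. The counter expires 300 s after its last update,
# so the window slides with the client's activity.
SecRule REQUEST_FILENAME "@streq /login" \
    "id:100101,phase:5,nolog,pass,chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "setvar:ip.login_posts=+1,expirevar:ip.login_posts=300"

# Phase 1 of every subsequent request from the same client: once the counter
# has passed the threshold, block before the request reaches the application.
SecRule IP:login_posts "@gt 10" \
    "id:100102,phase:1,deny,status:403,log,msg:'More than 10 login POSTs in 5 minutes from %{REMOTE_ADDR}'"
```

Because the check in rule 100102 runs in phase 1 and the counting in rule 100101 runs in phase 5, the eleventh login POST is counted but not blocked; blocking starts with the next request from that address. Audit-log entries for rule 100102 are the signal to watch while the engine is still in DetectionOnly mode.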

Full HTTP traffic logging

Web servers traditionally do very little when it comes to logging for security purposes. They log very little by default, and even with a lot of tweaking you are not able to get everything that you need. I have yet to encounter a web server that is able to log full transaction data. ModSecurity gives you that ability to log anything you need, including raw transaction data, which is essential for forensics. In addition, you get to choose which transactions are logged, which parts of a transaction are logged, and which parts are sanitized.
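The logging controls mentioned above (which transactions, which parts, which fields are sanitised) map onto a handful of directives. The following is an added example configuration for ModSecurity 2.x on Apache, not code from the original page or from the ModSecurity project; the log path, the size limits and the rule id are assumptions.

```apache
# Added example, not from the page: ModSecurity 2.x audit logging.
# Paths, limits and the rule id are assumptions.

# Let ModSecurity see request and response bodies; without this they can be
# neither inspected nor logged. Only buffer text-like responses, and cap
# the buffered size.
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html application/json
SecResponseBodyLimit 524288

# Which transactions are logged: only those that matched a rule or ended in
# a 5xx, or a 4xx other than 404. "On" would log every transaction.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Which parts of a transaction are logged. A and Z are mandatory.
#   B request headers      C request body
#   F response headers     E response body
#   H audit trailer        K every rule that matched
SecAuditLogParts ABCEFHKZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

# Which parts are sanitised: replace credentials with asterisks before the
# entry is written, so passwords, tokens and session cookies never reach
# the log. Phase 5 runs after the transaction, just before logging.
SecAction "id:100200,phase:5,nolog,pass,\
    sanitiseArg:password,\
    sanitiseRequestHeader:Authorization,\
    sanitiseRequestHeader:Cookie"
```

Part E (the response body) is only populated for the MIME types listed in `SecResponseBodyMimeType`, so binary downloads are never copied into the audit log even with full logging enabled.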

Continuous passive security assessment

Security assessment is largely seen as an active scheduled event, in which an independent team is sourced to try to perform a simulated attack. Continuous passive security assessment is a variation of real-time monitoring, where, instead of focusing on the behavior of the external parties, you focus on the behavior of the system itself. It’s an early warning system of sorts that can detect traces of many abnormalities and security weaknesses before they are exploited.

Web application hardening

One of my favorite uses for ModSecurity is attack surface reduction, in which you selectively narrow down the HTTP features you are willing to accept (e.g., request methods, request headers, content types, etc.). ModSecurity can assist you in enforcing many similar restrictions, either directly, or through collaboration with other Apache modules. They all fall under web application hardening. For example, it is possible to fix many session management issues, as well as cross-site request forgery vulnerabilities.
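The attack surface reduction described above, as an added example for ModSecurity 2.x on Apache (not code from the original page or from the ModSecurity project): the rules only accept the request methods, HTTP versions, content types and argument counts the application actually needs. The allowed sets, the limits and the rule ids are assumptions and must be adjusted to the application in question.

```apache
# Added example, not from the page: attack surface reduction with
# ModSecurity 2.x on Apache. Allowed sets, limits and rule ids are
# assumptions.

# Rules below omit their own disruptive action and inherit this one.
SecDefaultAction "phase:1,log,deny,status:403"

# Only the request methods the application uses.
SecRule REQUEST_METHOD "!@within GET POST HEAD" \
    "id:100300,phase:1,status:405,msg:'Request method not allowed'"

# Only the HTTP versions the server is meant to speak (HTTP/1.0, 1.1, 2).
SecRule REQUEST_PROTOCOL "!@rx ^HTTP/(?:1\.[01]|2(?:\.0)?)$" \
    "id:100301,phase:1,status:400,msg:'Unexpected HTTP protocol version'"

# A Host header is required; HTTP/1.1 mandates it and many scanners omit it.
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:100302,phase:1,status:400,msg:'Missing Host header'"

# POST requests must declare one of the content types the application
# parses. The chain only fires when both rules match.
SecRule REQUEST_METHOD "@streq POST" \
    "id:100303,phase:1,status:415,msg:'Unsupported Content-Type',chain"
    SecRule REQUEST_HEADERS:Content-Type \
        "!@rx ^(?:application/x-www-form-urlencoded|multipart/form-data|application/json)\b" \
        "t:none,t:lowercase"

# More arguments than any form of the application ever sends is a sign of
# fuzzing or parameter pollution. Needs phase 2 so that body arguments count.
SecRule &ARGS "@gt 50" \
    "id:100304,phase:2,status:400,msg:'Too many request arguments'"
```

Each rule narrows one HTTP feature, so a request that does not look like anything the application would legitimately receive is refused before any application code runs. Rolling such rules out in DetectionOnly mode first shows which legitimate clients would be affected.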

Keep your servers protected!

Malware Expert provides protection against this kind of malware and botnet attacks even before customers patch their CMSs and before their websites get hacked, while keeping the functionality of the website untouched. See our commercial ModSec rules.