What is Mod_Security?
Mod_Security, also referred to as ModSec, is essentially a tool that helps you secure your web applications. It is a free and open-source web application firewall that was first released in 2002. Mod_Security is an Apache module offered under the Apache License 2.0 and is the most widely deployed web application firewall.
Several web servers, including Apache, IIS, and Nginx, support Mod_Security. The platform provides a rule engine whose rules detect and block common web exploits. The rule configuration language is called ‘SecRules’, and you use it to write rules that monitor and filter HTTP communications.
You can deploy Mod_Security to offer protections against various classes of vulnerabilities. The majority of cyber attacks today occur at the web application level. Below is a comprehensive overview of Mod_Security, what it’s for, and how you can use the platform.
How Does Mod_Security Work?
You use a web application firewall to establish an extra, external layer of security. This layer increases your web protection level by detecting and stopping cyberattacks before they reach your web applications. Mod_Security implements this layer with the rule configuration language mentioned above (SecRules).
You can define rules to monitor in real time, log, and filter HTTP communications. The platform utilizes the rule set known as the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) to give you defense against generic classes of web vulnerabilities.
CRS is an open-source rule set written in the SecRules language; other rule sets are also available. The ModSec engine is deployed either embedded in the web server or as a proxy server in front of it to detect threats.
The engine inspects incoming and outgoing HTTP communications at that point and decides how to handle each one based on your rule configuration. Depending on the rules, it can drop the connection, redirect the request, pass it through, execute a user-defined script, or return a specific status code, among other actions.
Should I Use Mod_Security?
If you own or operate a website, using Mod_Security is a good practice if you want to protect against cyberattacks via web applications. This is especially important if you run an e-commerce site. Mod_Security can help you with PCI DSS compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of minimum requirements developed by the PCI Security Standards Council. These requirements help protect the credit card data that service providers and merchants handle. Mod_Security can help you satisfy some of these requirements by shielding your eCommerce website from external cyber threats.
Aside from that, there are several other reasons to use Mod_Security. The platform enables real-time monitoring of application and access control, and it gives you real-time access to the HTTP communication streams so you can inspect them. As such, you should use this platform if you want to conduct real-time security monitoring. If you wish, you can also block potentially harmful communication streams.
You should also use Mod_Security if you want to perform virtual patching. Virtual patching is a web security practice in which you mitigate vulnerabilities in applications from a separate layer.
With this approach, you can fix issues without touching the applications themselves. Virtual patching can be applied to applications using any communication protocol, but it is especially useful with HTTP.
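To make the rule handling described in the "How Does Mod_Security Work?" section and the virtual-patching idea above concrete, here is a small Python model of how SecRules are read and dispatched. It is an added example, not ModSecurity's own engine and not the OWASP CRS: the sample rules are written in real SecRules syntax, but their ids (900001 to 900004), the paths and the parameter names are constructed, and only the variables, operators and actions those rules use are implemented. Rule 900003 has the shape of a virtual patch: it constrains one parameter (a hypothetical numeric id) without changing the application behind it.

```python
"""Simplified model of how the ModSecurity engine dispatches SecRules.

Added teaching example, not ModSecurity's own engine. The sample rules are
written in real SecRules syntax, but the ids, paths and parameter names are
constructed, and only the variables, operators and actions they use exist here.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed rule set. 900003 has the shape of a virtual patch: it constrains
# one parameter of one application without touching the application's code.
SAMPLE_RULES = '''
# phase:1 runs on the request headers, phase:2 once the request body is read
SecRule REQUEST_URI "@contains ../" "id:900001,phase:1,deny,status:403,msg:'path traversal attempt'"
SecRule REQUEST_URI "@beginsWith /old-shop" "id:900002,phase:1,redirect:/shop,msg:'retired path'"
SecRule ARGS:id "!@rx ^[0-9]+$" "id:900003,phase:2,deny,status:400,msg:'virtual patch - id must be numeric'"
SecRule ARGS "@contains <script" "id:900004,phase:2,pass,log,msg:'script tag seen in an argument'"
'''

@dataclass
class Rule:
    variable: str      # e.g. REQUEST_URI, ARGS, ARGS:id
    negate: bool       # "!" in front of the operator
    operator: str      # @rx, @contains, @beginsWith
    argument: str
    actions: dict      # action name -> value ("" when the action takes none)

@dataclass
class Request:
    method: str
    uri: str
    args: dict         # decoded query/body parameters

@dataclass
class Decision:
    action: str                      # "pass", "deny" or "redirect"
    status: int
    rule_id: Optional[str] = None
    location: Optional[str] = None   # redirect target
    log: list = field(default_factory=list)

def parse_rule(line: str) -> Rule:
    """Parse one line of the form: SecRule VARIABLE OPERATOR-SPEC ACTIONS."""
    tokens = shlex.split(line)
    if len(tokens) != 4 or tokens[0] != "SecRule":
        raise ValueError(f"unsupported rule: {line!r}")
    _, variable, op_spec, action_spec = tokens
    negate = op_spec.startswith("!")
    op_spec = op_spec[1:] if negate else op_spec
    if op_spec.startswith("@"):
        operator, _, argument = op_spec.partition(" ")
    else:                            # ModSecurity treats a bare pattern as @rx
        operator, argument = "@rx", op_spec
    actions = {}
    for item in action_spec.split(","):
        name, _, value = item.strip().partition(":")
        actions[name] = value.strip("'")
    return Rule(variable, negate, operator, argument, actions)

def load_rules(text: str) -> list:
    """Parse every non-blank, non-comment line of a rule file."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

OPERATORS = {
    "@rx": lambda value, arg: re.search(arg, value) is not None,
    "@contains": lambda value, arg: arg in value,
    "@beginsWith": lambda value, arg: value.startswith(arg),
}

def select_targets(variable: str, req: Request) -> list:
    """Expand a variable such as ARGS or ARGS:id into the values to test."""
    name, _, key = variable.partition(":")
    if name == "REQUEST_URI":
        return [req.uri]
    if name == "REQUEST_METHOD":
        return [req.method]
    if name == "ARGS":
        if not key:
            return list(req.args.values())
        return [req.args[key]] if key in req.args else []   # absent key: nothing to test
    raise ValueError(f"unsupported variable: {variable}")

def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches if any target matches; "!" flips the result per target."""
    op = OPERATORS[rule.operator]
    return any(op(v, rule.argument) != rule.negate
               for v in select_targets(rule.variable, req))

def evaluate(rules: list, req: Request) -> Decision:
    """Run phase 1 before phase 2; the first disruptive action ends evaluation."""
    decision = Decision("pass", 200)
    for rule in sorted(rules, key=lambda r: int(r.actions.get("phase", "2"))):
        if not rule_matches(rule, req):
            continue
        rid = rule.actions.get("id")
        decision.log.append(f"rule {rid}: {rule.actions.get('msg', '')}")
        if "deny" in rule.actions:
            return Decision("deny", int(rule.actions.get("status", "403")), rid, None, decision.log)
        if "redirect" in rule.actions:
            return Decision("redirect", int(rule.actions.get("status", "302")),
                            rid, rule.actions["redirect"], decision.log)
        # "pass": the match is logged and later rules still run
    return decision

RULES = load_rules(SAMPLE_RULES)

def check_request(method: str, uri: str, **args) -> Decision:
    """Evaluate the sample rule set against one request."""
    return evaluate(RULES, Request(method, uri, args))

if __name__ == "__main__":
    for method, uri, args in [("GET", "/account", {"id": "42"}),
                              ("GET", "/account", {"id": "42abc"}),
                              ("GET", "/old-shop/cart", {}),
                              ("GET", "/files/../config", {}),
                              ("GET", "/search", {"q": "<script>"})]:
        print(method, uri, args, "->", check_request(method, uri, **args))
```

Running the five sample requests shows the two behaviours the text describes: the first disruptive action (deny or redirect) ends evaluation and fixes the response, whereas a rule with pass only records its match and lets later rules run. That pass-and-log form is how you would stage a new rule in detection-only mode and watch the logs before switching it to deny.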
Note that you should make sure you understand the platform well before using it. Mod_Security is quite complex and alters some aspects of how your website behaves, such as its ability to serve certain pages. It is advisable to read the official Mod_Security documentation before using the platform.
What are the Mod_Security Deployment Options?
Mod_Security supports two deployment options: embedded and reverse proxy. The embedded option is ideal if your architecture is already laid out and you are reluctant to change it.
Because Mod_Security is an Apache module, you can add it to any compatible version of Apache. Note that embedding is the only realistic option if you need to protect hundreds of web servers; in that scenario it doesn't make sense to build separate proxy-based security layers.
The embedded option scales as your underlying infrastructure scales, and it introduces no new points of failure. Its only drawback is that your web server shares its resources with Mod_Security.
Reverse proxy deployment, on the other hand, relies on HTTP routers placed between the clients and the web servers. Installing Mod_Security on a dedicated reverse proxy gives you a web application firewall, which you can then use to protect the web servers on that same network. Many people prefer having such an external security layer, because it is completely isolated from the systems it protects.
This is also beneficial for performance, since the standalone Mod_Security host has dedicated resources and can therefore afford more complex rules. The notable drawback of this deployment option is that the proxy introduces a new point of failure, which you will need to address.
How to check if Mod_Security is enabled
The simplest way to determine whether Mod_Security is enabled is through cPanel. cPanel is a web hosting control panel that lets site owners and administrators control certain aspects of server and web administration through a web browser.
Install cPanel and create an account. Log in to your account and navigate to the “Security” section, then click the “ModSecurity” icon.
Here you will see the options for enabling and disabling Mod_Security. If it’s enabled, you will see the message “ModSecurity is enabled for your domains.”
If you are more tech-savvy, you can instead check whether Mod_Security is enabled by inspecting the Apache configuration file directly. Where the main Apache configuration file lives depends on how Apache was installed.
If you installed Apache using a package manager (as on most systems), the configuration file will be in one of the following locations:
- /etc/apache2/httpd.conf
- /etc/httpd/httpd.conf
- /etc/apache2/apache2.conf
- /etc/httpd/conf/httpd.conf
This also applies if Apache came preinstalled on your system. If you installed Apache from source, it may be located under /opt or /usr/local, although the configuration files could have been moved to /etc. If you are unsure, inspect your build script.
To determine whether Mod_Security is enabled, open the main configuration file and look for the following line: “LoadModule security_module modules/mod_security.so”. If that line is present, Mod_Security is enabled.
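The check described above, as an added Python script that is not from the original article: it starts from the first of the configuration paths listed above that exists, follows Include directives the way httpd does (relative paths resolved against ServerRoot, wildcards expanded, a directory standing for the files directly inside it), and reports the LoadModule line it finds. Two caveats a practitioner would want: a LoadModule line commented out with # loads nothing, so it is not counted, and ModSecurity 2.x registers as security2_module from mod_security2.so rather than the 1.x names quoted above, so both spellings are matched. The demo() function builds a constructed sample configuration tree in a temporary directory so the script can be exercised without a real Apache installation; the file names under it (conf/httpd.conf, conf.modules.d/10-security.conf) are invented for the example.

```python
"""Check whether an Apache configuration actually loads ModSecurity.

Added example, not the page's own code. Starting from the main configuration
file it follows Include/IncludeOptional directives (relative paths resolved
against ServerRoot, wildcards, directories) and reports the first active
LoadModule line for the module. Commented-out lines do not count. Both the
ModSecurity 1.x names quoted in the text (security_module, mod_security.so)
and the 2.x names (security2_module, mod_security2.so) are recognised.
"""
import glob
import os
import re
import tempfile

# Locations listed in the text; the first one that exists is inspected.
CANDIDATE_CONFIGS = [
    "/etc/apache2/httpd.conf",
    "/etc/httpd/httpd.conf",
    "/etc/apache2/apache2.conf",
    "/etc/httpd/conf/httpd.conf",
]
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(security2?_module)\s+"?([^"\s]+)', re.I)
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)', re.I)
SERVERROOT_RE = re.compile(r'^\s*ServerRoot\s+"?([^"\s]+)', re.I)

def expand_include(pattern: str) -> list:
    """Wildcards expand to matching files; a directory means the files in it."""
    files = []
    for match in sorted(glob.glob(pattern)):
        if os.path.isdir(match):
            files.extend(sorted(p for p in (os.path.join(match, f) for f in os.listdir(match))
                                if os.path.isfile(p)))
        else:
            files.append(match)
    return files

def iter_config_lines(path: str, server_root=None, seen=None):
    """Yield (file, line) for the config file and everything it includes."""
    seen = set() if seen is None else seen
    path = os.path.abspath(path)
    if path in seen or not os.path.isfile(path):   # missing or already visited
        return
    seen.add(path)
    if server_root is None:
        server_root = os.path.dirname(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = SERVERROOT_RE.match(line)
            if m:
                server_root = m.group(1)       # later relative Includes use this
            yield path, line
            m = INCLUDE_RE.match(line)
            if m:
                target = m.group(1)
                if not os.path.isabs(target):
                    target = os.path.join(server_root, target)
                for included in expand_include(target):
                    yield from iter_config_lines(included, server_root, seen)

def find_modsecurity(config_path: str):
    """Return (module_name, so_path, file) of the active LoadModule, or None."""
    for file, line in iter_config_lines(config_path):
        m = LOADMODULE_RE.match(line)
        if m:
            return m.group(1), m.group(2), file
    return None

def check_system(candidates=CANDIDATE_CONFIGS):
    """Inspect the first candidate configuration present on this machine."""
    for path in candidates:
        if os.path.isfile(path):
            return {"config": path, "modsecurity": find_modsecurity(path)}
    return {"config": None, "modsecurity": None}

def build_sample_tree(root: str, enabled: bool) -> str:
    """Write a constructed httpd.conf tree under root; return the main file."""
    os.makedirs(os.path.join(root, "conf"))
    os.makedirs(os.path.join(root, "conf.modules.d"))
    main = os.path.join(root, "conf", "httpd.conf")
    with open(main, "w") as fh:
        fh.write(f'ServerRoot "{root}"\n'
                 "# LoadModule security2_module modules/mod_security2.so\n"   # commented out
                 "Include conf.modules.d/*.conf\n")
    with open(os.path.join(root, "conf.modules.d", "10-security.conf"), "w") as fh:
        fh.write("LoadModule unique_id_module modules/mod_unique_id.so\n"
                 f"{'' if enabled else '# '}LoadModule security2_module modules/mod_security2.so\n")
    return main

def demo():
    """Check one enabled and one disabled sample tree built in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        enabled = find_modsecurity(build_sample_tree(os.path.join(tmp, "on"), True))
        disabled = find_modsecurity(build_sample_tree(os.path.join(tmp, "off"), False))
    return enabled, disabled

if __name__ == "__main__":
    print(demo())           # constructed trees: one loaded, one not
    print(check_system())   # the real configuration on this host, if any
```

On a live host, run the script as is and read the check_system() output: a result of None under "modsecurity" with a config path present means the module is not loaded from that configuration or anything it includes, and a None config path means none of the four locations from the text exists, so Apache was probably installed from source or to a non-standard prefix.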
Should I Disable Mod_Security?
Although Mod_Security can change some aspects of your website, it is not advisable to disable the module. Disabling Mod_Security leaves your website vulnerable to cyber attacks that would have been blocked otherwise.
Moreover, disabling it compromises the ability of your website to meet certain PCI DSS requirements. This is very important if you operate an eCommerce site. You shouldn’t disable the module as it shields your site from cyber attacks such as:
- SQL injection – an attack that accesses sensitive data in your database by submitting SQL command strings through login forms, search boxes, and sometimes URLs.
- Inclusion attacks – attacks that trick web applications into executing malicious code.
- Cross-site scripting – XSS attacks are a form of script injection that turns your site into a staging point for attacks against your visitors.
- Brute force – scripts that rapidly guess usernames and passwords until access is gained.
Overall, Mod_Security is a great tool that uses several methods to protect your website from external cyber-attacks. It is a reliable, flexible, and vital resource for both end-users and system admins. You should consider this module as a core addition to your website’s security systems.