What is ModSecurity and how does it work?

ModSecurity, often referred to as ModSec, is a free, open-source Web Application Firewall (WAF).

ModSec was initially designed as a module for Apache web servers and has since evolved to support other web servers such as Microsoft IIS and Nginx.

ModSec can protect web applications against attacks such as:

• SQL Injection
• Cross Site Scripting (XSS)
• File Inclusion
• Cross Site Request Forgery (CSRF)

… and many more by monitoring traffic in real-time and blocking malicious requests based on a set of rules.

As ModSec is open-source, it is extremely versatile and can be modified by website administrators to implement rules based on their security needs.

The WAF operates on predefined or user-defined rules to dictate how to handle incoming traffic and acts upon it accordingly.

By default, ModSec will cover websites against all common attacks using its Core Rule Set (CRS), which is maintained by the Open Web Application Security Project, better known as OWASP.

This includes all attacks listed in OWASP’s Top 10 and new rules can be implemented to cover new vulnerabilities and attack vectors.

How ModSec works

ModSec works by inspecting incoming HTTP requests prior to them reaching the web application and analysing the response from the application before it is sent back to the client.

If ModSec detects a pattern as defined by one of its many rules, it will handle the request and response as defined by the rule it has triggered.

Usually, if a ModSec rule is hit, the client will receive an HTTP Client Error Response, such as Error 403 (Forbidden).

The actions that ModSec can take are:

• Logging: Recording details about the request and/or response and what rule was triggered for further analysis.
• Blocking: Outright blocking the request from reaching the web application or the response reaching the client.
• Alerting: Typically used for serious exploits, this will alert the administrators if any of the defined rules are triggered.

How to write a SecRule

ModSec rules are written in the SecRule directive, all conforming to the same format, which consist of four parts:

• Variables:Tells ModSec where to look.
• Operator: Tells ModSec when to trigger a match.
• Transformations: Tells ModSec how to normalise the variable data before an operator is applied.
• Actions: Tells ModSec what to do if a rule matches.

An example SecRule will looks like the following:

SecRule ARGS:ip ";" "t:none,log,deny,msg:'semi colon test',id:2"

This rule will disallow the use of semi-colons when used in the ‘IP’ parameter.

Click here to find out more about how to write a SecRule.

ModSecurity at 20i

At 20i we consider cyber security to be of the upmost of importance and implement many measures to keep our systems and our customer’s content safe and secure.

Along with our free security services, such as anti-DDoS protection, brute force prevention, malware scanning and many more, we also use ModSecurity.

Our security experts handle the updating of existing rules and the implementation of new rules, taking the strenuous workload off our clients.

We frequently keep our eyes out for the latest updates and the OWASP Top 10 to ensure that we are ahead of the curve and can mitigate any new threats against our platform.