What is Mod_Security?
ModSecurity is one of the oldest and most popular Web Application Firewalls around. Like any WAF, it helps system administrators keep their systems secure by preventing known and unknown web attacks such as:
- SQL Injection
- Iframe attacks
- Webshell/Backdoor Detection
- Botnet Attack Detection
- HTTP Denial of Service (DoS) Attacks
Mod_Security is free, open source software, and today we will learn how to install this fantastic security tool on a cPanel server.
When people develop a dynamic web page, 99% of the time they forget to write secure code to protect their web applications from hacks and general attacks. By doing simple things like validating input, you can prevent a lot of security issues with your servers and apps. In these cases, cPanel Mod_security can help to prevent web attacks against your applications.
One simple example would be this DROP TABLE query made from a vulnerable URL:
http://www.nixcp.com.com/admin.php?username=admin1'">DROP%20TABLE%20users--
This is a common SQL injection that tries to run a classic ‘DROP TABLE’ against the ‘users’ table in the database behind the ‘nixcp.com’ website.
If your site is running Mod_Security, you will certainly be safe from this kind of attack, as such requests will be blocked from running.
In this case, when mod_security is enabled, a 406 error will appear in the browser and in the server error_log file.
Websites running Mod_Security always show a 406 error for blocked requests; it’s the typical mod_security error. If you are a legitimate user, you will have to contact your server hosting provider to disable mod_security for your account, or to disable the mod_security rule that is preventing your site from working normally.
Be aware that disabling mod_security for the entire domain or server is a big security risk. My advice is always to disable specific rules per domain, and not globally.
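To decide which specific rule to disable for a domain, the ModSecurity entries in the server error_log can be grouped by hostname and rule id. The script below is an added example, not part of the original article: it assumes the error_log layout of ModSecurity 2.x on Apache 2.4, and the log lines, rule ids, hostnames and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the error_log layout used by ModSecurity 2.x on
# Apache 2.4. Rule ids, hostnames and addresses are made up for illustration.
SAMPLE_LOG = r'''
[Mon Jan 06 10:01:02.1 2020] [:error] [pid 42] [client 203.0.113.7:50112] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "drop table" at ARGS:username. [file "/path/to/rules.conf"] [line "10"] [id "1000001"] [msg "SQL injection attempt"] [hostname "shop.example.com"] [uri "/admin.php"] [unique_id "A1"]
[Mon Jan 06 10:05:00.2 2020] [:error] [pid 43] [client 198.51.100.10:40100] [client 198.51.100.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/path/to/rules.conf"] [line "20"] [id "1000002"] [msg "Iframe in request body"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "A2"]
[Mon Jan 06 10:07:30.3 2020] [:error] [pid 44] [client 198.51.100.11:40200] [client 198.51.100.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/path/to/rules.conf"] [line "20"] [id "1000002"] [msg "Iframe in request body"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "A3"]
[Mon Jan 06 10:09:10.4 2020] [:error] [pid 43] [client 198.51.100.10:40300] [client 198.51.100.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/path/to/rules.conf"] [line "20"] [id "1000002"] [msg "Iframe in request body"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "A4"]
[Mon Jan 06 10:10:00.5 2020] [core:error] [pid 45] [client 192.0.2.1:50000] AH00126: Invalid URI in request
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "..."], [uri "..."], ...
CLIENT = re.compile(r'\[client ([^\]\s]+)\]')

def client_ip(line):
    """Return the last [client ...] address on the line, without a port."""
    found = CLIENT.findall(line)
    if not found:
        return None
    addr = found[-1]
    # IPv4 with a port has exactly one colon; IPv6 addresses are left untouched.
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr

def summarize_hits(log_text):
    """Group ModSecurity denials by (hostname, rule id)."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "uris": set(), "msg": ""})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line or "Access denied" not in line:
            continue  # not a ModSecurity block entry
        fields = dict(FIELD.findall(line))
        if "id" not in fields or "hostname" not in fields:
            continue  # truncated or incomplete entry
        entry = hits[(fields["hostname"], fields["id"])]
        entry["count"] += 1
        entry["clients"].add(client_ip(line))
        entry["uris"].add(fields.get("uri", "?"))
        entry["msg"] = fields.get("msg", "")
    return hits

def review_candidates(hits, min_clients=2):
    """Heuristic: rules hit by several distinct clients on one host get reviewed first."""
    rows = [(host, rid, h["count"], len(h["clients"]))
            for (host, rid), h in hits.items() if len(h["clients"]) >= min_clients]
    return sorted(rows, key=lambda r: -r[2])

if __name__ == "__main__":
    for host, rid, count, clients in review_candidates(summarize_hits(SAMPLE_LOG)):
        print(f"{host}: rule {rid} blocked {count} requests from {clients} clients")
```

The output is a starting point for manual review, not a verdict; once a rule is confirmed as a false positive, its id is the value a per-domain exclusion such as ModSecurity's `SecRuleRemoveById` directive names.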
How can I install ModSecurity on cPanel servers?
cPanel Mod Security installation comes from EasyApache, which makes the whole process super fast and easy for most new cPanel WHM users.
EasyApache installs the WHM cPanel mod_security configuration files, which can later be tweaked from the WHM interface to increase cPanel security.
ModSecurity can be installed from WHM > Software > EasyApache. Then select ModSecurity from the list; it is listed on the Short Options list, almost at the beginning of the EasyApache process.
Expected more? No, it’s fast and easy if you use EasyApache.
Configuring cPanel Mod Security
This installation comes with a basic ruleset defined by cPanel; you can install any new rules by configuring ModSecurity. ModSecurity can be configured from the WHM panel:
Security Center » ModSecurity Configuration
If you need to debug your ModSecurity hits, you can find useful logs at:
Security Center » ModSecurity Tools » Hits List
How can I disable ModSecurity for one particular website?
Log in to WHM, list the accounts, search for the account you want to disable ModSecurity for, and click on the green cPanel icon. This will land you on the cPanel page for that website. Now, click on ModSecurity » Disable.
Installing COMODO WAF Rules
COMODO WAF is a free mod_security ruleset that is available for public usage. It’s a great way to harden your mod_security rules to prevent attacks. It covers brute force attacks against the most common applications like WordPress, Joomla, Drupal, etc., plus great rules to prevent SQL injections, information disclosure and much more.
Learn how to install these fantastic mod_security rules from this tutorial: Install COMODO WAF on cPanel
Conclusion
ModSecurity is one of the most important cPanel WHM security tools that any sysadmin or developer must have installed on their servers running Apache + PHP services. It helps a lot to harden all kinds of vulnerable PHP scripts and it’s especially useful for outdated, vulnerable CMS installations (WordPress, Joomla, Drupal, Prestashop, etc.).
Installing mod_security on cPanel is pretty easy and can be done within a few minutes thanks to cPanel’s fantastic server administration tools.
Read more about Mod_Security and its rules:
Yes, Comodo WAF is quite good, it is catching many various XSS attacks and bad bots. One has to watch the Hits list for some days/weeks to disable false-positive-generating rules and such.