ModSecurity is a web application firewall that runs as a module on a web server and provides protection against various attacks on our web applications.
It allows us to monitor HTTP traffic and perform real-time analysis. It is a product developed by Breach Security and is available as free software under the GNU license.
ModSecurity was originally available only for Apache, but it is now also available for Microsoft IIS and Nginx.
The module has various functionalities:
Request filtering: incoming HTTP requests are analyzed by the mod_security module before they are passed to the web server. Each request is compared against a set of predefined rules, and the corresponding actions are taken. Regular expressions can be used in this filtering, which makes the process flexible.
Anti-evasion techniques: paths and parameters are normalized before analysis to defeat evasion techniques:
  Removing multiple slashes (//)
  Removing self-referencing directories (./)
  Treating \ and / the same way on Windows
  URL decoding
  Replacing null bytes with spaces
Understanding of the HTTP protocol: because it understands the HTTP protocol, ModSecurity can perform specific and granular filtering.
POST payload analysis: it intercepts and analyzes content transmitted through the POST method.
Audit log: it is possible to leave an audit trail for subsequent forensic analysis.
HTTPS filtering: since it is embedded as a module, it has access to the data after it has been decrypted.
Byte range check: allows you to detect and block shellcode by limiting the accepted byte range.
Real-time monitoring: in addition to logging all HTTP traffic, ModSecurity can monitor traffic in real time to detect attacks, which means that ModSecurity also acts as an intrusion detection tool.
Starting with version 2, ModSecurity added various functionalities, which we list here:
Five processing phases: request headers, request body, response headers, response body, and logging.
Transformation options per rule.
Transactional variables.
Data persistence (used to track IP addresses, application sessions, and application users).
Support for anomaly scoring and basic event correlation (counters can be automatically decremented over time, and variables can expire).
Support for web applications and session IDs.
Support for XML (parsing, validation, XPath).
IP blocking.
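As an added example, not code from the original article: a ModSecurity 2.x rule fragment for Apache that exercises the features listed above and in the version 2 list (processing phases, per-rule transformations for anti-evasion, byte range check, transactional variables with anomaly scoring, a persistent per-IP collection with an expiring counter, and the audit log). Rule ids, file paths, the score threshold, the one-hour expiry and the 10.0.0.0/8 internal range are assumptions.

```apache
# Added example: ModSecurity 2.x configuration fragment for Apache.
# Rule ids, paths, thresholds and the internal network range are assumed values.
SecRuleEngine On
SecRequestBodyAccess On
SecDataDir /var/cache/modsecurity

# Audit log (forensic trail) for transactions that ended in 5xx or in 4xx other than 404
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/apache2/modsec_audit.log

# Phase 1 (request headers): open the persistent per-IP collection and reset the
# transactional anomaly score for this request
SecAction "id:1001,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:tx.anomaly_score=0"

# Phase 1: a client whose persistent counter has reached 3 is refused outright
SecRule IP:BLOCK_COUNT "@ge 3" \
  "id:1002,phase:1,t:none,deny,status:403,log,msg:'Client blocked after repeated anomalies'"

# Phase 1: anti-evasion normalization before the match. /static/..//ADMIN/, /admin\,
# %2fadmin%2f and /admin/%00 all compare as /admin/ after these transformations.
# The chained rule restricts that path to the internal network (assumed range).
SecRule REQUEST_FILENAME "@beginsWith /admin/" \
  "id:1003,phase:1,t:none,t:urlDecodeUni,t:removeNulls,t:normalisePathWin,t:lowercase,\
  chain,deny,status:403,log,msg:'Admin area requested from outside the internal network'"
  SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8"

# Phase 2 (request body, so POST parameters are covered): path traversal. normalisePath
# is deliberately not applied here: it would resolve the '..' away before the match.
SecRule REQUEST_URI|ARGS "@contains ../" \
  "id:1004,phase:2,t:none,t:urlDecodeUni,t:removeNulls,\
  log,pass,msg:'Path traversal attempt',setvar:tx.anomaly_score=+5"

# Phase 2: byte range check; arguments containing bytes outside printable ASCII plus
# tab/CR/LF raise the score. Sites accepting non-ASCII input should add 128-255.
SecRule ARGS "@validateByteRange 9,10,13,32-126" \
  "id:1005,phase:2,t:none,\
  log,pass,msg:'Unexpected bytes in argument',setvar:tx.anomaly_score=+3"

# Phase 2, evaluated last: deny when the accumulated score reaches the threshold,
# count the event against the client IP, and let that counter expire after one hour
SecRule TX:ANOMALY_SCORE "@ge 5" \
  "id:1006,phase:2,t:none,deny,status:403,log,\
  msg:'Anomaly score %{tx.anomaly_score} reached threshold',\
  setvar:ip.block_count=+1,expirevar:ip.block_count=3600"
```

Deploy it first with SecRuleEngine DetectionOnly and review the audit log, because the traversal and byte range rules will flag legitimate traffic on some applications until the scores and ranges are tuned.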
ModSecurity can be deployed and integrated into our existing web server infrastructure. This type of deployment has the following advantages:
We don't have to modify our internal network.
We do not add a point of failure to the network.
Load balancing and scalability: since ModSecurity is integrated into the web servers, it automatically benefits from any load balancing and scalability those servers already have.
No problems with compressed or encrypted content: many intrusion prevention systems have difficulty analyzing encrypted traffic. This is not a problem for ModSecurity, since it analyzes the traffic after it has already been decrypted.
ModSecurity is an essential security tool that has proven to be very effective. If you are a systems administrator with critical web applications that must be accessed publicly, this is an Application Firewall that deserves your attention.
In any case, you always have the option of deactivating or activating ModSecurity from your cPanel, for example if you are in the middle of developing a website or script and want to prevent your IP from being constantly blocked by the established ModSecurity rules: https://clientes.atlanticadigital.net/knowledgebase/307/Activar-o-disable-ModSecurity-in-cPanel.html