Using the OWASP ModSecurity Rule Set
Posted by Allura on 10 01 2019.
The OWASP (Open Web Application Security Project) ModSecurity™ CRS (Core Rule Set) is a set of rules that Apache’s ModSecurity™ module uses to help protect one’s server. These rules do not make one’s server immune to attacks, but they greatly increase the amount of protection for one’s web applications.
Reasons to use this rule set:
- Protection from insecure web application design: It creates a layer of protection for web applications such as WordPress, phpBB, or other types of web applications, and it protects against vulnerabilities in unpatched, out-of-date applications. If an application developer makes a security mistake, ModSecurity blocks an attack before it can reach the vulnerable application.
- Protection against operating system level attacks: It provides protection against attacks that exploit the operating system of one’s server. For example, security experts created ModSecurity rules to prevent the use of a Bash shell exploit through Apache. Server administrators could add these rules to their systems for additional security until a security patch for the Bash shell was released.
- Protection against generalized malicious traffic: Some of the security threats faced by server administrators may not directly attack a program or application on one’s server. For example, DoS (Denial of Service) attacks are common. The impact of such malicious traffic can be minimised through the use of ModSecurity rules.
What are the Risks?
The rule set can block legitimate traffic (false positives). Both OWASP and cPanel, Inc. aim to curate the rule set to minimise the potential for false positives, but it may still block legitimate traffic.
One may review the ModSecurity Tools interface (WHM >> Home >> Security Center >> ModSecurity™ Tools) to evaluate the traffic blocked by the rule set and check whether it affects legitimate users.
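The same review can be done on the raw Apache error log. The following is an added example, not part of the original article or of cPanel's tooling: it parses ModSecurity 2.x error-log lines, groups hits by rule ID, and lists rules tripped by several clients on a single URI as the first ones to check for false positives. The sample log lines, the function names and that heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format ModSecurity 2.x writes to the Apache
# error log. Addresses, hostnames and file paths are invented for this example.
SAMPLE_LOG = """\
[Thu Jan 10 09:14:02 2019] [:error] [pid 2211] [client 198.51.100.7:50112] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "c1"]
[Thu Jan 10 09:20:45 2019] [:error] [pid 2212] [client 198.51.100.23:41870] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "c2"]
[Thu Jan 10 09:31:09 2019] [:error] [pid 2211] [client 198.51.100.41:39004] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "c3"]
[Thu Jan 10 09:33:17 2019] [:error] [pid 2213] [client 203.0.113.50:60122] ModSecurity: Warning. detected SQLi using libinjection. [file "/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "shop.example.com"] [uri "/search"] [unique_id "c4"]
[Thu Jan 10 09:33:19 2019] [:error] [pid 2213] [client 203.0.113.50:60124] ModSecurity: Warning. detected SQLi using libinjection. [file "/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "shop.example.com"] [uri "/index.php"] [unique_id "c5"]
[Thu Jan 10 09:40:11 2019] [core:error] [pid 2214] [client 198.51.100.7:50140] AH00126: Invalid URI in request GET foo
"""

TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # [id "941100"], [uri "/x"], ...
CLIENT = re.compile(r"\[client ([^\]]+?)(?::\d+)?\]")     # address without the port
ACTION = re.compile(r"ModSecurity: (Access denied|Warning)")

def parse_hit(line):
    """Return one ModSecurity hit as a dict, or None for unrelated log lines."""
    action, client = ACTION.search(line), CLIENT.search(line)
    tags = dict(TAG.findall(line))
    if not action or not client or "id" not in tags:
        return None
    return {"id": tags["id"], "msg": tags.get("msg", ""), "uri": tags.get("uri", ""),
            "client": client.group(1), "blocked": action.group(1) == "Access denied"}

def summarise(lines):
    """Group hits by rule id: total hits, blocked hits, distinct clients and URIs."""
    rules = defaultdict(lambda: {"hits": 0, "blocked": 0, "clients": set(), "uris": set()})
    for hit in filter(None, map(parse_hit, lines)):
        rule = rules[hit["id"]]
        rule["hits"] += 1
        rule["blocked"] += hit["blocked"]
        rule["clients"].add(hit["client"])
        rule["uris"].add(hit["uri"])
        rule["msg"] = hit["msg"]
    return dict(rules)

def review_candidates(summary, min_clients=3):
    """Heuristic assumed by this example: several clients, one URI -> review first."""
    return sorted(rid for rid, r in summary.items()
                  if len(r["clients"]) >= min_clients and len(r["uris"]) == 1)

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for rid, r in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        print(rid, r["msg"], r["hits"], r["blocked"], len(r["clients"]), sorted(r["uris"]))
    print("review first:", review_candidates(summary))
```

A rule that appears in the candidate list is not proven to be a false positive; it is the one whose hits are worth reading in full before deciding whether to report it to the vendor.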
How to use the Rule Set
- One must select the ModSecurity (mod_security) Apache module in the EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).
- One may use the ModSecurity Vendors interface (WHM >> Home >> Security Center >> ModSecurity™ Vendors) to install the OWASP rule set. The rules become active when one enables the configuration files.
- One may use the ModSecurity Tools interface (WHM >> Home >> Security Center >> ModSecurity™ Tools) to review the logged notifications and blocked traffic from these rules.
How to Report a Possible Issue with this Rule
- Navigate to WHM’s ModSecurity Tools interface (WHM >> Home >> Security Center >> ModSecurity™ Tools).
- Locate the hit that the rule generated in the Hits List and click on More.
- Click on Report this hit.
Note that this option will not appear if the vendor does not accept reports.
- Enter the email address, the reason for the report, and any additional comments for the vendor.
- Click on Review Report.
- Lastly, verify the information in one’s report and click Submit.
The OWASP ModSecurity CRS makes use of configuration files containing the rules that help protect the server. These files group similar rules together, making them easier to manage.
This article has reviewed the essentials of the OWASP ModSecurity Rule Set.