Mod_Security is a web application firewall, which is a free software released under the Apache license 2.0. It helps in protecting websites from various attacks. The main advantage of the application lies in its user-friendliness, as the user can customise his path through the available features. This blog discusses different usage scenarios of the application like errors due to Mod_Security and disabling Mod_security rules.

Mod_Security can be run either in embedded-mode or in reverse-proxy mode.

Embedded

In embedded mode, Mod_Security is an Apache module and you can add it to any compatible version of Apache. For those who have their architecture well laid out and don’t look for a change, then embedded Mod_Security is a good choice. It is the only possible option, if you need to protect a group of web servers. A major challenge here is server resources are shared between the web server and Mod_Security.

Mod_Security configuration will be included in /etc/httpd/conf/httpd.conf Apache file as follows:

Include “/usr/local/apache/conf/modsec2.conf”

Reverse proxy

Reverse proxies are in fact HTTP routers, designed to stand between web servers and their clients. This method provides complete isolation from the systems under protection. The main disadvantage of this approach is it opens a new point of failure, which needs to be addressed with a high-availability setup of two or more reverse proxies.

Mod_Security has certain usage scenarios or security models that are frequently employed by the users. Some of them are discussed below:

Negative Security Model – This model looks for all bad and malicious requests. However, this is not a favourable method for recognising new attack vectors but is effective at blocking a large number of automated attacks.

Positive Security Model – Here only valid requests are accepted and all others are rejected. This approach works best with applications that are more frequently used.

Virtual Patching – The applications can be patched from the outside without touching the application source code. This makes the system secure until a proper patch pops up.

Extrusion Detection Model – Mod_Security can also check outbound data and helps in blocking important information disclosure like social security numbers and credit card numbers.

Mod_Security errors are common in Joomla and WordPress sites and are easily recognisable. Even though Mod_Security is used to prevent possible attacks, at times legitimate requests may also get blocked. Hence it is important to know how to disable the same. We can disable Mod_Security rules that are getting triggered for a specific domain by following three steps:

Step1:

Run the following command to create the directory where we’ll be placing our ModSecurity configuration file:

mkdir -p /usr/local/apache/conf/userdata/std/2/userna5/example.com/

Step2:

In order to disable just the specific ModSecurity rule, run the following command in the ModSecurity configuration file:

echo “SecRuleRemoveById ID” >>

/usr/local/apache/conf/userdata/std/2/userna5/example.com/modsec.conf

Along with this uncomment the following line in the apache configuration file:

“Include usr/local/apache/conf/userdata/std/2/userna5/example.com/*.conf”

Step3:

Finally restart the Apache service with the following command to make the new ModSecurity configuration file active:

service httpd restart

Mod_Security provides the freedom to choose what to do, which is a vital part of its identity. As a valuable security tool, it has proven to be highly effective. Also, if you wish to protect your web applications, this tool is essential.