Protect your Websites from online attacks using ModSecurity on CyberPanel

What is ModSecurity?

ModSecurity is an open-source web application firewall (or WAF). There are different sorts of firewalls available in today’s market but ModSecurity is signature based firewall. LiteSpeed Web Server has its own high-performance ModSecurity engine, offering excellent compatibility and performance. LiteSpeed/OpenLiteSpeed works well with popular ModSecurity rules sets such as OWASP, Atomicorp, Comodo, and CloudLinux Imunify360.

Even though its a signature based firewall but in most of the cases it can prevent your site from getting compromised. Because usually hackers have automatic bots scanning for vulnerable sites with multiple attack payloads and these payloads are blocked by ModSecurity signature based rules.

Apart from that CloudLinux Imunify360 rules are constantly updated with new signatures to cover newly introduced threats. (CyberPanel also support Imunify360 ModSecurity rules, but for that you need to install Imunify360)


Setup ModSecurity using CyberPanel

First of all login to the CyberPanel, on the main dashboard click on Security, and then click on ModSecurity Conf.

Then you will land on ModSecurity configuration page and if you already have ModSecurity installed, you will be allowed to configure ModSecurity other wise you will be opted to install first.

Once you click Install Now, CyberPanel will take few seconds to install ModSecurity for you and then redirect you to configurations page, which will look something like the image below. You can read and learn more about this page in our ModSecurity Configurations guide.


ModSecurity Rules Packages

As mentioned above, ModSecurity is signature based firewall, so you need to provide ModSecurity with set of rules against which it can scan your web requests and protect your web application and if you don’t provide rules to ModSecurity it will not be able to protect your sites.

And CyberPanel provides you with two rules set out of the box, you can enable them with one-click.

  1. OWASP ModSecurity Core Rules
  2. COMODO ModSecurity 3.0 Rules

In this tutorial, we will enable COMODO ModSecurity rules set, you can similarly enable OWASP ModSecurity Rules too.

Before moving forward visit your site with an attack payload such as

http://example.com/**?a=b AND 1=1**

And you should be able to see your site just fine.

However, once we enable Comodo Rules Package, you should see a 403 error.

Enable COMODO ModSecurity Rules Package

Go to the sidebar of CyberPanel=>Security=>ModSecurity Rules Packages

On the next screen, you can see OWASP ModSecurity and COMODO ModSecurity click on the second one to enable COMODO ModSecurity rules package.

Click the switch and it will turn on COMODO Rules, to verify if COMODO rules are installed successfully, open:

http://example.com/?a=b AND 1=1

You should get 403 Forbidden error

You can also see your ModSecurity Audit logs from CyberPanel=>logs=>ModSecurity Audit logs

HTTP/1.1 403
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache

---PHfMHO9k---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[\[\]\x22',()\.]{10}$|(?:union\s+all\s+select\s+(?:(?:null|\d+),?)+|order\s+by\s+\d{1,4}|(?:and|or)\s+\d{4}=\d{4}|waitfor\s+delay\s+'\d+:\d+:\d+'|(?:select|and|or)\s+(?:(?:pg_)?sleep\(\d+\)|\d+\s*=\s* (397 characters omitted)' against variable `ARGS:a' (Value: `b AND 1=1' ) [file "/usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf"] [line "116"] [id "218500"] [rev "7"] [msg "COMODO WAF: SQLmap attack detected||modsec.cyber-sol.net|F|2"] [data "Matched Data: Upgrade-Insecure-Requests found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "modsec.cyber-sol.net"] [uri "/"] [unique_id "161998521255.519140"] [ref "v4,1o2,7v8,9t:urlDecodeUni,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `[\[\]\x22',()\.]{10}$|(?:union\s+all\s+select\s+(?:(?:null|\d+),?)+|order\s+by\s+\d{1,4}|(?:and|or)\s+\d{4}=\d{4}|waitfor\s+delay\s+'\d+:\d+:\d+'|(?:select|and|or)\s+(?:(?:pg_)?sleep\(\d+\)|\d+\s*=\s* (397 characters omitted)' against variable `ARGS:a' (Value: `b AND 1=1' ) [file "/usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf"] [line "116"] [id "218500"] [rev "7"] [msg "COMODO WAF: SQLmap attack detected||modsec.cyber-sol.net|F|2"] [data "Matched Data: Upgrade-Insecure-Requests found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "SQLi"] [hostname "modsec.cyber-sol.net"] [uri "/"] [unique_id "161998521255.519140"] [ref "v4,1o2,7v8,9t:urlDecodeUni,t:lowercase"]

---PHfMHO9k---Z--

You can also see your ModSecurity Audit logs from ssh terminal through this command:

tail -f usr/local/lsws/logs/auditmodsec.log

If you want to see the detail log you can change the SecAuditLogParts from the CyberPanel=>ModSecurity Conf. ModSecurity logs are divided into various logical parts, each part is described below:

  • A. Audit Logs Headers
  • B. Best Headers
  • C. Request Body
  • D. Reserved and not used yet.
  • E. Intermediary response body.
  • F. Final response headers
  • G. Reserved, and not used yet.
  • H. Audit log trailer.
  • I. Special Replacement for part C

After saving these changes you can refresh your website with SQL injection payload and run the previous command again on your terminal and you will be able to see more detailed logs on your screen.

Similarly ModSecurity will protect your site against other online attacks payloads using the signatures defined in Comodo Rules package, you can monitor the log files from time to time and see what is going on with your server.

Thank you for this article. However, I can’t seem to download the OWASP security rules from cyberpanel. It’s basically giving me a 404 error from github. Has the link changed? Is there another way to proceed?

@shoaibkk can you help to reproduce this? If this is actually a bug. I will try to fix this tomorrow morning from office.

I’d gone to Security → Firewall and turned that on first. Then I went to Security → ModSecurity Rules Packs and tried to turn the status on for OWASP. I’m wondering that the Firewall blocked my importing of the OWASP rules? After I went back and paused the firewall, I tried it again and it worked.

Let me check and revert to you.

Can you upgrade and try now.

Thank you for your time. I’m a longtime user of Cpanel but I’m very new to cyberpanel. So, bear with me. How do I check what version I currently have? Can’t seem to google up an answer for that.

Like I said above, I’d disabled the firewall, tried it again, and it worked. That was prior to the upgrade you just made. Best I could do was to switch OWASP status off and on again (with the firewall enabled). It worked again. So, unfortunately I can’t seem to reproduce the error.

I could (and will upgrade), but I’m not sure I can revert to the state I was in previous to the OWASP rules status activation. Unfortunately, I don’t think it reproduces the exact situation enough to warrant a proper test.

Yes, I can not reproduce the error on my end either. Although I do made some adjustments in code.

You can see CyberPanel version on the Version Management window. And you can always run the upgrade script for force upgrade and to get the latest code from stable or any other branch.