cPanel

ModSecurity® 3

Photo of admin adminJuly 23, 2021
0 519 3 minutes read

Valid for versions 92 through the latest version

Version:

92

Overview

ModSecurity 3 is a web application firewall. You can use ModSecurity on systems that run Apache and NGINX®. ModSecurity 3 is now a library, and you must install a connector for your web server in order for it to function.

Compatibility

ModSecurity 3 is compatible with systems that run both Apache and NGINX.

ModSecurity 3 is only compatible with CentOS 7 on systems that run NGINX.

Warning:

ModSecurity 3 is experimental. You must install the Experimental Repository to use it.

Install ModSecurity 3

You can install ModSecurity 3 in two ways.

In the interface

Use the EasyApache 4 interface (WHM > Home > Software >> EasyApache 4) to install the following packages:

  1. Install one of the following connectors:

    • ea-modsec30-connector-nginx — Install this package if your system runs NGINX.
    • ea-modsec30-connector-apache24 — Install this package if your system runs Apache.

  2. Install the ea-modsec30-rules-owasp-crs package — This installs the OWASP rule set for ModSecurity 3.

On the command line

Run the following commands to install ModSecurity 3 on the command line:

  1. Install one of the following connectors:

    • If your system runs NGINX, install the NGINX connector with the following command: 
      	yum install ea-modsec30-connector-nginx
    • If your system runs Apache, install the Apache connector with the following command: 
      	yum install ea-modsec30-connector-apache24

  2. Run the following command to install the OWASP rule set: 

    yum install ea-modsec30-rules-owasp-crs

Configuration files

Depending on which ModSecurity connector you use, the system uses different configuration file locations.

NGINX

If you install the NGINX connector, ModSecurity uses the following configuration files:

Path Description
/etc/nginx/conf.d/modsec30.conf This file contains your ModSecurity default configuration and Include directives for the following modsec30.cpanel.conf and modsec30.user.conf files.
/etc/nginx/conf.d/modsec/modsec30.cpanel.conf This file contains the custom configurations and rules you defined in the cPanel & WHM user interface.
/etc/nginx/conf.d/modsec/modsec30.user.conf This file contains any ModSecurity settings that you cannot set via cPanel & WHM. You must edit this file manually if you wish to use it.

Important:
Use caution when you edit the modsec30.user.conf file, as unexpected results may occur.
/etc/nginx/conf.d/modsec_vendor_configs/ This directory contains your ModSecurity vendor configurations.
/var/log/nginx/modsec30_audit/ This directory contains the ModSecurity log files.
Note:

ModSecurity uses concurrent logging with NGINX.

Apache

If you install the Apache connector, ModSecurity uses the following configuration files:

Path Description
/etc/apache24/conf.d/modsec30.conf This file contains your ModSecurity default configuration and Include directives for the following modsec2.cpanel.conf and modsec2.user.conf files.
/etc/apache2/conf.d/modsec2.cpanel.conf This file contains the custom configurations and rules you defined in the cPanel & WHM user interface.
/etc/apache2/conf.d/modsec/modsec2.user.conf This file contains any ModSecurity settings that you cannot set via cPanel & WHM. You must edit this file manually if you wish to use it.

Important:
Use caution when you edit the modsec2.user.conf file, as unexpected results may occur.
/etc/apache2/logs/modsec_audit/ This directory contains the ModSecurity log files.
Note:
  • The Apache configuration file paths use modsec2 in their naming convention due to limitations on the system.
  • ModSecurity logs events concurrently in Apache when mod_ruid2 or mod_mpm_itk are installed. If they are not installed, it uses serial logging.

ModSecurity Rules

We provide the OWASP® ModSecurity core rule set for ModSecurity 3 rules via RPM. You must install the ea-modsec30-rules-owasp-crs RPM to use it.

Third party rule sets

You can only install a third-party rule set if that rule set supports ModSecurity 3.

If you attempt to install an unsupported rule set in WHM’s ModSecurity® Vendors interface (WHM >> Home >> Security Center >> ModSecurity® Vendors) with ModSecurity 3 installed, the system will disable the rule set and return an error in the interface.

Rules format

ModSecurity 3 formats its rules differently than ModSecurity 2.

Differences between ModSecurity 2 and ModSecurity 3

There are several behavior differences between ModSecurity 2 and ModSecurity 3.

Important:

This list is not comprehensive.

Directives

ModSecurity 3 does not support the SecDataDir directive.

ModSecurity 3 with NGINX does not support the following directives:

  • SecConnEngine
  • SecDisableBackendCompression
  • SecDataDir
  • SecGsbLookupDb
  • SecGuardianLog

Response codes

ModSecurity 3 with NGINX may return a 406 response code in situations where ModSecurity 2.9 would return a 403 response code.

Photo of admin adminJuly 23, 2021
0 519 3 minutes read
Photo of admin

admin

Related Articles

How to Set Up Calendars and Contacts

July 23, 2021

CVE 2019 7524 Buffer overflow when reading extension header from Dovecot index files

July 23, 2021

Backup Tarball Contents

July 23, 2021

Perform a DNS Cleanup

July 23, 2021

Leave a Reply

Your email address will not be published. Required fields are marked *