Valid for versions 92 through the latest version
Overview
ModSecurity 3 is a web application firewall. You can use ModSecurity on systems that run Apache and NGINX®. ModSecurity 3 is now a library, and you must install a connector for your web server in order for it to function.
Compatibility
ModSecurity 3 is compatible with systems that run both Apache and NGINX.
ModSecurity 3 is only compatible with CentOS 7 on systems that run NGINX.
ModSecurity 3 is experimental. You must install the Experimental Repository to use it.
Install ModSecurity 3
You can install ModSecurity 3 in two ways.
In the interface
Use the EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4) to install the following packages:
- Install one of the following connectors:
  - ea-modsec30-connector-nginx: Install this package if your system runs NGINX.
  - ea-modsec30-connector-apache24: Install this package if your system runs Apache.
- Install the ea-modsec30-rules-owasp-crs package. This installs the OWASP rule set for ModSecurity 3.
On the command line
Run the following commands to install ModSecurity 3 on the command line:
- Install one of the following connectors:
  - If your system runs NGINX, install the NGINX connector with the following command:
    yum install ea-modsec30-connector-nginx
  - If your system runs Apache, install the Apache connector with the following command:
    yum install ea-modsec30-connector-apache24
- Run the following command to install the OWASP rule set:
    yum install ea-modsec30-rules-owasp-crs
Configuration files
Depending on which ModSecurity connector you use, the system uses different configuration file locations.
NGINX
If you install the NGINX connector, ModSecurity uses the following configuration files:
Path | Description |
---|---|
/etc/nginx/conf.d/modsec30.conf | This file contains your ModSecurity default configuration and Include directives for the following modsec30.cpanel.conf and modsec30.user.conf files. |
/etc/nginx/conf.d/modsec/modsec30.cpanel.conf | This file contains the custom configurations and rules you defined in the cPanel & WHM user interface. |
/etc/nginx/conf.d/modsec/modsec30.user.conf | This file contains any ModSecurity settings that you cannot set via cPanel & WHM. You must edit this file manually if you wish to use it. Important: Use caution when you edit the modsec30.user.conf file, as unexpected results may occur. |
/etc/nginx/conf.d/modsec_vendor_configs/ | This directory contains your ModSecurity vendor configurations. |
/var/log/nginx/modsec30_audit/ | This directory contains the ModSecurity log files. |
ModSecurity uses concurrent logging with NGINX.
Apache
If you install the Apache connector, ModSecurity uses the following configuration files:
Path | Description |
---|---|
/etc/apache24/conf.d/modsec30.conf | This file contains your ModSecurity default configuration and Include directives for the following modsec2.cpanel.conf and modsec2.user.conf files. |
/etc/apache2/conf.d/modsec2.cpanel.conf | This file contains the custom configurations and rules you defined in the cPanel & WHM user interface. |
/etc/apache2/conf.d/modsec/modsec2.user.conf | This file contains any ModSecurity settings that you cannot set via cPanel & WHM. You must edit this file manually if you wish to use it. Important: Use caution when you edit the modsec2.user.conf file, as unexpected results may occur. |
/etc/apache2/logs/modsec_audit/ | This directory contains the ModSecurity log files. |
- The Apache configuration file paths use modsec2 in their naming convention due to limitations on the system.
- ModSecurity logs events concurrently in Apache when mod_ruid2 or mod_mpm_itk are installed. If they are not installed, it uses serial logging.
ModSecurity Rules
We provide the OWASP® ModSecurity core rule set for ModSecurity 3 rules via RPM. You must install the ea-modsec30-rules-owasp-crs RPM to use it.
Third party rule sets
You can only install a third-party rule set if that rule set supports ModSecurity 3.
If you attempt to install an unsupported rule set in WHM’s ModSecurity® Vendors interface (WHM >> Home >> Security Center >> ModSecurity® Vendors) with ModSecurity 3 installed, the system will disable the rule set and return an error in the interface.
Rules format
ModSecurity 3 formats its rules differently than ModSecurity 2.
Differences between ModSecurity 2 and ModSecurity 3
There are several behavior differences between ModSecurity 2 and ModSecurity 3.
This list is not comprehensive.
Directives
ModSecurity 3 does not support the SecDataDir directive.
ModSecurity 3 with NGINX does not support the following directives:
- SecConnEngine
- SecDisableBackendCompression
- SecDataDir
- SecGsbLookupDb
- SecGuardianLog
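Before you reuse a ModSecurity 2 user configuration with ModSecurity 3, you can scan it for the directives listed above. The following script is an added example, not cPanel or ModSecurity code: the function names find_unsupported and write_sample_conf and the sample configuration are constructed for illustration, and the case-insensitive directive matching is a conservative assumption.

```shell
#!/usr/bin/env bash
# Added example: report directives this page lists as unsupported by ModSecurity 3.

# Unsupported by ModSecurity 3 regardless of connector (from the page).
UNSUPPORTED_ALL="SecDataDir"
# Unsupported by ModSecurity 3 with NGINX (from the page).
UNSUPPORTED_NGINX="SecConnEngine SecDisableBackendCompression SecDataDir SecGsbLookupDb SecGuardianLog"

# find_unsupported <apache|nginx> <file>...   (hypothetical helper name)
# Prints file:line:directive per hit; returns 1 if any hit, 0 if clean.
find_unsupported() {
    local connector=$1 names=$UNSUPPORTED_ALL
    shift
    if [ "$connector" = nginx ]; then names=$UNSUPPORTED_NGINX; fi
    awk -v names="$names" '
        BEGIN { n = split(names, list, " ")
                for (i = 1; i <= n; i++) bad[tolower(list[i])] = list[i] }
        {
            line = $0
            sub(/\r$/, "", line)                  # tolerate CRLF files
            sub(/^[ \t]+/, "", line)              # directives may be indented
            if (line == "" || line ~ /^#/) next   # skip blanks and comments
            split(line, tok, /[ \t]+/)
            key = tolower(tok[1])                 # compare case-insensitively
            if (key in bad) { printf "%s:%d:%s\n", FILENAME, FNR, bad[key]; hits++ }
        }
        END { exit (hits > 0 ? 1 : 0) }
    ' "$@"
}

# Constructed sample standing in for a migrated modsec2.user.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# SecDataDir /var/cache/old    (commented out, must not be reported)
SecRuleEngine On
  secdatadir /var/cache/modsec
SecGuardianLog |/usr/local/bin/httpd-guardian
SecAuditLogType Concurrent
EOF
}

demo() {
    local f; f=$(mktemp) || return 1
    write_sample_conf "$f"
    echo "nginx connector:";  find_unsupported nginx  "$f" || true
    echo "apache connector:"; find_unsupported apache "$f" || true
    rm -f "$f"
}
demo
```

To check real files, pass the connector type and the configuration paths from the tables above, for example the modsec30.user.conf file for NGINX.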
Response codes
ModSecurity 3 with NGINX may return a 406 response code in situations where ModSecurity 2.9 would return a 403 response code.