
What is ModSecurity?

ModSecurity is a web application firewall module designed for use with Apache web servers. It increases server security by protecting the server from vulnerabilities present in web application code. It does this by detecting and blocking attacks before they reach the actual application. It is now estimated that over 70% of all attacks on web servers are carried out at the web application level, hence the need for a more secure web hosting environment.

AUSWEB deploys ModSecurity on all of our shared Linux hosting solutions to ensure we are able to provide the most secure shared hosting environment possible for our clients. Whilst it is not a guaranteed solution to protect against all web vulnerabilities, it reduces the attack surface of our hosting environments and therefore reduces the chances of a security breach.

From time to time, having ModSecurity installed means clients may experience IP blocks if code on a client website is deemed insecure. These blocks can also occur when applications attempt to communicate with the server in an insecure manner, which can be caused by trojans or viruses on your PC, or by other software programs or their plugins.

What attacks do the Core Rules protect against?

In order to provide generic web applications protection, the Core Rules use the following techniques:

  • HTTP protection – detecting violations of the HTTP protocol and a locally defined usage policy.
  • Common Web Attacks Protection – detecting common web application security attacks.
  • Automation detection – detecting bots, crawlers, scanners and other surface malicious activity.
  • Trojan Protection – detecting access to trojan horses.
  • Errors Hiding – disguising error messages sent by the server.

Troubleshooting ModSecurity Alerts

Though there are many things that can trigger ModSecurity when working on or accessing your site, the first things you should check are the following:

  • When a server block occurs, a log file is created which highlights which files were being accessed at the time the block occurred. This needs to be thoroughly checked to ascertain what the problem is. There are many forums that discuss ModSecurity and these are the best place to go to for help working out what the problem might be.
  • Are you using a good, dedicated FTP program such as FileZilla? Web browser based FTP clients have been known to cause issues with ModSecurity and are not programs we recommend using.
  • Have you performed a thorough virus scan to ensure your PC is not infected? You may also want to check all PCs on your network to make sure nothing is lurking in the background.
  • Do you have any plugins installed in your web browser that may be trying to scan the server or the web pages you are visiting? Browser plugins can be very useful but have often been the cause of ModSecurity issues. An example of this is the Firebug plugin for Firefox, which we have found to be the cause of a number of ModSecurity alerts.
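
The log check in the first point above can be scripted. The following is an added example, not AUSWEB's or ModSecurity's own code: it assumes the alerts are in the Apache error log in the layout ModSecurity 2.x writes, and the sample lines, IP addresses, rule ids and paths are constructed.

```python
import re
from collections import Counter

# Constructed sample in the Apache error_log layout that ModSecurity 2.x writes.
# IPs, rule ids, messages and paths are made up for illustration.
SAMPLE_LOG = r'''
[Mon Mar 04 10:15:02 2024] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "example" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "12"] [id "1000001"] [msg "Constructed rule A"] [hostname "www.example.com"] [uri "/search.php"]
[Mon Mar 04 10:15:09 2024] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "example" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "12"] [id "1000001"] [msg "Constructed rule A"] [hostname "www.example.com"] [uri "/search.php"]
[Mon Mar 04 10:16:30 2024] [error] [client 198.51.100.7:44321] ModSecurity: Warning. Match of "example" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsec/rules.conf"] [line "40"] [id "1000002"] [msg "Constructed rule B"] [hostname "www.example.com"] [uri "/contact.php"]
[Mon Mar 04 10:17:00 2024] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [id "..."], [msg "..."], [uri "..."]
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')

def client_ip(raw):
    # Apache 2.4 logs IPv4 clients as "ip:port"; other forms are left untouched.
    return raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw

def parse_alerts(log_text):
    """Return one dict per ModSecurity line; other error_log lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        client = CLIENT_RE.search(line)
        alerts.append({
            "client": client_ip(client.group(1)) if client else None,
            # "Access denied" marks a block; "Warning." is a detection-only match.
            "blocked": "ModSecurity: Access denied" in line,
            "id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri"),
        })
    return alerts

def summarize_blocks(alerts):
    """Count blocking alerts per (client, rule id, uri) to show what keeps tripping."""
    return Counter((a["client"], a["id"], a["uri"]) for a in alerts if a["blocked"])

if __name__ == "__main__":
    for (client, rule, uri), n in summarize_blocks(parse_alerts(SAMPLE_LOG)).most_common():
        print(f"{n}x client={client} rule={rule} uri={uri}")
```

The rule id, message and URI for a repeated block are the details to quote when asking for help with an alert.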

For more detailed information on ModSecurity and how it helps with server security, you can visit the ModSecurity website by following the link below.

http://www.modsecurity.org/index.html
