ModSecurity® 3

Valid for versions 92 through the latest version

Version:

92


Last modified: October 12, 2020

Overview

ModSecurity® 3 is a web application firewall. You can use ModSecurity on systems that run Apache and Nginx. ModSecurity 3 is now a library, and you must install a connector for your web server in order for it to function.

Compatibility

ModSecurity 3 is compatible with systems that run both Apache and Nginx.

ModSecurity 3 is only compatible with CentOS 7 on systems that run Nginx.

Warning:

ModSecurity 3 is experimental. You must install the Experimental Repository to use it.

Install ModSecurity 3

You can install ModSecurity 3 in two ways.

In the interface

Use the EasyApache 4 interface (WHM > Home > Software >> EasyApache 4) to install the following packages:

  1. Install one of the following connectors:

    • ea-modsec30-connector-nginx — Install this package if your system runs Nginx.
    • ea-modsec30-connector-apache24 — Install this package if your system runs Apache.
  2. Install the ea-modsec30-rules-owasp-crs package — This installs the OWASP rule set for ModSecurity 3.

On the command line

Run the following commands to install ModSecurity 3 on the command line:

  1. Install one of the following connectors:

    • If your system runs Nginx, install the Nginx connector with the following command:
      	yum install ea-modsec30-connector-nginx
    • If your system runs Apache, install the Apache connector with the following command:
      	yum install ea-modsec30-connector-apache24
  2. Run the following command to install the OWASP rule set:

    yum install ea-modsec30-rules-owasp-crs

Configuration files

Depending on which ModSecurity connector you use, the system uses different configuration file locations.

Nginx

If you install the Nginx connector, ModSecurity uses the following configuration files:

Path Description
/etc/nginx/conf.d/modsec30.conf This file contains your ModSecurity default configuration and Include directives for the following modsec30.cpanel.conf and modsec30.user.conf files.
/etc/nginx/conf.d/modsec/modsec30.cpanel.conf This file contains the custom configurations and rules you defined in the cPanel & WHM user interface.
/etc/nginx/conf.d/modsec/modsec30.user.conf This file contains any ModSecurity settings that you cannot set via cPanel & WHM. You must edit this file manually if you wish to use it.
Important:
Use caution when you edit the modsec30.user.conf file, as unexpected results may occur.
/etc/nginx/conf.d/modsec_vendor_configs/ This directory contains your ModSecurity vendor configurations.
/var/log/nginx/modsec30_audit/ This directory contains the ModSecurity log files.
Note:

ModSecurity uses concurrent logging with Nginx.

Apache

If you install the Apache connector, ModSecurity uses the following configuration files:

Path Description
/etc/apache24/conf.d/modsec30.conf This file contains your ModSecurity default configuration and Include directives for the following modsec2.cpanel.conf and modsec2.user.conf files.
/etc/apache2/conf.d/modsec/modsec2.cpanel.conf This file contains the custom configurations and rules you defined in the cPanel & WHM user interface.
/etc/apache2/conf.d/modsec/modsec2.user.conf This file contains any ModSecurity settings that you cannot set via cPanel & WHM. You must edit this file manually if you wish to use it.
Important:
Use caution when you edit the modsec2.user.conf file, as unexpected results may occur.
/etc/apache2/logs/modsec_audit/ This directory contains the ModSecurity log files.
Note:
  • The Apache configuration file paths use modsec2 in their naming convention due to limitations on the system.
  • ModSecurity logs events concurrently in Apache when mod_ruid2 or mod_mpm_itk are installed. If they are not installed, it uses serial logging.

ModSecurity Rules

We provide the OWASP core rule set for ModSecurity 3 rules via RPM. You must install the ea-modsec30-rules-owasp-crs RPM to use it.

Third party rule sets

You can only install a third-party rule set if that rule set supports ModSecurity 3.

If you attempt to install an unsupported rule set in WHM’s ModSecurity Vendors interface (WHM >> Home >> Security Center >> ModSecurity Vendors) with ModSecurity 3 installed, the system will disable the rule set and return an error in the interface.

Rules format

ModSecurity 3 formats its rules differently than ModSecurity 2.

Differences between ModSecurity 2 and ModSecurity 3

There are several behavior differences between ModSecurity 2 and ModSecurity 3.

Important:

This list is not comprehensive.

Directives

ModSecurity 3 does not support the SecDataDir directive.

ModSecurity 3 with Nginx does not support the following directives:

  • SecConnEngine
  • SecDisableBackendCompression
  • SecDataDir
  • SecGsbLookupDb
  • SecGuardianLog

Response codes

ModSecurity 3 with Nginx may return a 406 response code in situations where ModSecurity 2.9 would return a 403 response code.

Additional Documentation