ModSecurity (ModSec) is an Apache module that helps protect your website from external attacks.
As a web application firewall (WAF), ModSecurity detects and blocks unwanted intrusions into your site. As an industry-standard open source WAF, ModSecurity serves as a strong and flexible resource for not only system administrators, but for all end-users, including merchants.
At Nexcess, we deploy ModSecurity on every server and consider it one of the core components of your site’s security.
Why you need it
For ecommerce purposes, ModSecurity is an essential piece of PCI DSS compliance, helping satisfy Requirement 6.6 by helping shield your site against external threats. Therefore, we strongly advise against disabling or uninstalling the module. Removing the module not only makes your site vulnerable to attacks that would otherwise be blocked, but also compromises your site’s ability to satisfy critical PCI DSS requirements.
Though no security system can responsibly claim perfection, these are some of the most common attacks ModSecurity can help prevent:
SQL injection, a type of attack that attempts to access sensitive information in a database by entering SQL command strings in search boxes, login forms, and sometimes directly into URLs. Successful attacks divulge usernames, passwords, credit card numbers, and can also make other databases in that system vulnerable to such attacks.
Cross-site scripting (XSS), a form of script injection that forces your website to act as a staging point for attacks on your site’s visitors. If successful, users may unknowingly interact with malicious processes and expose their computers or devices to attack.
Inclusion vulnerabilities, a type of attack that tricks applications with insecure code into executing the attacker’s malicious code.
Brute force attacks, a script designed to rapidly guess username and password combinations until the attacker gains access. Some scripts only guess the top 10 or top 100 passwords, while more prolonged attacks use multiple dictionaries and make millions of guesses per second over minutes, hours, or even days.
Function
ModSecurity employs a variety of methods to protect websites. Here are some of the most common. For more information, visit the ModSecurity website.
Real-time application security monitoring and access control: This focuses on external threat mitigation and includes whitelisting and blacklisting, as well as real-time threat assessment and blocking.
Full HTTP traffic logging: ModSec keeps detailed logs of all incoming and outgoing traffic, making it an exceptional tool for all investigations.
Continuous passive security assessment: Instead of monitoring external threats, this feature monitors internal systems for abnormalities and weaknesses in a proactive effort to identify them before they can be exploited.
Web application hardening: This feature allows administrators to restrict the types of HTTP requests accepted by their website, such as request methods, request headers, and content types, among others.
How we use ModSecurity
To function as outlined above, ModSecurity relies on the use of one or more rule sets. We use two: the OWASP ModSecurity Core Rule Set (CRS), and one of our own design that is tailored to each client’s choice of applications. The CRS is an industry-standard mature rule set that is frequently updated for new emerging vulnerabilities while still minimizing the risk of false positives. Our supplemental rule set gives us the flexibility to block newly discovered and zero-day vulnerabilities quickly, acting as a vital stop-gap until they can be properly patched.
False positives
On occasion, ModSecurity will report a false positive or block legitimate traffic. If you suspect this is the case, you can resolve this issue by expanding your whitelist. We can assist with resolving false positives by whitelisting the affected elements without compromising the overall effectiveness of ModSecurity. For assistance with false positives, please contact our support team as directed below.
For 24-hour assistance any day of the year, contact our support team by email or through your Client Portal.
