How ModSecurity protects WordPress websites

Now a days majority of wordpress security breaches are not to stealing your valuable data to a limit or mess with your website. Instead they are aiming your server and attempts to use your server as an email relay for spam, or to set up a temporary web server to serve their vulnerable files. Keeping your websites secure is the most challenging one on all time. So let’s get started how ModSecurity protects wordpress sites.
ModSecurity is an open-source web application firewall (WAF) and acts as real-time application monitoring, logging, and access control. It is deployed to provide protections against generic classes of vulnerabilities using some Core Rule Set written in its SecRules language. Potentially block common code injection attacks in real-time, and has the ability to inspect it.

How it works?

ModSecurity acts as an IDS layer (intrusion detection) between the web serving content of the wordpress website and the outside world. It processes requests such as query strings, http post content and other incoming and outgoing HTTP communications to the endpoint .similar requests submission and checks against the predefined Secrules. The rules contain some set of regular expressions that if matched, will refuse to process the request. which pass, drop, redirect, and return a given status code.
For example, if the following query string is passed to WordPress index.php file
GET http://yoursite.com/index.php?../../etc/passwd
In this case, ModSecurity will treat this as a malicious attempt to read the password file on a linux/unix system and interrupt the request and generating an error message.

What does ModSecurity Do?

• Real time security monitoring and access control
• Virtual patching
• Full HTTP traffic logging
• Web application hardening
• Continuous passive security assessment
• Simple request or regular expression based filtering
• Auditing
• IP reputation based filtering
• DOS protection
• Null byte attack prevention
• Server identity masking
• Setting memory limits for web uploads

Identify ModSecurity installed on your hosting server?

If you have root access on the server, the mod_security log file can be usually found at

/etc/httpd/logs/modsec_audit.log or /etc/httpd/logs/error.log

Below mentioned log is the sample error log from mod security which clearly shows that SQL injection attempt on a WordPress website is blocked.

tail /etc/httpd/logs/error_log
[Sun Nov 18 07:57:23.857486 2018] [:error] [pid 1328] [client 77.161.107.217]
ModSecurity: Access denied with code 500 (phase 2).
Pattern match “(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+
from|bulk[[:space:]]+insert|union.+select|convert.+(.*from)” at ARGS:comment.
[file “/usr/local/apache/conf/modsec2.user.conf”] [line “379”] [id “300016”]
[rev “2”] [msg “Generic SQL injection protection”] [severity “CRITICAL”]
[hostname “www.example.com”] [uri “/wp-comments-post.php”]
[unique_id “VuVVo0UQ6TcBBAUwzDEAABBAb”]

If you get to see similar errors on the website, as below, it should be from ModSecurity.

406 – Not acceptable
403 – Forbidden: Access is denied error is shown. You do not have permission to view this directory or page using the credentials that you supplied.

How to configure Web Application firewall (ModSecurity) in Plesk and cPanel

Mod security is supported in both Linux & Windows for Plesk and cPanel. It works as a web server (Apache or IIS) module. To use web application firewall (mod security), administrators who upgrade from Plesk 11.5 must obtain a new Plesk onyx licence key either directly from Plesk or from their vendor.
For cPanel You will need to install the ModSecurity Apache module first.
If your system runs EasyApache 3, use WHM’s EasyApache 3 interface (WHM >> Home >> Software >> EasyApache 3) to install the ModSecurity Apache module
If your system runs EasyApache 4, use WHM’s EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4) or the below command to install the ModSecurity Apache module

yum install ea-apache24-mod_security2

Once the apache module is installed, you could find an Interface WHM >> Home >> Security Center >> ModSecurity Tools which allows you to add and manage rules.

How to Enable Modsecurity in Plesk?

Please follow below steps to enable Modsecurity;
1. Go to Tools & Settings > Web Application Firewall (ModSecurity) in the security group.
2. We can set the web application firewall mode to On or Detection only. Each incoming HTTP request and other related query will be checked against the rule set of modsecurity. If the check succeeds, the HTTP request will be passed to web site to retrieve the content. If the check fails, web site will displaying corresponding error message. In the On mode, the HTTP response will be provided with an error code.
3.We can select a rule set from the interface that will be checked by the web application firewall engine for each incoming HTTP request or we can upload any set of custom rule.
There are two rule set explained below.

• Atomic Basic Modsecurity –> A free starter version of the Atomic ModSecurity rules, bundled with Plesk. It contains important security features and bug fixes released on a monthly basis.
• OWAP Modsecurity core Rule set (CRS) –> The CRS provides generic protection from unknown vulnerabilities often found in web applications.

4. By selecting the update rule set option in plesk, the rule set will update automatically.
Enable “Update rule sets” and set this to weekly:

5. Under “Configuration”, you have three options for the rule sets. The options available are Fast,Tradeoff and Thorough:

6. Click OK to apply the settings. This will restart Apache and load the ModSecurity settings.
Log location Plesk (Linux)
Mod security audit log located in /var/log/httpd/modsec_audit.log is very detailed and it is used by the whole plesk server. To view the ModSecurity audit log.Go to Tools & Settings > Web Application Firewall (Modsecurity) > click the Logs Archieve link in the Modsecurity audit log section.
Log location Plesk (Windows)
On Windows, ModSecurity audit logs are domain-specific and located in %plesk_dir%\ModSecurity\vhosts\<domain’s GUID>\logs (where %plesk_dir% is the default installation directory for Plesk).
Log location (cPanel)
# grep -i mod /usr/local/apache/logs/error_log | grep
Add a rule

In order to add specific rule, perform the following step;

• Click Add Rule in the ModSecurity Tool, A new interface will display.
• Enter the rule in the Rule Text text box.
• Select the Enable Rule checkbox.
• Select the Deploy and Restart Apache checkbox.
• Click Save.

While adding custom rule set, please make sure it is compatible with your domain settings as well. Otherwise your legit user activity might be triggered with those rules.
Edit a rule

In order to edit a rule, perform the following steps in Home »Security Center »ModSecurity Tools »Edit Custom Rules:

• Click Edit for the rule that you wish to update.
• Make the desired changes in the Rule text box.
• Click Save.

How to whitelist IP address for ModSecurity in Plesk

As an example in order to whitelist 203.0.113.2 IP address with rule ID 55666 proceed with the following
Navigate to Tools & Settings in plesk > ModSecurity > Settings > Configuration
Add the following rule to Custom directives field:
SecRule 203.0.113.2 “^127\.0\.0\.1$”
phase:1,log,allow,ctl:ruleEngine=Off,id:55666
FYI: Have you installed ConfigServer Security&Firewall in the server? If so you will get an additional layer of protection by enabling “LF_MODSEC” in CSF. It is enabled by default and the config file is at “/etc/csf/csf.conf”.
So the prime advantage of Mod Security enabled server is, it can block common code injection attacks in real-time and filters incoming HTTP requests.

Thanks for dropping by. Ready for the next blog?
https://dev.sysally.com/blog/mail-server-ip-reputation-best-practices/

Read more, our featured blog?  WordPress Security: How to secure a website