27 Jan

ModSecurity: Default on Every Plan

Back in November we discussed the need for web application firewalls and some of the options out there for securing your site with one. And, well, shortly thereafter someone reminded me:

Hey, wait, don’t we have ModSecurity implemented everywhere?

Oh yeah, ModSecurity, the old faithful of general-purpose WAF systems. To be honest, we’ve run it across all of our servers for at least a year now, silently, in the background, with nobody noticing. We’re currently utilizing the OWASP Core Rule Set on all of our servers, and while it does detect and prevent a wide range of ‘standard issue’ web-based attacks (Cross Site Scripting, Code Injection, SQL Injection, etc.), the fact is, we have to be deliberately conservative in what we detect and block at the server level. Something that may be ‘fishy’ to one website or code stack could be ‘business as usual’ on another site, so it’s not possible for us to make the rules “extremely secure”, because we don’t want to incorrectly block traffic that someone may actually need for their site to function.

Think of our ModSecurity implementation as a ‘first line of defense’: it’s keeping an eye out for the really unscrupulous traffic, the things that we can look at and say “no way that can be legit traffic!”. But the more granular, focused, specific needs of a given web platform? That’s where the need for a Web Application Firewall specific to your own site and needs comes in.

One thing we have rolled out in the last couple of weeks, just in case, is the ability for clients to disable ModSecurity on a given domain under their account. We don’t recommend it, and I believe we’ve only had one instance of a client really, really wanting to do it, but that option is there now. By default, we enable it everywhere, but if you go into cPanel, under the “Security” section, there’s now a ModSecurity area where you can disable it on a per-domain basis. It’ll warn you that this is potentially unsafe, and not recommended outside of debugging purposes (usually to prove that it’s not ModSecurity causing an issue with a site), but, if you need it, the option is there.