Protecting Your Server Against Malware With ModSecurity

In the world of web hosting, dealing with malware and compromised accounts is a daily occurrence. As more and more content management systems become popular, the exploits for these systems become more widely known. Patching your systems to the latest version is not always enough, and it’s more important than ever to ensure that you have a robust malware protection system in place.

This guide will explain how you can use ModSecurity to help protect your server against malware and malicious attacks. In this guide we will be using a cPanel environment with CentOS.

ModSecurity is an open-source Web Application Firewall (WAF) which is compatible with Apache, Nginx and IIS. It uses rule sets to protect against common issues, and its Core Rule Set provides rules to protect against common problems such as Trojans and SQL injection. Custom rules can also be created, providing flexibility and customization.

The most common point of entry for malware is through vulnerabilities in web applications hosted on the server. ModSecurity is a great tool for locking your server down and preventing this.

Installation

If not already installed, install ModSecurity with the following yum command:

yum install ea-apache24-mod_security2 -y

Rule Sets

cPanel provides the OWASP ModSecurity Core Rule Set V3.0 as standard, but we personally prefer to use the COMODO ModSecurity Apache Rule Set and the Imunify360 Rule Set. These rule sets provide far more functionality and are the best prevention against malware. They can be added as follows:

/usr/local/cpanel/scripts/modsec_vendor add https://waf.comodo.com/doc/meta_comodo_apache.yaml
/usr/local/cpanel/scripts/modsec_vendor add https://files.imunify360.com/static/modsec/v1/meta_imunify360_min.yaml

This is an optional step but one we would recommend. This script from Malware Expert runs every file uploaded via websites on the server through ClamAV. Hopefully this will block a lot of malware from ever reaching the server. The following commands will use wget to download the Perl script, and change the permissions on it to allow it to be executed.

wget -O /usr/local/bin/runav.pl
chmod 755 /usr/local/bin/runav.pl

We’ve put the ModSecurity rule which facilitates the above script and a couple of others that Malware Expert recommend in the following file which can be downloaded in just one step. Note that this will overwrite any custom ModSecurity rules you already have so you might just want to append the contents of the file instead of overwriting it.

wget -O /etc/apache2/conf.d/modsec/modsec2.user.conf
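The upload-scanning step above relies on ModSecurity's `@inspectFile` operator, which hands each uploaded temporary file to an external program and reads a one-line verdict back from it. The following is an added example and not the Malware Expert runav.pl script that the post downloads: a small POSIX shell script that follows the same contract, with the clamscan output parsing separated into its own function so it can be checked without ClamAV present. The install path and the rule id mentioned afterwards are assumptions, and ClamAV (`clamscan`) must be installed on the server for the real scan to run.

```shell
#!/bin/sh
# Added example (not the Malware Expert runav.pl from the post): a minimal
# ModSecurity @inspectFile-compatible upload scanner. ModSecurity runs the
# script with the uploaded temporary file as its only argument and reads a
# single line from stdout: a leading "1" accepts the file, a leading "0"
# rejects it, and the rest of the line becomes the message in the audit log.

# Translate one line of clamscan output into an @inspectFile verdict.
# Kept separate from the scan itself so it can be exercised without ClamAV.
verdict_from_clamscan_line() {
    line="$1"
    case "$line" in
        *": OK")            printf '1 clamscan: OK\n' ;;
        *": Empty file"*)   printf '1 clamscan: empty file\n' ;;
        *" FOUND")          sig=${line##*: }; sig=${sig% FOUND}
                            printf '0 clamscan: %s FOUND\n' "$sig" ;;
        *" ERROR")          printf '0 clamscan error: %s\n' "${line##*: }" ;;
        *)                  printf '0 unable to parse clamscan output [%s]\n' "$line" ;;
    esac
}

# Scan a file with clamscan and emit the verdict ModSecurity expects.
# Fails closed: a missing file, a missing clamscan binary or empty scanner
# output all reject the upload instead of silently allowing it through.
scan_upload() {
    file="$1"
    [ -f "$file" ] || { printf '0 no such file: %s\n' "$file"; return; }
    command -v clamscan >/dev/null 2>&1 || { printf '0 clamscan not installed\n'; return; }
    first=$(clamscan --stdout --no-summary "$file" 2>/dev/null | head -n 1)
    verdict_from_clamscan_line "$first"
}

# Only scan when invoked with a filename, as ModSecurity does; with no
# arguments the functions are merely defined, which allows sourcing for tests.
if [ "$#" -eq 1 ]; then
    scan_upload "$1"
fi
```

Saved at an assumed path such as /usr/local/bin/scan_upload.sh and made executable, the script is wired in with a rule of the form `SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/scan_upload.sh" "id:<your-id>,phase:2,t:none,deny,log,msg:'Malware found in uploaded file'"` (the id is a placeholder; choose one in your own custom range). FILES_TMPNAMES is only populated when ModSecurity has request body access and keeps the temporary upload files (SecRequestBodyAccess On, and on ModSecurity 2.9 also SecTmpSaveUploadedFiles On), so a rule that never fires is usually a sign one of those is off rather than a sign the scanner approves of everything.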

Configuration

These final steps are best done through WHM itself. Log in and navigate to ModSecurity™ Configuration. We would recommend the following settings, which will limit the log file sizes and allow the rule sets to operate properly.

It’s also worth obtaining a Project Honey Pot Http:BL API Key and entering it in the field on the same page.

Finally, navigate to ModSecurity™ Tools and then Rule List. Disable rule ID 33334, which is designed to scan uploaded files and is therefore superseded by the custom script/rule above. Leaving it enabled will almost certainly cause issues for file uploads, unless of course you have Imunify360 installed.


And that’s it! You may find a few rules which cause false positives (e.g. 210831) which you can disable through this interface but generally we’ve found them to be quite effective. The advantage of using these rulesets is two-fold. Not only do they offer some protection against your websites being compromised but they also reduce server load by blocking unwanted Apache requests from ever reaching your site.

We’d love to hear your feedback on this post. What security measures do you use?