Protecting Your Server Against Malware With ModSecurity

In the world of web hosting, dealing with malware and compromised accounts is a daily occurrence. As more content management systems (CMS) become popular, the exploits for these systems become more widely known. Patching your systems to the latest version is not always enough. It’s more important than ever to ensure that you have a robust malware protection system in place.

This guide will explain how you can use ModSecurity to help protect your server against malware and malicious attacks. We will be using a cPanel environment with CentOS.

What is ModSecurity?

ModSecurity is an open-source Web Application Firewall (WAF) compatible with Apache, Nginx, and IIS. It uses rulesets to protect against common issues, and its Core Rule Set provides rules to defend against threats such as Trojans and SQL Injection. Custom rules can also be created, offering flexibility and customization.

Why Use ModSecurity?

The most common entry point for malware is through vulnerabilities in web applications hosted on the server. ModSecurity is an excellent tool for securing your server and preventing these exploits.

Installation

If ModSecurity is not already installed, you can install it with the following yum command:

yum install ea-apache24-mod_security2 -y

Rule Sets

cPanel provides the OWASP ModSecurity Core Rule Set V3.0 by default, but we recommend using the COMODO ModSecurity Apache Rule Set and Imunify360 Rule Set for better functionality and malware prevention. Add these rule sets with the following commands:

/usr/local/cpanel/scripts/modsec_vendor add https://waf.comodo.com/doc/meta_comodo_apache.yaml
/usr/local/cpanel/scripts/modsec_vendor add https://files.imunify360.com/static/modsec/v1/meta_imunify360_min.yaml

Additional Malware Protection

Consider adding a script from Malware Expert that runs every file uploaded through websites on the server through ClamAV. This can block a lot of malware before it is ever stored on the server. Use wget to download the Perl script and make it executable:

wget -O /usr/local/bin/runav.pl
chmod 755 /usr/local/bin/runav.pl

We recommend adding a ModSecurity rule that calls the script above on every file upload. Download the configuration file:

wget -O /etc/apache2/conf.d/modsec/modsec2.user.conf
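To make the upload scan step concrete, here is an added illustration of the contract ModSecurity's @inspectFile operator expects from such a script. It is not the Malware Expert runav.pl script or its configuration file; it is a POSIX shell stand-in written for this guide. The function names (inspect_upload, verdict_from_clamscan), the script path and the rule ID in the commented SecRule are assumptions chosen for illustration; the clamscan output format ("<path>: OK", "<path>: <signature> FOUND") and the one-line "1 ..." / "0 ..." reply are what ModSecurity and ClamAV actually use.

```shell
#!/bin/sh
# Added illustration (not the Malware Expert script): what an @inspectFile
# scanner script has to do. ModSecurity passes the temporary upload path as $1
# and reads exactly one line of output; a first character of "1" accepts the
# file, anything else (conventionally "0") rejects it. The rest of the line is
# the message written to the ModSecurity log.

# Scanner command; overridable so the functions can be exercised without ClamAV.
CLAMSCAN="${CLAMSCAN:-clamscan}"

# Translate one clamscan result line into an @inspectFile verdict line.
# clamscan prints "<path>: OK", "<path>: <Signature> FOUND" or "<path>: ... ERROR".
verdict_from_clamscan() {
    line=$1
    case $line in
        *": OK")           echo "1 clamscan: OK" ;;
        *" FOUND")         sig=${line##*: }; sig=${sig% FOUND}; echo "0 clamscan: $sig" ;;
        *" ERROR")         echo "0 clamscan: error while scanning" ;;
        *": Empty file"*)  echo "1 empty file" ;;
        *)                 echo "0 Unable to parse clamscan output [$line]" ;;
    esac
}

# Entry point ModSecurity would call: inspect_upload /path/to/tmpfile
inspect_upload() {
    [ "$#" -eq 1 ] || { echo "0 usage: inspect_upload <filename>"; return 1; }
    # --no-summary keeps clamscan's output to the single per-file result line;
    # "|| true" because clamscan exits non-zero when it finds a signature.
    result=$("$CLAMSCAN" --no-summary "$1" 2>&1 | head -n 1) || true
    verdict_from_clamscan "$result"
}

# Hypothetical rule wiring this script into ModSecurity (path and id are
# assumptions; choose an id outside the ranges your vendor rule sets use):
#   SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/inspect_upload.sh" \
#       "id:100001,phase:2,t:none,deny,status:403,log,msg:'Malware found in uploaded file'"

# Behave as a script when given a file argument; otherwise only define functions.
if [ "$#" -eq 1 ]; then
    inspect_upload "$1"
fi
```

The important design point is the single-line reply: ModSecurity only looks at the first character of the first line, so a script that prints a ClamAV banner or a multi-line summary first would silently accept every upload. Keeping the scanner command in a variable also lets you exercise the verdict logic with a stand-in scanner before pointing it at the real clamscan.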

Configuration

Perform these final steps through WHM:

  1. Log in to WHM and navigate to ModSecurity™ Configuration.
  2. Set Recommended Settings: Limit log file sizes and allow the rule sets to operate properly.
  3. Project Honey Pot HTTP API Key: Obtain and enter this key in the appropriate field for enhanced protection.
  4. Navigate to ModSecurity™ Tools: Go to the Rule List and disable rule ID 33334. This rule is designed to scan uploaded files, which is superseded by the custom script/rule above. Leaving it enabled can cause issues with file uploads unless Imunify360 is installed.

Managing False Positives

You might find a few rules that cause false positives (e.g., 210831). You can disable these rules through the WHM interface. Generally, these rulesets are effective in offering protection against website compromises and reducing server load by blocking unwanted Apache requests.

Benefits of Using ModSecurity

  1. Enhanced Security: Protect against common web application vulnerabilities.
  2. Customizability: Create and implement custom rules to fit your specific needs.
  3. Reduced Server Load: Block malicious traffic before it reaches your web applications.
  4. Scalability: Adapt rulesets and configurations as your security needs evolve.

We’d love to hear your feedback on this post. What security measures do you use? Share your experiences and tips in the comments below.

For more detailed insights and expert advice on securing your servers, visit UKHost4u’s security solutions and explore resources on OWASP.

By following these steps, you can significantly enhance the security of your server, protect against malware, and ensure a robust defense against malicious attacks.