Setup Modsecurity On CyberPanel to Protect Your Websites From Online Attacks Using
Protect Your Websites From Online Attacks Using Modsecurity On CyberPanel

In this article we discuss how to protect your websites from online attacks using ModSecurity on CyberPanel.

What is ModSecurity?

ModSecurity is used for web security. It is an open-source web application firewall (WAF) supported by different web servers. Many sorts of firewalls are available on the market today; ModSecurity is a signature-based firewall. It can work either embedded or as a reverse proxy.

LiteSpeed Web Server has its own high-performance ModSecurity engine, offering excellent compatibility and performance. LiteSpeed/OpenLiteSpeed works well with popular ModSecurity rule sets such as OWASP, Atomicorp, Comodo, and CloudLinux Imunify360. In addition, CloudLinux Imunify360 rules are constantly updated with new signatures to cover newly introduced threats. (CyberPanel also supports Imunify360 ModSecurity rules, but for that you need to install Imunify360.)

Setup ModSecurity on CyberPanel

To set up ModSecurity on CyberPanel, first log in to CyberPanel, then click Security in the sidebar, and then click ModSecurity Conf.

On the ModSecurity configuration page, if ModSecurity is already installed you will be able to configure it; otherwise you will be asked to install it first.

After you click Install Now, CyberPanel will take a few seconds to install ModSecurity for you and then redirect you to the configuration page.

ModSecurity Rules Packages

CyberPanel provides two rule sets out of the box; you can enable either of them with one click.

  1. OWASP ModSecurity Core Rules
  2. COMODO ModSecurity 3.0 Rules

In this tutorial we will enable the COMODO ModSecurity rules; you can enable the OWASP ModSecurity Core Rules using the same method.

Before moving forward, request your site with an attack payload such as:

http://example.com/?a=b AND 1=1

You should be able to see your site just fine.

Once you enable the Comodo rule package, the same request should return a 403 error.

Enable COMODO ModSecurity Rules Package

After this setup, go to the sidebar of CyberPanel=>Security=>ModSecurity Rules Packages.

After clicking on ModSecurity Rules Packs, you will see OWASP ModSecurity and COMODO ModSecurity; click on the second one.

Click the switch to turn on the COMODO rules. To verify that the COMODO rules are installed successfully, open:

http://example.com/?a=b AND 1=1

You should get a 403 Forbidden error.

You can also see your ModSecurity Audit logs from CyberPanel=>logs=>ModSecurity Audit logs

HTTP/1.1 403
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache

---PHfMHO9k---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[\[\]\x22',()\.]{10}$|(?:union\s+all\s+select\s+(?:(?:null|\d+),?)+|order\s+by\s+\d{1,4}|(?:and|or)\s+\d{4}=\d{4}|waitfor\s+delay\s+'\d+:\d+:\d+'|(?:select|and|or)\s+(?:(?:pg_)?sleep\(\d+\)|\d+\s*=\s* (397 characters omitted)' against variable `ARGS:a' (Value: `b AND 1=1' ) [file "/usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf"] [line "116"] [id "218500"] [rev "7"] [msg "COMODO WAF: SQLmap attack detected||modsec.cyber-sol.net|F|2"] [data "Matched Data: Upgrade-Insecure-Requests found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "modsec.cyber-sol.net"] [uri "/"] [unique_id "161998521255.519140"] [ref "v4,1o2,7v8,9t:urlDecodeUni,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `[\[\]\x22',()\.]{10}$|(?:union\s+all\s+select\s+(?:(?:null|\d+),?)+|order\s+by\s+\d{1,4}|(?:and|or)\s+\d{4}=\d{4}|waitfor\s+delay\s+'\d+:\d+:\d+'|(?:select|and|or)\s+(?:(?:pg_)?sleep\(\d+\)|\d+\s*=\s* (397 characters omitted)' against variable `ARGS:a' (Value: `b AND 1=1' ) [file "/usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf"] [line "116"] [id "218500"] [rev "7"] [msg "COMODO WAF: SQLmap attack detected||modsec.cyber-sol.net|F|2"] [data "Matched Data: Upgrade-Insecure-Requests found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "SQLi"] [hostname "modsec.cyber-sol.net"] [uri "/"] [unique_id "161998521255.519140"] [ref "v4,1o2,7v8,9t:urlDecodeUni,t:lowercase"]

---PHfMHO9k---Z--

You can also view the ModSecurity audit log from an SSH terminal with this command:

tail -f /usr/local/lsws/logs/auditmodsec.log

If you want to see more detailed logs, you can change SecAuditLogParts from CyberPanel=>ModSecurity Conf. ModSecurity audit logs are divided into logical parts; each part is described below:

  • A. Audit log header
  • B. Request headers
  • C. Request Body
  • D. Reserved and not used yet.
  • E. Intermediary response body. 
  • F. Final response headers
  • G. Reserved, and not used yet.
  • H. Audit log trailer.
  • I. Special Replacement for part C

After saving these changes, request your website again with the SQL injection payload and run the previous command again in your terminal; you will see more detailed logs on your screen.
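To monitor the log rather than read it by eye, the entry format shown earlier can be split on its `---<id>---<part>--` boundary lines and the part H messages reduced to rule id, matched variable and tags. The Python below is an added example, not code from the original article or from CyberPanel; the function names and the sample entry (boundary id, host, shortened pattern) are constructed for illustration.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^---(\w+)---([A-Z])--\s*$")   # ---<entry id>---<part letter>--
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')            # [id "218500"], [tag "SQLi"], ...
TARGET = re.compile(r"against variable `([^']+)' \(Value: `(.*?)' ?\)")

# Constructed entry modelled on the log above (boundary id, host and pattern are made up).
SAMPLE = """\
---aB3dE9xQ---B--
GET /?a=b%20AND%201=1 HTTP/1.1
---aB3dE9xQ---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `<omitted>' against variable `ARGS:a' (Value: `b AND 1=1' ) [id "218500"] [msg "COMODO WAF: SQLmap attack detected||example.com|F|2"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `<omitted>' against variable `ARGS:a' (Value: `b AND 1=1' ) [file "/usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf"] [id "218500"] [msg "COMODO WAF: SQLmap attack detected||example.com|F|2"] [tag "CWAF"] [tag "SQLi"]
---aB3dE9xQ---Z--
"""

def split_entries(text):
    """Group log lines as {entry_id: {part_letter: [lines]}}, in log order."""
    entries, bucket = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:   # a boundary line opens the next part of that entry
            bucket = entries.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif bucket is not None:
            bucket.append(line)
    return entries

def rule_hits(parts):
    """Yield one dict per part H message with the fields used for triage."""
    for line in parts.get("H", []):
        if line.startswith("ModSecurity:"):
            fields, target = FIELD.findall(line), TARGET.search(line)
            yield {
                **{k: v for k, v in fields if k in ("id", "msg", "file")},
                "tags": [v for k, v in fields if k == "tag"],      # tag repeats per line
                "variable": target.group(1) if target else None,
                "value": target.group(2) if target else None,
                "denied": line.startswith("ModSecurity: Access denied"),
            }

def blocked_by_rule(text):
    """Count denied requests per rule id; the paired Warning line is not counted."""
    return Counter(h.get("id") for parts in split_entries(text).values()
                   for h in rule_hits(parts) if h["denied"])

if __name__ == "__main__":
    print(blocked_by_rule(SAMPLE))
```

Feeding it the contents of the audit log file gives a per-rule count of blocked requests, which makes a noisy or false-positive rule easy to spot.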

Similarly, ModSecurity will protect your site against other attack payloads using the signatures defined in the Comodo rules package. Monitor the log files from time to time to see what is going on with your server. That completes the ModSecurity setup on CyberPanel.
