server administration

Working with ModSecurity in the Apache web server

published on
https://github.com/SpiderLabs/ModSecurity

As promised in Installing and setting up Apache in Ubuntu, I will briefly describe how to work with mod_security for those times when it is stopping your site from working as intended.

Setting up mod_security

Setting SecRuleEngine On in the configuration files means that mod_security will immediately start blocking any request that trips one of the rules.

This could result in some parts of your site not working correctly. You will need to work your way through your site yourself to find out whether your visitors would run into any problems.

An alternative

Setting SecRuleEngine DetectionOnly in the configuration files means that mod_security will only record in the logs that a rule would have been tripped had SecRuleEngine On been set instead; the request itself is still allowed through.

If mod_security is set up this way then you need to make sure you monitor your logs to see which rules would have been tripped.

Mod_security shouldn't stay in the DetectionOnly state forever. Depending on how many visitors your site gets, you should change this setting to On after a week or so.

Before you do, it is a good idea to browse all areas of your site the way a valid user would, so that you can see which rules stop your site from working and which are protecting it.

Monitoring the log

If you wish to monitor the log to see whether mod_security has blocked any requests (and which rules were tripped), run the following command on your server:

sudo grep ModSecurity /var/log/apache2/error_log

Each matching line contains an [id "..."] field. These are the IDs of the rules that were tripped.

If SecRuleEngine On is set then these entries may mean part of your site isn't working correctly. If SecRuleEngine DetectionOnly is set then they show which rules would have blocked requests.

If these rules are stopping your site from working correctly then you can disable them by adding the following line (one for each ID) to your virtual host configuration file:

SecRuleRemoveById id_number

where id_number is the number that appeared in the log you viewed earlier.
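To make the log check above repeatable, here is an added shell example (my own, not from the original post or the ModSecurity project). It pulls the rule IDs out of ModSecurity 2.x error-log lines, counts how often each fired, separates rules that merely logged a warning from rules that actually blocked a request, and prints ready-made SecRuleRemoveById lines. The log lines in SAMPLE_LOG are constructed for the example; the rule IDs, client addresses, file paths and URIs in them are sample values, not real hits from any server.

```shell
#!/bin/sh
# Added example: triage ModSecurity entries from the Apache error log.
# SAMPLE_LOG is constructed for this demonstration (ids, clients, paths and
# URIs are sample values). It follows the ModSecurity 2.x log line format.
SAMPLE_LOG='[Tue Mar 05 10:12:01.123456 2024] [:error] [pid 1234] [client 192.0.2.10] ModSecurity: Warning. Pattern match "example" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "10"] [id "942100"] [msg "Example argument rule"] [uri "/search"]
[Tue Mar 05 10:12:05.000000 2024] [:error] [pid 1234] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "example" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "10"] [id "942100"] [msg "Example argument rule"] [uri "/search"]
[Tue Mar 05 10:13:00.000000 2024] [:error] [pid 1235] [client 192.0.2.12] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/example.conf"] [line "22"] [id "920350"] [msg "Example header rule"] [uri "/"]
[Tue Mar 05 10:14:00.000000 2024] [notice] [pid 1] AH00094: Command line: /usr/sbin/apache2'

# Rule ids from every ModSecurity line on stdin, one per line, in log order.
# Non-ModSecurity lines (such as the AH00094 notice above) are ignored.
modsec_rule_ids() {
  grep 'ModSecurity:' | grep -o '\[id "[0-9]*"\]' | sed 's/\[id "\([0-9]*\)"\]/\1/'
}

# Ids from lines where a request was actually blocked. With SecRuleEngine On
# ModSecurity logs "Access denied"; with DetectionOnly it logs "Warning." only,
# so this list stays empty in DetectionOnly mode even though rules are firing.
modsec_blocked_ids() {
  grep 'ModSecurity: Access denied' | grep -o '\[id "[0-9]*"\]' \
    | sed 's/\[id "\([0-9]*\)"\]/\1/'
}

# Hit count per rule id, most frequent first.
modsec_summary() {
  modsec_rule_ids | sort | uniq -c | sort -rn
}

# One SecRuleRemoveById line per distinct id, ready to paste into the
# virtual host configuration after you have reviewed each id.
modsec_remove_lines() {
  modsec_rule_ids | sort -u | sed 's/^/SecRuleRemoveById /'
}

# On a real server you would feed the live log instead of the sample:
#   sudo grep ModSecurity /var/log/apache2/error_log | modsec_summary
printf '%s\n' "$SAMPLE_LOG" | modsec_summary
printf '%s\n' "$SAMPLE_LOG" | modsec_blocked_ids
printf '%s\n' "$SAMPLE_LOG" | modsec_remove_lines
```

Only paste the SecRuleRemoveById lines for ids you have confirmed fire while you browse your own site as a normal visitor. An id that shows up only on requests you do not recognise is a rule doing its job, and removing it turns off that protection for the whole virtual host. Comparing modsec_summary against modsec_blocked_ids is also a quick way to confirm which mode you are actually in: warnings with no blocked entries means DetectionOnly is still set.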

Conclusion

If you do disable any rules then make sure to restart Apache and re-test your site, checking the log again afterwards to confirm the ids no longer appear.