Protecting Your Server Against Malware With ModSecurity


In the fast-paced world of web hosting, managing malware and compromised accounts has become a routine task. As popular Content Management Systems (CMS) like WordPress, Joomla, and Drupal continue to grow, so do the vulnerabilities that hackers can exploit. Simply updating your CMS to the latest version isn’t always enough to safeguard your server. Now, more than ever, it’s essential to implement a comprehensive malware protection strategy to keep your server secure.

In this guide, we’ll show you how to leverage ModSecurity, a powerful Web Application Firewall (WAF), to protect your server from malware and malicious attacks. This guide is tailored for users with a cPanel environment running CentOS.

What is ModSecurity?

ModSecurity is an open-source Web Application Firewall (WAF) compatible with popular web servers like Apache, Nginx, and IIS. It operates using predefined rulesets to guard against common security vulnerabilities, including SQL injection and Trojans. ModSecurity’s Core Rule Set (CRS) provides essential protection, while custom rules can be created to address specific threats, allowing for a flexible, highly customizable defense mechanism.

Why Use ModSecurity?

The most frequent entry point for malware is through unpatched or vulnerable web applications hosted on your server. ModSecurity acts as an added layer of security, safeguarding your server from these common exploits and preventing unauthorized access.

Installation

If ModSecurity is not already installed, you can install it with the following yum command:

yum install ea-apache24-mod_security2 -y

Rule Sets

cPanel provides the OWASP ModSecurity Core Rule Set V3.0 by default, but we recommend using the COMODO ModSecurity Apache Rule Set and Imunify360 Rule Set for better functionality and malware prevention. Add these rule sets with the following commands:

/usr/local/cpanel/scripts/modsec_vendor add https://waf.comodo.com/doc/meta_comodo_apache.yaml
/usr/local/cpanel/scripts/modsec_vendor add https://files.imunify360.com/static/modsec/v1/meta_imunify360_min.yaml

Additional Malware Protection

Consider adding a script from Malware Expert that runs every file uploaded through websites on the server through ClamAV. This blocks a lot of malware before it ever reaches the web application. Use wget to download the Perl script and make it executable:

wget -O /usr/local/bin/runav.pl
chmod 755 /usr/local/bin/runav.pl

A ModSecurity rule is needed to hand each uploaded file to the script above. Download the rule configuration file:

wget -O /etc/apache2/conf.d/modsec/modsec2.user.conf
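The post does not show the contents of the Malware Expert script, so the following is an added example (not the project's code) of what such a scanner does: ModSecurity's @inspectFile operator runs the script with the uploaded file's temporary path and reads one line whose first character accepts ("1") or rejects ("0") the file. The script path, rule id and clamscan location are assumptions.

```python
#!/usr/bin/env python3
r"""Upload scanner for ModSecurity's @inspectFile operator (added example).

ModSecurity passes the temporary path of the uploaded file as the only
argument and reads one stdout line: a leading "1" accepts the file, "0"
rejects it, the rest of the line goes to the audit log. Assumed rule:
  SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/runav.py" \
    "id:99001,phase:2,t:none,deny,status:403,msg:'Malware in upload'"
"""
import subprocess
import sys

CLAMSCAN = "/usr/bin/clamscan"  # assumed path of the ClamAV scanner


def verdict(returncode: int, output: str) -> str:
    """Map clamscan's exit status (0 clean, 1 infected, 2 error) to the
    @inspectFile result line. Errors are rejections (fail closed), so a
    broken ClamAV install never silently waves uploads through."""
    if returncode == 0:
        return "1 clean"
    if returncode == 1:
        # clamscan prints "<path>: <signature> FOUND" for every hit; keep
        # the signature name so it is recorded in the audit log.
        for line in output.splitlines():
            if line.endswith(" FOUND"):
                sig = line[: -len(" FOUND")].split(": ", 1)[-1]
                return f"0 clamscan: {sig} FOUND"
        return "0 clamscan: malware found"
    return f"0 clamscan error (exit status {returncode})"


def scan(path: str) -> str:
    """Run clamscan on one uploaded file and return the result line."""
    try:
        proc = subprocess.run(
            [CLAMSCAN, "--no-summary", "--stdout", path],
            capture_output=True, text=True, timeout=60, check=False,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"0 clamscan unavailable: {type(exc).__name__}"
    return verdict(proc.returncode, proc.stdout)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("0 usage: runav.py <file>")
    else:
        print(scan(sys.argv[1]))
```

Because the script fails closed, a missing or broken clamscan rejects every upload, so a health check on ClamAV belongs next to this rule in production.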

Configuration

Perform these final steps through WHM:

  1. Log in to WHM and navigate to ModSecurity™ Configuration.
  2. Set Recommended Settings: Limit log file sizes and allow the rule sets to operate properly.
  3. Project Honey Pot HTTP API Key: Obtain and enter this key in the appropriate field for enhanced protection.

  4. Navigate to ModSecurity™ Tools: Go to the Rule List and disable rule ID 33334. This rule is designed to scan uploaded files, a job that the custom script and rule above take over. Leaving it enabled can cause issues with file uploads unless Imunify360 is installed.

Managing False Positives

You might find a few rules that cause false positives (e.g., 210831). You can disable these rules through the WHM interface. Generally, these rulesets are effective in offering protection against website compromises and reducing server load by blocking unwanted Apache requests.

Benefits of Using ModSecurity

  1. Enhanced Security: Protect against common web application vulnerabilities.
  2. Customizability: Create and implement custom rules to fit your specific needs.
  3. Reduced Server Load: Block malicious traffic before it reaches your web applications.
  4. Scalability: Adapt rulesets and configurations as your security needs evolve.

We’d love to hear your feedback on this post. What security measures do you use? Share your experiences and tips in the comments below.

In today’s digital landscape, securing your server from malware and malicious attacks is crucial for maintaining the integrity of your web hosting environment. By implementing tools like ModSecurity and following security best practices, you can create a robust defense system that proactively identifies and blocks vulnerabilities before they can cause harm.

For more expert guidance on securing your server, be sure to explore UKHost4u’s security solutions and resources on OWASP for up-to-date information on web security practices.

If you need assistance or have any questions, feel free to contact our support team. We are available via live chat, phone, or ticket system to help you ensure your server remains secure.