Ispmanager 6 lite, pro, host

WAF (ModSecurity)

WAF (Web Application Firewall) is a solution for protecting web applications from malicious attacks. WAF analyzes HTTP/HTTPS traffic between the client and the server and blocks malicious requests according to specified rules. Ispmanager uses ModSecurity as a WAF.

WAF installation

  1. Log in to the panel with a superuser account.
  2. Navigate to the Software configuration section → Web server (WWW) and click Edit.
  3. Check the box next to WAF and click Save.
Details

Nginx uses ispmanager's custom-built ModSecurity module.

Apache uses the package provided by the OS.

If Nginx and Apache are used together, the module is only installed for Nginx.

OpenLiteSpeed and LiteSpeed use their built-in ModSecurity module.

If your OS is Ubuntu 20, 22 or Debian 11, the rules from the /etc/modsecurity/owasp/rules/REQUEST-922-MULTIPART-ATTACK.conf file are removed from the OWASP set for Apache and LiteSpeed.

ModSecurity v.2.x is used for Apache, and ModSecurity v.3.x — for Nginx and OpenLiteSpeed.

To start using WAF, enable it for users and sites.

How to enable WAF

For users

For the www-root user, WAF is enabled by default.
  1. Log in to ispmanager with an administrator level account or above.
  2. Navigate to the Users section.
  3. Select a user and click Edit on the toolbar.
  4. In the Access section, check the boxes:
    • Can use WAF — the user will be able to enable and disable WAF for their sites. If you check only this box, the administrator ruleset (OWASP by default) will be used for the user's sites.
    • Can change WAF settings — the user will be able to select sets of rules for each site and upload their own rules.
      The user will be able to directly influence the web server configuration. It is recommended to grant this permission only to trusted users.
  5. Click Save.

To get WAF working, it must be enabled for the site.

For sites

The site owner must have permissions to use WAF.
  1. Navigate to the Sites section.
  2. Select a site and click Edit on the toolbar.
  3. Go to the Optimization and DDoS protection section → WAF and select:
    • Detection only — when the rules are triggered, requests are not blocked, but only recorded in the log. This mode is needed to search for false positive WAF alarms without the risk of disrupting the site's functionality. It is recommended to use it temporarily to disable irrelevant rules, and then select the Enabled option.
    • Enabled — requests are blocked when rules are triggered.
  4. Click Save.

If a user is only allowed to enable WAF (without permissions to configure), the administrator ruleset will be used for their site by default.

Testing

To ensure the WAF rules are working correctly, run a "malicious" request to the site. For example:

curl 'https://YOUR_SITE/?foo=/etc/passwd&bar=/bin/sh'

If the rules are operational, an error will appear when trying to open the site in the browser (if the WAF is in the Enabled mode), and a record of this request will be registered in the log.

WAF configuration

For servers

The rules set for the web server will be used by default for all sites where WAF is enabled. If you skip this setting, the OWASP ruleset will be used by default.

  1. Log in to the panel with a superuser account.
  2. Go to the Web server settings section → WAF settings and fill in the fields:
    • Ruleset:
      • OWASP
      • COMODO
      • Download from an external source (via URL) — custom ruleset as a .conf file or an archive of several .conf files
      • Upload from a local computer — custom ruleset as a .conf file or an archive of several .conf files
    • External source URL (when downloading rules from an external source).
    • Update the rules — allows you to update OWASP and COMODO rules, as well as rules downloaded from a URL. To update rules uploaded from the local computer, delete them and upload a new version. The rules will be updated for all sites that use the admin ruleset.
    • Rules used — allows you to select which rules from the set will be available for sites. When adding rules from an external source or from a local computer, click Save to load the rules and make them available for selection.
    • Add your own rules to the set — allows you to add rules from your local computer to OWASP, COMODO, or URL-loaded rules. In this case, both sets of rules will apply.
  3. Click Save.

For sites

The site owner must have permissions to configure WAF settings.

The site-specific configuration allows you to override the ruleset at the web server level and add your own rules.

  1. Navigate to the Sites section.
  2. Select a site and click Edit on the toolbar.
  3. If WAF is not yet enabled for the site, enable it, and then fill in the fields in the Optimization and DDoS protection section:
    • Ruleset:
      • Administrator ruleset — a set of rules installed and configured by the administrator in the Web server settings section
      • OWASP
      • COMODO
      • Download from an external source (via URL) — custom ruleset as a .conf file or an archive of several .conf files
      • Upload from a local computer — custom ruleset as a .conf file or an archive of several .conf files
    • External source URL (when downloading rules from an external source).
    • Update the rules — allows you to update URL-loaded rules. To update rules uploaded from the local computer, delete them and upload a new version. The rules will be updated only for the current site.
    • Rules used — allows you to select which rules from the set will be available for the site. When adding rules from an external source or from a local computer, click Save to load the rules and make them available for selection.
    • Add your own rules to the set — allows you to add rules from your local computer to the Administrator ruleset, OWASP, COMODO, or URL-loaded rules. In this case, both sets of rules will apply.
  4. Click Save.

WAF logging

By default, all requests that trigger WAF rules are added to the log.

To view the log, navigate to the Sites section, click the icon next to the required site and select Logs → SITE.audit.log.

Logging settings can be changed in the configuration file WEB_SERVER_DIRECTORY/vhosts-resources/SITE/modsecurity.conf.

False positive WAF alarms

Some rules may block legitimate requests as malicious. To prevent this, enable Detection only mode in the WAF settings for the site and disable those rules. To do this:

  1. Go to the log.
  2. Find the false-malicious request and in it the ID of the rule that was triggered.
    Example (log entry not reproduced here): in this case, the rule ID is 932160.

  3. Disable this rule for the site:
    1. Navigate to the Sites section, select the required site and click Edit.
    2. In the Optimization and DDoS protection section → Rules used, find the ID of the rule and uncheck its box.
    3. Click Save.
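An added example (not ispmanager's own tooling) of automating step 2: a small Python parser that walks a serial ModSecurity audit log, takes the request line from part B and every triggered rule ID from part H of each transaction, and counts how often each ID fires. The log excerpt is constructed for the example; its addresses, times and transaction IDs are made up.

```python
import re
from collections import Counter

# Constructed excerpt of a serial audit log (two transactions); ids, addresses and times are made up.
SAMPLE_AUDIT_LOG = """\
--3f1a9c2b-A--
[12/Mar/2024:10:15:02 +0300] 3f1a9c2b 192.0.2.10 51234 198.51.100.7 443
--3f1a9c2b-B--
GET /?foo=/etc/passwd&bar=/bin/sh HTTP/1.1
--3f1a9c2b-H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [id "930120"] [msg "OS File Access Attempt"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"]
--3f1a9c2b-Z--
--7c44d0e1-A--
[12/Mar/2024:10:16:40 +0300] 7c44d0e1 192.0.2.25 40110 198.51.100.7 443
--7c44d0e1-B--
POST /wp-admin/post.php HTTP/1.1
--7c44d0e1-H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:content' (Value: `run it with /bin/sh' ) [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"]
--7c44d0e1-Z--
"""
BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")            # e.g. --3f1a9c2b-H--
RULE = re.compile(r'\[id "(\d+)"\](?:.*?\[msg "([^"]*)"\])?')    # -> (rule id, message)

def parse_audit_log(text):
    """Split a serial audit log into one summary dict per transaction (part A ... part Z)."""
    transactions, sections, tx_id, part = [], {}, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx_id, part = m.groups()
            if part == "A":                       # first part of a new transaction
                sections = {}
            elif part == "Z":                     # last part: emit the summary
                transactions.append(summarize(tx_id, sections))
                part = None
        elif part:
            sections.setdefault(part, []).append(line)
    return transactions

def summarize(tx_id, sections):
    """Request line from part B plus every (rule id, message) pair reported in part H."""
    request = next((l for l in sections.get("B", []) if l), "")
    rules = [hit for line in sections.get("H", []) for hit in RULE.findall(line)]
    return {"id": tx_id, "request": request, "rules": rules}

def rule_hit_counts(transactions):
    """How often each rule id fired; ids that fire on ordinary traffic are false-positive candidates."""
    return Counter(rid for tx in transactions for rid, _ in tx["rules"])
```

Run the parser over the real SITE.audit.log while the site is in Detection only mode; an ID that keeps firing on requests you know to be legitimate (here 932160 on the editor POST) is the one to uncheck under Rules used.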

WAF rulesets

COMODO

Set of rules from the official COMODO website. Rules are downloaded from ispmanager's own repositories:

  • cwaf_2.tgz — ruleset for ModSecurity v2 (Apache)
  • cwaf_3.tgz — ruleset for ModSecurity v3 (Nginx, OpenLiteSpeed)

The ruleset is stored in the /etc/modsecurity/comodo directory.

OWASP

Set of rules from the official OWASP repository. The ruleset is stored in the /etc/modsecurity/owasp/rules directory.

From an external source (URL-loaded)

Rules downloaded by an administrator via the Web server settings form are stored in the /etc/modsecurity/url directory.

Rules downloaded by a user via the site creation/editing form are stored in the /etc/modsecurity/SITE_url directory.

From a local computer

Rules downloaded by an administrator via the Web server settings form are stored in the /etc/modsecurity/custom directory.

Rules downloaded by a user via the site creation/editing form are stored in the /etc/modsecurity/SITE_custom directory.

Administrator ruleset

All rules set by the administrator in the Web server settings form are saved in the configuration file /etc/modsecurity/admin/main.conf. This ruleset is established for the site after selecting the Administrator ruleset option on the site creation/editing form.

WAF configuration files

The WAF module uses a hierarchical configuration, where configuration files are connected one to another. Below is a chain of configuration files for a site:

  • /etc/modsecurity/RULE_SET/*.conf (global ModSecurity configuration file with rules files available for a site) →
  • /etc/modsecurity/SITE.conf (ModSecurity configuration file for a site with a list of enabled and disabled rules) →
  • /WEB_SERVER_DIRECTORY/vhosts-resources/SITE/modsecurity.conf (web server configuration file for ModSecurity with settings regulating when it's enabled, operation and logging) →
  • /WEB_SERVER_DIRECTORY/vhosts/USER/SITE.conf (web server configuration file for a site).

The configuration file /WEB_SERVER_DIRECTORY/vhosts-resources/SITE/modsecurity.conf is generated based on the template /usr/local/mgr5/etc/templates/default/WEB_SERVER_modsecurity.template after changing site settings. To change the structure of the configuration file for all sites, edit the template according to the instructions (available to an administrator level account).

Example of a ModSecurity configuration file template for Nginx

/etc/nginx/vhosts-resources/SITE/modsecurity.conf
modsecurity on;
modsecurity_rules '
	SecRuleEngine __MODE__
	SecAuditLogParts ABCEFHJZ
	SecAuditEngine RelevantOnly
	SecAuditLog __LOG_PATH__
	SecAuditLogType Serial
';
modsecurity_rules_file __INCLUDE__;
Details
  • modsecurity on — ModSecurity is enabled
  • modsecurity_rules '...' — main ModSecurity settings
  • SecRuleEngine __MODE__ — controls the operation of the rules engine; possible values:
    • On — blocking of attacks + logging.
    • Off — completely disabled.
    • DetectionOnly — logging only.
  • SecAuditLogParts ABCEFHJZ — determines which parts of requests/responses to log:
    • A — audit log header
    • B — request header
    • C — request body
    • E — response body
    • F — response header
    • H — log footer
    • J — loaded files
    • Z — separator.
  • SecAuditEngine RelevantOnly — only requests that trigger rules are logged.
  • SecAuditLog __LOG_PATH__ — path to audit log file
  • SecAuditLogType Serial — all logs are written to one file
  • modsecurity_rules_file __INCLUDE__ — includes the external file with rules
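As an added illustration (not ispmanager's code), the Python snippet below fills the template above for one site and builds an assumed /etc/modsecurity/SITE.conf that loads a ruleset and removes the rule IDs unchecked under Rules used with the standard ModSecurity directive SecRuleRemoveById. The audit log directory, the mapping of the panel's WAF options to SecRuleEngine values, and the use of Include in the site file are assumptions.

```python
import re

# The Nginx template shown on this page; ispmanager fills in the __...__ placeholders per site.
NGINX_TEMPLATE = """modsecurity on;
modsecurity_rules '
\tSecRuleEngine __MODE__
\tSecAuditLogParts ABCEFHJZ
\tSecAuditEngine RelevantOnly
\tSecAuditLog __LOG_PATH__
\tSecAuditLogType Serial
';
modsecurity_rules_file __INCLUDE__;
"""

# Assumed mapping from the panel's WAF option to the SecRuleEngine value the page describes.
PANEL_MODES = {"Detection only": "DetectionOnly", "Enabled": "On"}

def render_site_config(site, web_server_dir, mode):
    """Fill the template for one site; an unknown panel mode is an error, not a half-filled file."""
    if mode not in PANEL_MODES:
        raise ValueError(f"unknown WAF mode {mode!r}; expected one of {sorted(PANEL_MODES)}")
    values = {
        "__MODE__": PANEL_MODES[mode],
        # assumed location of the SITE.audit.log file shown in the panel
        "__LOG_PATH__": f"{web_server_dir}/vhosts-resources/{site}/{site}.audit.log",
        "__INCLUDE__": f"/etc/modsecurity/{site}.conf",   # site rules file from the chain above
    }
    rendered = re.sub(r"__[A-Z_]+__", lambda m: values[m.group(0)], NGINX_TEMPLATE)
    assert "__" not in rendered, "template still contains an unfilled placeholder"
    return rendered

def render_rules_include(ruleset_dir, disabled_ids):
    """Assumed content of /etc/modsecurity/SITE.conf: load the ruleset, then remove the ids the
    administrator unchecked. SecRuleRemoveById must come after the Include that defines the rule."""
    bad = [i for i in disabled_ids if not str(i).isdigit()]
    if bad:
        raise ValueError(f"rule ids must be numeric: {bad}")
    lines = [f"Include {ruleset_dir}/*.conf"] + [f"SecRuleRemoveById {i}" for i in disabled_ids]
    return "\n".join(lines) + "\n"
```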

For more information about ModSecurity configuration parameters, please see the official guides: ModSecurity v2.x, ModSecurity v3.x.