WAF (ModSecurity)
A WAF (Web Application Firewall) is a solution for protecting web applications from malicious attacks. It analyzes HTTP/HTTPS traffic between the client and the server and blocks malicious requests according to specified rules. Ispmanager uses ModSecurity as a WAF.
WAF installation
- Log in to the panel with a superuser account.
- Navigate to the Software configuration section → Web server (WWW) and click Edit.
- Check the box next to WAF and click Save.
Nginx uses ispmanager's custom-built ModSecurity module.
Apache uses the package provided by the OS.
If Nginx and Apache are used together, the module is only installed for Nginx.
OpenLiteSpeed and LiteSpeed use their built-in ModSecurity module.
The rules from the /etc/modsecurity/owasp/rules/REQUEST-922-MULTIPART-ATTACK.conf file are removed from the OWASP set.
ModSecurity v.2.x is used for Apache, and ModSecurity v.3.x — for Nginx, OpenLiteSpeed and LiteSpeed.
To start using the WAF, enable it for users and sites.
Enabling WAF
For users
- Log in to ispmanager with an administrator level account or above.
- Navigate to the Users section.
- Select a user and click Edit on the toolbar.
- In the Access section, check the boxes:
  - Can use WAF — the user will be able to enable and disable WAF for their sites. If you check only this box, the administrator ruleset (OWASP by default) will be used for the user's sites.
  - Can change WAF settings — the user will be able to select sets of rules for each site and upload their own. The user will be able to directly influence the web server configuration. Give this permission only to trusted users.
- Click Save.
To start using the WAF, it must be enabled for the site.
For sites
- Navigate to the Sites section.
- Select a site and click Edit on the toolbar.
- Go to the Optimization and DDoS protection section → WAF and select:
  - Detection only — when the rules are triggered, requests are not blocked, but only recorded in the log. This mode is used to detect WAF false positives without the risk of disrupting the site's functionality. Use it temporarily to identify and disable the rules that do not apply to the site, and then select the Enabled option.
  - Enabled — requests are blocked when rules are triggered.
- Click Save.
If a user is only allowed to enable the WAF (without the permissions to change WAF settings), the administrator ruleset will be used for their site by default.
Verification
To ensure that the WAF rules are working, run a "malicious" request to the site. For example:
curl 'https://YOUR_SITE/?foo=/etc/passwd&bar=/bin/sh'
If the WAF works, you will get an error when trying to open the site in the browser (if the WAF is in the Enabled mode), and this request will appear in the log.
WAF configuration
For servers
The ruleset selected for the web server will be used by default for all sites where the WAF is enabled. If you skip this setting, the OWASP ruleset will be used by default.
- Log in to the panel with a superuser account.
- Go to the Web server settings section → WAF settings and fill in the fields:
  - Ruleset:
    - OWASP
    - COMODO
    - Load from an external source (via a URL) — custom ruleset as a .conf file or an archive of several .conf files
    - Upload from the local computer — custom ruleset as a .conf file or an archive of several .conf files
  - External source URL (when loading rules from an external source).
  - Update the rules — allows you to update OWASP and COMODO rules, as well as rules loaded from a URL. To update rules uploaded from the local computer, delete them and upload a new version. The rules will be updated for all sites that use the admin ruleset.
  - Rules used — allows you to select which rules from the set will be available for sites. When adding rules from an external source or from a local computer, click Save to load the rules and make them available for selection.
  - Add your own rules to the set — allows you to add rules from your local computer to OWASP, COMODO, or URL-loaded rules. In this case, both sets of rules will apply.
- Click Save.
For sites
The site-specific configuration allows you to override the ruleset selected at the web server level and add your own rules.
- Navigate to the Sites section.
- Select a site and click Edit on the toolbar.
- If WAF is not yet enabled for the site, enable it, and then fill in the fields in the Optimization and DDoS protection section:
  - Ruleset:
    - Administrator ruleset — a set of rules installed and configured by the administrator in the Web server settings section
    - OWASP
    - COMODO
    - Load from an external source (via a URL) — custom ruleset as a .conf file or an archive of several .conf files
    - Upload from the local computer — custom ruleset as a .conf file or an archive of several .conf files
  - External source URL (when loading rules from an external source).
  - Update the rules — allows you to update URL-loaded rules. To update rules uploaded from the local computer, delete them and upload a new version. The rules will be updated only for the current site.
  - Rules used — allows you to select which rules from the set will be available for the site. When adding rules from an external source or from a local computer, click Save to load the rules and make them available for selection.
  - Add your own rules to the set — allows you to add rules from your local computer to the administrator ruleset, OWASP, COMODO, or URL-loaded rules. In this case, both sets of rules will apply.
- Click Save.
WAF logging
By default, all requests that trigger WAF rules are added to the log.
To view the log, navigate to the Sites section, click next to a site, select Logs → SITE.audit.log.
Logging settings can be changed in the configuration file WEB_SERVER_DIRECTORY/vhosts-resources/SITE/modsecurity.conf.
False positive WAF alarms
Some rules may block legitimate requests as malicious. To prevent this, enable the Detection only mode in the WAF settings for the site and disable those rules. To do this:
- Go to the log.
- Find the false-positive request and, in it, the ID of the rule that was triggered.
- Disable this rule for the site:
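The following is an added example (Python, not part of ispmanager) that parses a SITE.audit.log written in the Serial format used above and lists, for each transaction, the request line, whether it was denied, and the IDs of the rules that fired; those IDs are what you look up when deciding which rules to deselect under Rules used for the site. It reads a constructed sample log covering both the ModSecurity v2 (--id-A--) and v3 (---id---A--) boundary styles; the rule IDs, file names, addresses and paths in it are invented.

```python
# Added example, not ispmanager code: parse a ModSecurity serial audit log (parts
# ABCEFHJZ) and list per transaction the request line, denied flag and rule IDs.
import re
from collections import Counter, defaultdict

# Constructed sample: one v2-style entry (--id-A--) and one v3-style entry
# (---id---A--). Rule IDs, file names, addresses and paths are invented.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[01/Jan/2024:10:00:00 +0000] AbCdEf 192.0.2.10 51000 192.0.2.1 443
--1a2b3c4d-B--
GET /?foo=/etc/passwd&bar=/bin/sh HTTP/1.1
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Matched ... [file "/etc/modsecurity/owasp/rules/EXAMPLE-LFI.conf"] [line "1"] [id "123456"] [msg "constructed LFI rule"]
Message: Warning. Matched ... [file "/etc/modsecurity/owasp/rules/EXAMPLE-RCE.conf"] [line "1"] [id "123457"] [msg "constructed RCE rule"]
--1a2b3c4d-Z--
---QwErTyUi---A--
[01/Jan/2024:10:00:05 +0000] QwErTyUi 192.0.2.20 51001 192.0.2.1 443
---QwErTyUi---B--
POST /wp-admin/post.php HTTP/1.1
---QwErTyUi---H--
ModSecurity: Warning. Matched ... [file "/etc/modsecurity/owasp/rules/EXAMPLE-SQLI.conf"] [line "7"] [id "123458"] [msg "constructed SQLi rule"]
---QwErTyUi---Z--
"""

# Boundary line: 2 or 3 dashes, transaction id, 1 or 3 dashes, part letter, "--".
BOUNDARY = re.compile(r"^-{2,3}(\w+)-{1,3}([A-Z])--$", re.M)
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def parse_audit_log(text):
    """One dict per transaction, in log order: id, request line (B), rule IDs (H), denied flag."""
    marks = list(BOUNDARY.finditer(text))
    parts, order = defaultdict(dict), []
    for i, m in enumerate(marks):
        tx, letter = m.groups()
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        if tx not in parts:
            order.append(tx)
        parts[tx][letter] = text[m.end():end].strip()   # section body between boundaries
    result = []
    for tx in order:
        b, h = parts[tx].get("B", ""), parts[tx].get("H", "")
        result.append({"tx": tx, "request": b.splitlines()[0] if b else "",
                       "rule_ids": RULE_ID.findall(h), "blocked": "Access denied" in h})
    return result

def rule_hit_counts(text):
    """Hits per rule ID; rules that fire repeatedly on legitimate requests are the candidates to deselect under Rules used."""
    return dict(Counter(r for tx in parse_audit_log(text) for r in tx["rule_ids"]))
```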
WAF rulesets
COMODO
The set of rules from the official COMODO website. Rules are downloaded from ispmanager's own repositories:
- cwaf_2.tgz — ruleset for ModSecurity v2 (Apache)
- cwaf_3.tgz — ruleset for ModSecurity v3 (Nginx, OpenLiteSpeed, LiteSpeed)
The ruleset is stored in the /etc/modsecurity/comodo directory.
OWASP
The set of rules from the official OWASP repository. The ruleset is stored in the /etc/modsecurity/owasp/rules directory.
From an external source (URL-loaded)
The rules loaded by an administrator via the Web server settings form are stored in the /etc/modsecurity/url directory.
The rules loaded by a user via the site creation/editing form are stored in the /etc/modsecurity/SITE_url directory.
From a local computer
The rules uploaded by an administrator via the Web server settings form are stored in the /etc/modsecurity/custom directory.
The rules uploaded by a user via the site creation/editing form are stored in the /etc/modsecurity/SITE_custom directory.
Administrator ruleset
All rules set by the administrator in the Web server settings form are saved in the configuration file /etc/modsecurity/admin/main.conf. This ruleset is applied to a site after selecting the Administrator ruleset option on the site creation/editing form.
WAF configuration files
The WAF module uses a hierarchical configuration, where configuration files are connected one to another. Below is a chain of configuration files for a site:
/etc/modsecurity/RULE_SET/*.conf (global ModSecurity configuration files with the rules files available for a site) →
/etc/modsecurity/SITE.conf (ModSecurity configuration file for a site with a list of enabled and disabled rules) →
/WEB_SERVER_DIRECTORY/vhosts-resources/SITE/modsecurity.conf (web server configuration file for ModSecurity with its enabling, operation and logging settings) →
/WEB_SERVER_DIRECTORY/vhosts/USER/SITE.conf (web server configuration file for a site).
The configuration file /WEB_SERVER_DIRECTORY/vhosts-resources/SITE/modsecurity.conf is generated from the template /usr/local/mgr5/etc/templates/default/WEB_SERVER_modsecurity.template after site settings are changed. To change the structure of the configuration file for all sites, edit the template according to the instructions (available to an administrator level account).
modsecurity on;
modsecurity_rules '
SecRuleEngine __MODE__
SecAuditLogParts ABCEFHJZ
SecAuditEngine RelevantOnly
SecAuditLog __LOG_PATH__
SecAuditLogType Serial
';
modsecurity_rules_file __INCLUDE__;
- modsecurity on — ModSecurity is enabled
- modsecurity_rules '...' — main ModSecurity settings:
  - SecRuleEngine __MODE__ — controls the operation of the rules engine; possible values:
    - On — blocking of attacks + logging.
    - Off — completely disabled.
    - DetectionOnly — logging only.
  - SecAuditLogParts ABCEFHJZ — determines which parts of requests/responses to log:
    - A — audit log header
    - B — request header
    - C — request body
    - E — response body
    - F — response header
    - H — log footer
    - J — uploaded files
    - Z — separator.
  - SecAuditEngine RelevantOnly — only requests that trigger rules are logged.
  - SecAuditLog __LOG_PATH__ — path to the audit log file
  - SecAuditLogType Serial — all logs are written to one file
- modsecurity_rules_file __INCLUDE__ — includes external files with rules
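As an added example (Python, not part of ispmanager), the script below reads a rendered nginx modsecurity.conf of the form produced by this template and reports settings that weaken the WAF or break the false-positive workflow, which depends on part H being present in SecAuditLogParts so that rule IDs reach the audit log. The configuration it checks is a constructed sample with an invented log path and include file.

```python
# Added example, not ispmanager code: check a rendered nginx modsecurity.conf
# (the template above with its placeholders filled in) for settings that weaken
# the WAF or break the false-positive workflow, which needs part H in the log.
import re

# Constructed sample rendered from the template with __MODE__ = DetectionOnly;
# the log path and include file are invented.
SAMPLE_CONF = """\
modsecurity on;
modsecurity_rules '
SecRuleEngine DetectionOnly
SecAuditLogParts ABCEFHJZ
SecAuditEngine RelevantOnly
SecAuditLog /var/www/httpd-logs/example.test.audit.log
SecAuditLogType Serial
';
modsecurity_rules_file /etc/modsecurity/example.test.conf;
"""

def parse_directives(conf):
    """Return {directive: value} from the inline modsecurity_rules '...' block."""
    block = re.search(r"modsecurity_rules\s+'(.*?)';", conf, re.S)
    directives = {}
    for line in (block.group(1).splitlines() if block else []):
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    return directives

def audit_settings(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^\s*modsecurity\s+on;", conf, re.M):
        findings.append("modsecurity is not switched on for this site")
    d = parse_directives(conf)
    engine = d.get("SecRuleEngine")
    if engine == "Off":
        findings.append("SecRuleEngine Off: rules are neither enforced nor logged")
    elif engine == "DetectionOnly":
        findings.append("SecRuleEngine DetectionOnly: attacks are logged but not blocked")
    if "H" not in d.get("SecAuditLogParts", ""):
        findings.append("SecAuditLogParts lacks H: rule IDs will not be written to the audit log")
    if d.get("SecAuditEngine") == "Off":
        findings.append("SecAuditEngine Off: nothing is written to the audit log")
    if not re.search(r"^\s*modsecurity_rules_file\s+\S+;", conf, re.M):
        findings.append("no modsecurity_rules_file directive: no ruleset is included")
    return findings
```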
For more information about ModSecurity configuration parameters, please see the official guides: ModSecurity v2.x, ModSecurity v3.x.