## What is ModSecurity?

ModSecurity is an open-source WAF (Web Application Firewall) that inspects HTTP requests and blocks attacks like SQL injection, XSS, and file inclusion.
## Installation with Nginx

```bash
sudo apt install -y libmodsecurity3 libmodsecurity-dev
sudo apt install -y libnginx-mod-http-modsecurity
```
## OWASP Core Rule Set

```bash
cd /etc/nginx
sudo git clone https://github.com/coreruleset/coreruleset.git modsecurity-crs
cd modsecurity-crs
sudo cp crs-setup.conf.example crs-setup.conf
```
## Configuration

```apache
# /etc/nginx/modsecurity/modsecurity.conf
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecResponseBodyAccess Off

# Logging
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsecurity/audit.log
SecAuditLogParts ABCFHZ

# Include OWASP CRS (setup file first, then the rule files)
Include /etc/nginx/modsecurity-crs/crs-setup.conf
Include /etc/nginx/modsecurity-crs/rules/*.conf
```
## Nginx Integration

```nginx
server {
    listen 443 ssl http2;
    server_name example.com;
    # ssl_certificate / ssl_certificate_key directives omitted for brevity

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
```
## Tuning False Positives

Start in detection mode:

```apache
SecRuleEngine DetectionOnly
```

Review the audit log, then add targeted exclusions for the legitimate requests that trigger rules:

```apache
# Disable one specific rule for a path.
# Use 'pass', not 'allow': 'allow' in phase 1 would stop processing the whole
# transaction and skip every other CRS rule for this path.
# This rule must be loaded before the CRS Include lines so the exclusion is
# in place before the rule it removes runs.
SecRule REQUEST_URI "@beginsWith /api/webhook" \
    "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=942100"
```
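To turn the "review logs" step into something repeatable, the following added script (not part of the original page) parses the H part of a ModSecurity v3 serial audit log, counts which rule IDs fired on which URIs, and emits candidate per-path exclusion rules in the form shown above. The log excerpt is constructed for the example; the regex assumes the `[id "..."] ... [msg "..."] ... [uri "..."]` field order libmodsecurity writes.

```python
import re
from collections import Counter

# Constructed sample of a ModSecurity v3 serial audit log (A and H parts only).
SAMPLE_AUDIT_LOG = """\
---Aa1b2c3d4---A--
[12/Mar/2024:10:15:01 +0000] 171028650112345 203.0.113.10 51234 10.0.0.5 443
---Aa1b2c3d4---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/api/webhook"] [unique_id "171028650112345"]
ModSecurity: Warning. Inbound Anomaly Score Exceeded. [file "/etc/nginx/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/api/webhook"] [unique_id "171028650112345"]
---Aa1b2c3d4---Z--
---Bb5c6d7e8---A--
[12/Mar/2024:10:16:44 +0000] 171028660498765 198.51.100.7 40022 10.0.0.5 443
---Bb5c6d7e8---H--
ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "52"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/search"] [unique_id "171028660498765"]
---Bb5c6d7e8---Z--
"""

# Field order in libmodsecurity's H-part lines: ... [id] ... [msg] ... [uri] ...
HIT_RE = re.compile(r'\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]')

# CRS scoring/reporting rules: they fire because other rules scored, so they
# are never the rule to exclude.
AGGREGATE_RULES = {"949110", "980130"}


def rule_hits(log_text):
    """Count (rule id, message, uri) triples across all transactions in the log."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.startswith("ModSecurity:"):
            continue
        m = HIT_RE.search(line)
        if m is None or m["id"] in AGGREGATE_RULES:
            continue
        hits[(m["id"], m["msg"], m["uri"])] += 1
    return hits


def exclusion_rule(rule_id, uri_prefix, exclusion_id):
    """Per-path exclusion; 'pass' keeps every other CRS rule active for the path."""
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')


def suggest_exclusions(log_text, min_hits=1, start_id=1001):
    """Candidate exclusions, most frequent first; each needs a human to confirm
    the traffic really is legitimate before it goes into the config."""
    rules = []
    for n, ((rid, _msg, uri), count) in enumerate(rule_hits(log_text).most_common()):
        if count >= min_hits:
            rules.append(exclusion_rule(rid, uri, start_id + n))
    return rules


if __name__ == "__main__":
    for (rid, msg, uri), count in rule_hits(SAMPLE_AUDIT_LOG).most_common():
        print(f"{count:5d}  {rid}  {uri:<20}  {msg}")
    print("\n".join(suggest_exclusions(SAMPLE_AUDIT_LOG)))
```

Run it against the real `/var/log/modsecurity/audit.log` and raise `min_hits` so one-off probes do not become exclusions.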
## Common Rules Triggered

| Rule ID | Attack Type | Description |
|---|---|---|
| 941100 | XSS | Cross-site scripting attempt |
| 942100 | SQLi | SQL injection attempt |
| 949110 | Inbound | Anomaly score exceeded |
| 932100 | RCE | Remote command execution |
| 930100 | Path Traversal | ../ in request |

**Warning:** Never deploy ModSecurity in blocking mode without testing in DetectionOnly first. Overzealous rules can break legitimate functionality like rich text editors, file uploads, and API calls with JSON payloads.