Knowledgebase : Technical Information
mod_security Explained
Posted by Administrator on 17 September 2018 03:29 am

What is mod_security?
mod_security (ModSecurity) is a web application firewall (WAF) module that runs inside the web server itself. It was originally written for Apache and is also supported by LiteSpeed, and it lets us inspect every incoming web request and apply filters based on a huge range of criteria. It sits between the request and your site's code, so a request that matches a rule is refused before your application ever sees it. Here's a brief illustration for clarity:

How does it work?
When a request arrives from a visitor trying to access your website, the request data and the other information they send are scanned by mod_security against a set of rules stored server side, looking for known attack signatures. Things like the browser they are using (the User-Agent header), the size of the request, the filename they are requesting, and the query-string and form parameters themselves are all checked against these rules. If anything abnormal or dangerous is detected, the web server (LiteSpeed) blocks the request before it is handed to PHP, so your site's code never runs for it. Think of it as a firewall for your website.

The rules we are currently using come from Comodo and are a public rule set used by a large number of people worldwide. Comodo updates these rules regularly, so when new vulnerabilities and attacks are seen in the wild our rules can be updated automatically to detect them, protecting your websites against new attacks.
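As an added illustration of what such rules look like in mod_security's own syntax (this is written for this article; it is not the Comodo ruleset the server uses), here is one rule for each of the criteria mentioned above. The rule IDs 900001-900004, the scanner names and the size limit are chosen for the example only.

```apache
# Added example of the kind of rules mod_security evaluates; written for this
# article, not taken from the Comodo ruleset. Rule IDs 900001-900004, the
# scanner names and the size limit are chosen for illustration only.

SecRuleEngine On
SecRequestBodyAccess On

# 1. The browser they are using: refuse requests whose User-Agent names a
#    well-known vulnerability scanner (phase 1 = request headers are available).
SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap nikto" \
    "id:900001,phase:1,deny,status:403,log,msg:'Known vulnerability scanner'"

# 2. The size of their request: refuse request bodies larger than 1 MiB.
SecRule REQUEST_HEADERS:Content-Length "@gt 1048576" \
    "id:900002,phase:1,deny,status:413,log,msg:'Request body too large'"

# 3. The filename they are requesting: never serve the WordPress config file.
SecRule REQUEST_FILENAME "@endsWith /wp-config.php" \
    "id:900003,phase:1,deny,status:403,log,msg:'Direct request for wp-config.php'"

# 4. The request data itself: a SQL injection signature in any query-string or
#    form parameter (phase 2 = the request body has been read). The t:
#    transformations URL-decode and lower-case the value before matching, so
#    "UNION%20SELECT" is caught as well as "union select".
SecRule ARGS "@rx union[\s/*]+select" \
    "id:900004,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'SQL injection attempt'"
```

Each rule names what it inspects (a header, the request filename, every argument), an operator (@pm phrase match, @gt, @endsWith, @rx regex) and the actions to take on a match: here `deny` with a 403 (or 413) status and a log entry, which is where the errors mentioned later in this article come from.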

How accurate and reliable is it?
Overall, mod_security is very reliable and accurate and will detect and block most common web application attacks. However, it's important to note that mod_security is a rule based system. Rules have to be written by hand by developers and then applied to a server before they do anything. It is difficult for a generic rule to be accurate across the huge number of different site configurations, software versions and other server differences it has to cover, so occasionally a rule will trigger under normal website usage, causing a false positive. A false positive may temporarily prevent you or your visitors from accessing part of your website. If you notice any errors (typically 403 or 503 errors; 403 is the default response for a blocked request), please get in touch with us and our team can investigate whether a rule is being triggered as a false positive.

When a false positive is reported, we can disable that specific rule for your account only, so that it doesn't trigger again while all the other rules stay active. Every mod_security match is logged server side, including the rule ID, the part of the request that matched and the URL requested, so we can pass this diagnostic information on to Comodo for them to review the rule. When reviewing a rule they can modify or rewrite it to make it more accurate. It is an ongoing process, but one that steadily improves the rules over time.
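An added example (not part of the original article, and not the provider's real configuration) of what that workflow looks like in mod_security's Apache-style syntax. It assumes a hypothetical rule with id 900004 that matched a search parameter called q on www.example.com; the log entry shown in the comment is constructed for this illustration and is not a real server log.

```apache
# Per-site tuning after a confirmed false positive. Added example for this
# article, not the provider's real configuration; rule id 900004, the parameter
# name "q", the hostname and the log entry are assumed/constructed. These
# directives belong in the affected site's <VirtualHost> (or its .htaccess where
# the server permits it), AFTER the line that includes the shared ruleset,
# because they modify a rule that must already have been defined.
#
# Constructed entry as it would appear in the web server's error log when a
# legitimate search for "union select committee" is blocked:
#
#   [Mon Sep 17 03:29:05.123456 2018] [:error] [pid 21544] [client 203.0.113.5:52110]
#   ModSecurity: Access denied with code 403 (phase 2). Pattern match
#   "union[\\s/*]+select" at ARGS:q. [file "/etc/modsecurity/example.conf"]
#   [line "22"] [id "900004"] [msg "SQL injection attempt"]
#   [hostname "www.example.com"] [uri "/search.php"] [unique_id "W58eWaqyf5sAAB3h8zYAAAAB"]
#
# The [id "..."] field identifies the rule; "at ARGS:q" identifies exactly which
# part of the request it matched. Those two facts are all that is needed below.

<IfModule mod_security2.c>
    # Option A (narrowest, preferred): keep the rule, but stop it inspecting the
    # one parameter that legitimately carries the matching text. Every other
    # parameter, and every other site, is still protected by rule 900004.
    SecRuleUpdateTargetById 900004 !ARGS:q

    # Option B (broader): switch rule 900004 off for this site entirely.
    # Use only when the rule misfires on many different parameters or pages.
    # SecRuleRemoveById 900004
</IfModule>
```

Option A is the one to reach for first: it removes the false positive without giving up the rule's protection elsewhere on the site, and because both directives are scoped to the virtual host, other accounts on the same server are unaffected either way.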

The rate of false positives is very low and you are unlikely to notice mod_security having any effect on your website(s) at all.

Will mod_security slow down my website?
There is a small overhead from the scanning itself, which grows with the amount of data inspected (large form submissions and file uploads cost the most), but it should be barely noticeable and should not cause any performance issues for your website or its pages.

I don't want mod_security on my account at all! Can you disable it?
mod_security is designed to protect your websites against specific attacks that may be aimed at the software you are using. For example, if you are running WordPress then mod_security may protect you from various well-known WordPress exploits and attacks. Because of this we strongly recommend that it remains enabled on your account. That said, if you would like us to disable it for your entire account and forfeit the additional protection it provides, we can do so on request via support ticket.