How to Use the Web Application Firewall

Protect your website with ModSecurity via the Web Application Firewall (WAF).

Steps

  1. Go to Tools & Settings > Web Application Firewall.

  2. Choose the mode: Detection Only or On.

  3. Select a rule set (e.g., Atomic, OWASP).

  4. Click Apply.

Examples of ModSecurity Rules, Rule IDs, How to Find Them in Logs, and WAF Modes

    Examples of ModSecurity Rules

    1. Block suspicious User-Agent strings

      # Phase 1 (request headers): deny with 403 when the User-Agent matches a known scanner name
      SecRule REQUEST_HEADERS:User-Agent "@rx (sqlmap|nikto|fuzz)" \
        "id:100001,phase:1,deny,status:403,msg:'Blocking suspicious User-Agent'"

    2. Limit number of URL parameters

      # &ARGS is the count of request arguments; deny when more than 10 are sent
      SecRule &ARGS "@gt 10" \
        "id:100002,phase:2,deny,status:403,msg:'Too many URL parameters'"

    3. Block specific file extensions in uploads

      # t:lowercase normalises the file name first, so .PHP or .Exe cannot slip past the pattern
      SecRule FILES_NAMES "@rx \.(exe|php|jsp)$" \
        "id:100003,phase:2,t:none,t:lowercase,deny,status:403,msg:'Executable file upload blocked'"

    Examples of Rule IDs and How to Find Them in Logs

    Each ModSecurity rule has a unique ID (like 949110, 981176, or custom ones like 100001 above). These IDs appear in your ModSecurity logs or Apache error logs when a rule is triggered.

    Example log entry:

    ModSecurity: Access denied with code 403 (phase 2). Match of "rx sqlmap" against "REQUEST_HEADERS:User-Agent" required. [id "100001"] [msg "Blocking suspicious User-Agent"]

    You can find these logs in:

    • Plesk: Domains > yourdomain.com > Logs (filter by ModSecurity)

    • CLI (Linux): /var/log/modsec_audit.log or /var/log/apache2/error.log
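To see which rule IDs are firing (the question you want answered while running in Detection Only mode before switching to On), the bracketed `[id "..."] [msg "..."]` tags in the error log can be parsed and counted. This is an added Python example, not Plesk or ModSecurity code; the sample log lines are constructed to match the format shown above.

```python
import re
from collections import Counter

# ModSecurity appends key/value tags such as [id "100001"] [msg "..."] to each
# Apache error-log entry; this captures every such tag (quoted values may contain \").
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# "Access denied with code NNN" means the request was blocked (On mode);
# "Warning." is what Detection Only mode logs for the same match without blocking.
ACTION_RE = re.compile(r'ModSecurity: (?:Access denied with code (\d+)|Warning)')

# Constructed sample log lines in the format shown above (not real traffic).
SAMPLE_LOG = """\
[Mon Jan 01 10:00:01 2024] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Match of "rx sqlmap" against "REQUEST_HEADERS:User-Agent" required. [id "100001"] [msg "Blocking suspicious User-Agent"] [hostname "example.com"] [uri "/"]
[Mon Jan 01 10:00:02 2024] [error] [client 203.0.113.5] ModSecurity: Warning. Operator GT matched 10 at ARGS. [id "100002"] [msg "Too many URL parameters"] [hostname "example.com"] [uri "/search"]
[Mon Jan 01 10:00:03 2024] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.(exe|php|jsp)$" at FILES_NAMES:upload. [id "100003"] [msg "Executable file upload blocked"] [hostname "example.com"] [uri "/upload"]
[Mon Jan 01 10:00:04 2024] [notice] Apache/2.4 configured -- resuming normal operations
[Mon Jan 01 10:00:05 2024] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Match of "rx sqlmap" against "REQUEST_HEADERS:User-Agent" required. [id "100001"] [msg "Blocking suspicious User-Agent"] [hostname "example.com"] [uri "/admin"]
"""

def parse_modsec_line(line):
    """Return {'action', 'status', 'id', 'msg', ...} for a ModSecurity entry, else None."""
    m = ACTION_RE.search(line)
    if not m:
        return None  # not a ModSecurity entry (ordinary Apache log noise)
    entry = {"action": "deny" if m.group(1) else "warn",
             "status": int(m.group(1)) if m.group(1) else None}
    for key, value in TAG_RE.findall(line):
        entry[key] = value
    return entry

def parse_log(text):
    """Parse every line of an error log, keeping only ModSecurity entries."""
    return [e for e in map(parse_modsec_line, text.splitlines()) if e]

def summarize(text):
    """Count how often each (rule id, msg) pair fired; useful for tuning in Detection Only mode."""
    return Counter((e.get("id", "?"), e.get("msg", "")) for e in parse_log(text))

if __name__ == "__main__":
    for (rule_id, msg), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  id {rule_id}  {msg}")
```

Run it against /var/log/apache2/error.log to get a count per rule ID; a rule that fires constantly on legitimate traffic is a candidate for review before enabling prevention mode.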

    WAF Modes Explained

    1. Disabled: ModSecurity is completely turned off. No requests are inspected or blocked.

    2. Detection Only: Rules are processed and logged, but no blocking occurs. Useful for testing which rules would trigger.

    3. On (Prevention Mode): Rules are processed, and malicious requests are blocked automatically based on the rule set.
