Web Application Firewall (ModSecurity)

In order to detect and prevent attacks against web applications, the web application firewall (ModSecurity) checks all requests to your web server and the related responses from the server against its set of rules. If the check succeeds, the HTTP request is passed to the website to retrieve the content. If the check fails, the predefined actions are performed.

ModSecurity is supported in both Plesk for Linux and for Windows. It works as a web server (Apache or IIS) module.

Note: To use web application firewall (ModSecurity), administrators who upgrade from Plesk 11.5 must obtain a new Plesk Onyx license key either directly from Plesk or from their vendor.

Turning on ModSecurity

To turn on the web application firewall:

  1. Go to Tools & Settings > Web Application Firewall (ModSecurity) (in the Security group).

    If you do not see this link, install the ModSecurity component in Tools & Settings > Updates and Upgrades > Add/Remove Components > Web hosting group.


  2. Set the web application firewall mode to On or Detection only. Each incoming HTTP request and the related response will be checked against a set of rules. If the check succeeds, the HTTP request will be passed to the website to retrieve the content. If the check fails, the event will be logged. In Detection only mode, no other actions will be performed. In On mode, the HTTP response will be returned with an error code.

    Note: The web application firewall mode can be set on the server and domain levels. However, the domain-level mode cannot be higher than the mode set for the server. For example, if the web application firewall is working in Detection only mode on the server level, you will not be able to switch it to On for domains; only the Off and Detection only modes will be shown.

  3. Select the set of rules that will be checked by the web application firewall engine for each incoming HTTP request, or upload a custom rule set. You can select the following rule sets:
  4. To automatically update the selected rule set, select the Update rule set checkbox and select the update period.
  5. Select a predefined set of parameters or specify your custom ModSecurity directives. You can select the following predefined sets of parameters:


Log Files (Linux)

On Linux, ModSecurity uses two locations for logs:

Log Files (Windows)

On Windows, ModSecurity audit logs are domain-specific and located in %plesk_dir%\ModSecurity\vhosts\<domain's GUID>\logs (where %plesk_dir% is the default installation directory for Plesk).


Switching off Rules

A website can stop functioning as expected after you change the web application firewall mode from Off or Detection only to On. In the website error log, you can find error codes such as 403, 404, or 500, and they stop appearing after you change the web application firewall mode back to Detection only or Off. In this case, analyze the ModSecurity audit log to find out what is happening. You can switch off excessively restrictive security rules or adjust the website.

To find out why an HTTP request cannot be completed for a website:

  1. View the audit log file for the website.

    In Plesk for Linux, you can use the Plesk UI to view the log: go to Tools & Settings > Web Application Firewall (ModSecurity) and click the ModSecurity Log File link to download the audit log and open it in a new browser window.

  2. Use Search (Ctrl+F in most web browsers) to find events for the website (the domain name) that have caused problems. For example, your_domain.tld. The browser will highlight entries like HOST: your_domain.tld. In the three lines above the highlighted entry, find a string like --eece5138-B--. The eight symbols between the hyphens (in our example, eece5138) are the ID of the event triggered by the HTTP request.
  3. Search further for other entries with the same event ID. Look for an entry with the letter H after the event ID (in our example, eece5138-H--). This entry contains the ID and description of the security rule triggered while checking the HTTP request. The security rule ID is an integer in quotation marks, starting with 3, preceded by the prefix id and enclosed in square brackets. For example, [id "340003"].
  4. Find a security rule ID in the event using the substring [id "3. This ID can be used when you switch off rules.

To switch off a rule:

  1. Go to Tools & Settings > Web Application Firewall (ModSecurity).
  2. In the Switch off security rules section, select the security rule by its ID (for example, 340003), by a tag (for example, CVE-2011-4898), or by a regular expression (for example, XSS) and click OK.

Nginx and ModSecurity Notes (Linux)

On Linux, ModSecurity is a module for Apache. Thus, it can check only HTTP requests that reach Apache. Apache can be supplemented with another web server - nginx. If you turn on the Process PHP by nginx option of the nginx web server for dynamic content of your website (in Apache & nginx settings for a website), the web application firewall will not be able to check HTTP requests because they will never reach Apache. For static content, if the Serve static files directly by nginx option is on, then HTTP requests will not reach Apache, so ModSecurity will not check them.

Upgrade Notes (Linux)

Useful tips if you had ModSecurity installed on the server before upgrading to Plesk Onyx:

Next in this section:

Atomic ModSecurity Rule Sets