This security solution is a comprehensive, automated security tool designed to protect Linux web servers, particularly those utilizing cPanel and Plesk. It incorporates a powerful Web Application Firewall (WAF) that integrates seamlessly with Apache and Nginx servers, providing robust defense against common web-based attacks such as SQL injection, cross-site scripting (XSS), remote file inclusion (RFI), and brute force attempts. Beyond general web protection, this security solution offers specialized rulesets and optimizations for CMS-specific security and prevention of WordPress account compromises.
Key Features of the Web Application Firewall
- Real-Time Protection: Continuously monitors web traffic to block malicious requests as they occur.
- CMS-Specific WAF Rules: Provides predefined rulesets for popular Content Management Systems like WordPress, Joomla, and Drupal, addressing platform-specific vulnerabilities.
- Minimized Rule Set: Utilizes a lightweight, optimized ruleset to enhance performance without compromising security.
- WordPress Account Compromise Prevention: Includes additional rules and features specifically designed to safeguard WordPress login and administrative areas from brute force attacks and unauthorized access attempts.
- Integrated with Popular Web Servers: Offers seamless protection for widely used web servers such as Apache and Nginx.
- AI-Powered Threat Detection: Employs artificial intelligence to detect and mitigate zero-day attacks proactively.
- Automatic Rule Updates: Ensures continuous protection against emerging threats through automated rule updates.
- Malware Scanning: Integrates advanced detection and removal capabilities for various types of malware.
- Brute Force Protection: Defends against brute force attacks targeting login pages.
Installation Guide for the Web Application Firewall Solution
Server Requirements
Before installing the WAF, confirm that the server meets the following prerequisites; the installer does not support other platforms, and an unsupported web server or control panel leaves the WAF unable to hook into the request path.
- Operating System: CentOS 7/8, CloudLinux 7/8, RHEL 7/8, or Ubuntu 16.04/18.04/20.04.
- Web Servers: Apache, Nginx, or LiteSpeed.
- Control Panels: cPanel, Plesk, or DirectAdmin.
- Root access to the server.
Installing the Security Solution
To deploy this security solution on your server, carefully follow these outlined steps. Each command should be executed precisely as indicated.
- Log in as Root: Establish an SSH connection to your server as the root user.
- Download and Install the Security Solution's Script: Download the installation script from your provider's official repository, verify it against the checksum or signature the provider publishes (the script runs as root, so do not pipe an unverified download straight into a shell), and then run it:
wget [URL_TO_YOUR_INSTALLATION_SCRIPT]
bash [YOUR_INSTALLATION_SCRIPT_NAME]
- Activate the Security Solution: Once the installation completes, register the software with a valid license key, obtained from your provider's account. Run the command below, replacing KEY with your actual license key:
[Your_Security_Solution_Agent_Command] register KEY
- Verify Installation: After activation, confirm that the service is installed and running by checking its status:
systemctl status [Your_Security_Solution_Service_Name]
The output should report the service as active (running).
Integrating the WAF Solution with cPanel
Once the security solution is installed, integrating its Web Application Firewall with your cPanel environment is a straightforward process, allowing you to manage its features directly from your hosting control panel.
- Log in to cPanel: After installing the security solution, log in to your WHM/cPanel interface as the root user.
- Access the Security Solution Dashboard: Navigate to the Security Center and locate the icon for the security solution. Clicking this will open its dedicated dashboard.
- Enable the WAF: Within the solution's dashboard, proceed to the Firewall section and activate the Web Application Firewall (WAF). An option to toggle WAF protection for your hosted websites will be available.
- Select Web Server: In the WAF settings, confirm that the WAF is enabled for either Apache or Nginx, depending on your server's current web server configuration.
Configuring the Web Application Firewall
CMS-Specific WAF Rules
This security solution provides specialized, predefined WAF rules tailored for widely used Content Management Systems such as WordPress, Joomla, and Drupal. These rules are designed to target and mitigate vulnerabilities unique to each CMS, offering highly focused protection.
- Access CMS-Specific Rules:
- Within the solution's dashboard, navigate to the WAF Configuration section.
- Activate the CMS-specific rules pertinent to your installed CMS. For instance, if you are hosting a WordPress site, ensure that WordPress-specific rules are active.
- Common CMS Vulnerabilities Covered:
- WordPress: The rulesets provide comprehensive protection against common threats, including safeguarding against plugin vulnerabilities, theme file injection, and XML-RPC abuse.
- Joomla: Guards against file inclusion, SQL Injection, and administrator URL abuse.
- Drupal: Protection covers remote code execution, arbitrary file uploads, and SQL injection.
- Customizing CMS-Specific Rules:
- These rules can be customized. For example, you might strengthen protections on sensitive paths such as /wp-login.php (WordPress) or /administrator (Joomla).
- Custom rules addressing vulnerabilities specific to your deployment can be added in the dedicated Custom Rules section.
Minimized Rule Set
The security solution offers an optimized rule set, based on ModSecurity, which delivers essential protection while maintaining high performance. This is particularly beneficial for servers with constrained resources, as it ensures critical threats are blocked without imposing a heavy server load.
- Enable Minimized Rule Set:
- In the ModSecurity section of the WAF dashboard, toggle the option to utilize the minimized rule set. This will apply a more streamlined version of the standard rules.
- Benefits of a Minimized Rule Set:
- Performance: This approach significantly reduces the load on your server by processing fewer rules, leading to faster request handling.
- Essential Protection: The minimized ruleset focuses on the OWASP Top 10 vulnerabilities, ensuring core security without unnecessary checks.
- Customizing the Minimized Rule Set:
- Users have the option to selectively reintroduce rules deemed critical for their specific environment, allowing for a balanced approach between performance and security coverage.
- Additional rules can be added using the "Add Rule" option as required.
WordPress Account Security Enhancement
Given that WordPress is among the most frequently targeted CMS platforms, implementing additional security measures for its administrative areas and user accounts is paramount. This security solution provides a suite of tools designed to bolster WordPress login pages and prevent account takeovers.
- Enable WordPress-Specific Security:
- Within the Login Protection section, activate brute force protection specifically for WordPress.
- This feature detects repeated failed login attempts against wp-login.php and blocks the source IP addresses that exhibit this behavior.
- Two-Factor Authentication (2FA) Recommendation:
- This security solution does not natively offer 2FA, so enable it through a compatible WordPress plugin (a TOTP-based one such as a Google Authenticator plugin). The solution's brute force protection complements 2FA by cutting off repeated login attempts before they reach the second factor, and 2FA in turn covers the case where a password is already known to the attacker.
- Monitor Login Attempts:
- Regularly review the Logs section to track login attempts and identify potential unauthorized access.
- Configure alerts for multiple failed logins originating from the same IP address to detect brute force attempts proactively.
- Harden the wp-admin Directory:
- Add custom WAF rules for the wp-admin directory, for example restricting access to specific IP addresses or requiring HTTP authentication for the whole directory in addition to the WordPress login. Remember that wp-admin/admin-ajax.php is legitimately called by anonymous visitors on many sites and usually needs an exemption.
- Additional Account Compromise Prevention Tips:
- To further safeguard your WordPress installation, consistently update all WordPress plugins and themes to mitigate vulnerabilities.
- Ensure administrative usernames are unique and not easily guessable, avoiding common names like "admin."
- Continuously monitor for any signs of compromise, such as the appearance of new, unknown users or unexpected changes to user roles.
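The login hardening described above, written as plain ModSecurity v2 directives so it can be dropped into the Custom Rules section or any mod_security2 configuration file. This is an added example and not the product's shipped ruleset; it assumes Apache with mod_security2, a SecDataDir so the persistent ip collection works, an administrator who connects from 192.0.2.10 (a documentation address used as a placeholder), and that rule IDs 10001-10005 are free (1-99,999 is ModSecurity's range for local rules). Section 1 is for sites with a fixed admin address; section 2 is the fallback when allowlisting is not possible. Both are shown together here.

```apacheconf
# Added example, not the product's shipped ruleset (ModSecurity v2 / Apache).
# Assumptions: SecDataDir writable by the web server, admin IP 192.0.2.10 is a
# placeholder, rule IDs 10001-10005 are unused local IDs.

SecDataDir /var/cache/modsecurity

# ---- 1. Restrict wp-login.php and /wp-admin/ to the admin's IP ----------------
# admin-ajax.php is called anonymously by many themes and plugins, so it is
# exempted for this transaction before the restriction rule runs.
SecRule REQUEST_FILENAME "@streq /wp-admin/admin-ajax.php" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=10002"

# Deny when the path is the admin area AND the client is not allowlisted.
# In a chain, the disruptive action on the first rule fires only if every
# chained rule also matches.
SecRule REQUEST_FILENAME "@rx ^/(wp-admin/|wp-login\.php)" \
    "id:10002,phase:1,deny,status:403,log,\
    msg:'WordPress admin area reached from non-allowlisted IP',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.0.2.10"

# ---- 2. Throttle wp-login.php brute force when allowlisting is not possible ----
# Bind the persistent 'ip' collection to the client address.
SecAction "id:10003,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Count POSTs to wp-login.php (only POST submits credentials). The counter
# expires 10 minutes after the most recent attempt, so a persistent attacker
# keeps extending their own lockout.
SecRule REQUEST_METHOD "@streq POST" \
    "id:10004,phase:1,pass,nolog,chain"
    SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
        "setvar:ip.wp_login_attempts=+1,expirevar:ip.wp_login_attempts=600"

# Block further requests to wp-login.php from a client that exceeded 5 attempts
# in the window. The block is scoped to the login page so the rest of the site
# stays reachable for that address.
SecRule IP:wp_login_attempts "@gt 5" \
    "id:10005,phase:1,deny,status:429,log,\
    msg:'wp-login.php brute force: more than 5 POSTs in 10 minutes',chain"
    SecRule REQUEST_FILENAME "@endsWith /wp-login.php"
```

Two caveats a practitioner should check before enabling this. First, REMOTE_ADDR must be the real client address: behind a CDN or reverse proxy it is the proxy's address, and the throttle in section 2 would lock out every visitor at once, so configure mod_remoteip (or an equivalent trusted-proxy setting) first. Second, the persistent collection is only shared across worker processes when SecDataDir points at a directory the web server user can write; without it the counters are per process and the threshold is effectively multiplied by the number of workers.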
Monitoring and Management of the WAF Solution
Monitoring Traffic and Threats
Effective management of any web application firewall includes continuous monitoring of traffic and threats. This security solution provides robust tools for real-time observation and analysis.
- Real-Time Monitoring:
Access the Traffic section within the solution's dashboard to observe incoming web requests in real-time. This interface displays the total number of blocked attacks, alongside detailed logs for each detected malicious request.
- Review Blocked Requests:
Examine all requests that have been blocked by the WAF. Utilize the available filtering options to search for specific IP addresses, URLs, or types of threats, enabling targeted analysis of security incidents.
Whitelisting and Blacklisting IP Addresses
To fine-tune the WAF's behavior, the ability to whitelist trusted IP addresses and blacklist suspicious ones is essential for tailored access control.
- Whitelist Trusted IPs:
To permit specific IP addresses to bypass the WAF's rules, navigate to the Whitelist section and add the desired trusted IP addresses. This ensures uninterrupted access for legitimate users or services.
- Blacklist Suspicious IPs:
For persistent malicious actors or recurring suspicious traffic patterns, you can manually add IP addresses to the Blacklist section. This action will effectively block all traffic originating from those specified IP addresses.
Analyzing WAF Logs
Detailed logging is a cornerstone of effective security management. This security solution meticulously logs all WAF activity, providing valuable insights into potential threats and traffic patterns.
- Access Logs:
The Logs section in the dashboard provides a real-time view of all WAF activity, including blocked requests, identified threats, and general traffic patterns.
- Analyze Patterns:
Leverage these comprehensive logs to identify recurring attack patterns and optimize your WAF rules accordingly. If particular types of attacks are observed frequently, consider updating your custom rules to proactively mitigate them.
Best Practices for Optimizing Your Web Application Firewall
To maximize the effectiveness and efficiency of your Web Application Firewall, adhering to a set of best practices is crucial. These guidelines help ensure your web applications remain secure against evolving threats.
- CMS-Specific Hardening:
- Utilize the solution’s specialized rulesets to provide tailored and robust protection for popular CMS platforms.
- Regularly review and update these CMS-specific rules to stay ahead of new vulnerabilities.
- Leverage the Minimized Rule Set:
- For servers with resource limitations, employ the optimized rule set. Supplement it with custom rules only when absolutely necessary to enhance specific security aspects without impacting performance.
- WordPress Security Best Practices:
- Implement enhanced security measures for WordPress administrative areas, including additional rules and continuous monitoring, to effectively prevent account compromise.
- Activate brute force protection, review login logs regularly, and consider custom rules that restrict access to wp-login.php and wp-admin.
- Regularly Review WAF Logs:
- Consistently monitor WAF logs to detect new types of threats, especially targeted attacks against CMS platforms such as WordPress or Joomla. Proactive log review enables timely adjustments to your security posture.
Modifying and Customizing WAF Rules
The security solution empowers users to fine-tune their web application firewall rules, allowing for modifications to existing rules or the addition of custom rules to meet precise security requirements.
Accessing WAF Rules
- Log in to cPanel/WHM:
Access your security solution's dashboard from within your cPanel or WHM interface.
- Navigate to the WAF Rules Section:
Under the Security tab, click on the Web Application Firewall (WAF) section. Here, you will find a comprehensive list of all currently active rules.
Modifying Existing Rules
The solution allows for precise adjustments to predefined rules, enabling you to adapt them to your specific operational needs.
- Locate the Rule to Modify:
Search for the specific rule you wish to modify, either by its unique rule ID or by filtering based on the vulnerability type it addresses (e.g., SQL Injection, XSS).
- Edit the Rule:
- Select the rule to review its detailed parameters.
- You can adjust the conditions under which the rule triggers or the action it takes (for example deny, drop, or pass). To permit traffic that a rule currently blocks, change the disruptive action in the rule's action list (the third argument of the SecRule directive, where the page's "block, drop, or allow" options correspond to deny, drop, and pass) or, preferably, narrow the rule's targets so that it no longer inspects the particular field that triggers it. There is no separate SecRuleAction directive in ModSecurity; the action list lives inside the rule itself.
Adding Custom Rules
For scenarios requiring highly specific protections not covered by default rules, the option to add custom rules is invaluable.
- Create a New Rule:
Within the Custom Rules section, initiate the creation of a new rule by clicking "Add Rule."
- Define the Rule:
Construct your custom rule using ModSecurity syntax. For example, to block a particular IP address from accessing your site:
SecRule REMOTE_ADDR "@ipMatch 123.45.67.89" "id:200001,phase:1,deny,status:403,log"
The phase is stated explicitly (a rule without one defaults to phase 2, after the request body has been read, which is later than necessary for an IP check), @ipMatch accepts single addresses and CIDR ranges without regex escaping, and deny is used rather than drop because drop is not implemented in ModSecurity v3 (libmodsecurity, the engine used with Nginx). Rule IDs must be unique across the whole configuration; ModSecurity reserves 1-99,999 for local rules, so prefer that range for rules that will never be distributed.
- Save and Apply:
After defining the rule, save it and ensure it is applied to all relevant domains or directories to activate its protection.
Managing Rule Evaluation Order
ModSecurity does not evaluate rules by priority or by ID number. Rules run phase by phase (1: request headers, 2: request body, 3: response headers, 4: response body, 5: logging), and within a phase in the order in which they appear in the configuration. Rule IDs must be unique but have no effect on ordering.
- To make one rule run before another, place it earlier in the configuration or in an earlier phase; renumbering IDs does nothing. Exceptions based on IP addresses, particular URLs, or user agents are implemented as rules that run earlier and use ctl:ruleRemoveById or ctl:ruleRemoveTargetById to switch other rules off for the current transaction, or as configuration-level SecRuleRemoveById and SecRuleUpdateTargetById directives placed after the rule set they modify.
Handling False Positives
Occasionally, legitimate web traffic may be inadvertently blocked by Web Application Firewall rules, leading to what are known as false positives. This guide outlines how to identify such instances and fine-tune or disable rules to ensure seamless user experience.
Identifying False Positives
The initial step in addressing false positives involves diligently reviewing WAF logs to pinpoint legitimate requests that were mistakenly flagged as malicious.
- Review WAF Logs:
Access the Logs section in the security solution's dashboard to examine all blocked traffic entries.
- Filter by Rule ID or IP:
Utilize the filtering options to search for specific rule IDs, IP addresses, or URLs that have been subject to blocking. Focus on requests that appear legitimate but were nevertheless intercepted by the WAF.
- Analyze the Request:
Thoroughly review the details of each blocked request to ascertain if it constitutes a false positive. Inspect the request headers, URL, and the action taken by the rule to verify whether the traffic should have been permitted.
Disabling or Modifying Specific Rules
Once a false positive has been identified, you have several options to prevent recurrence, from temporarily disabling a rule to whitelisting specific traffic.
- Disable the Rule:
After pinpointing a false positive, locate the corresponding Rule ID within the WAF settings. To temporarily disable the rule, you can use a command such as:
[Security_Solution_WAF_Command] rules disable id 981176
Replace 981176 with the actual Rule ID you intend to disable. The rule will then no longer block traffic for any site on the server, so treat this as a stopgap rather than a fix.
- Whitelist IP Addresses:
If a particular IP address is consistently affected by false positives, you can whitelist it so that it bypasses the WAF rules. Navigate to the Whitelist section in the dashboard and add the IP address, or use a ModSecurity rule such as:
SecRule REMOTE_ADDR "@ipMatch 123.45.67.89" "id:200002,phase:1,allow,log"
A bare allow ends rule processing for that transaction (only the logging phase still runs), so this rule must be loaded before the rules it is meant to bypass, and every request from that address then goes uninspected. Keep the list short and review it periodically.
- Modify the Rule (Instead of Disabling):
Rather than completely disabling a rule, consider modifying it to narrow its scope. For instance, you can add exceptions based on specific URLs or parameters, thereby avoiding the blocking of legitimate requests while still upholding security.
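The options above, from narrowest to broadest, as ModSecurity v2 directives. This is an added example and not the product's own configuration; it assumes that CRS rules 941100 (XSS) and 942100 (SQL injection) fired on the HTML that the WordPress editor posts to /wp-admin/post.php in the content argument, reuses the rule ID 981176 mentioned above, uses 192.0.2.0/24 as a placeholder range, and takes 20001-20002 as free local rule IDs.

```apacheconf
# Added example, not the product's configuration (ModSecurity v2 / Apache).
# Assumptions: 941100 and 942100 are the rules that fired; /wp-admin/post.php
# and ARGS:content are where they fired; 192.0.2.0/24 is a placeholder range.

# 1. Narrowest: rule 941100 keeps running everywhere but no longer inspects the
#    one argument that causes the false positive. This directive must appear
#    after the file that defines rule 941100 has been included.
SecRuleUpdateTargetById 941100 "!ARGS:content"

# 2. Runtime exclusion scoped by path and by session: only for the post editor,
#    and only when a WordPress login cookie is present, skip 941100 entirely and
#    stop 942100 from looking at ARGS:content. ctl: applies to the current
#    transaction and only to rules that have not run yet, hence phase 1 here
#    (the CRS request rules run in phase 2).
SecRule REQUEST_FILENAME "@streq /wp-admin/post.php" \
    "id:20001,phase:1,pass,nolog,chain"
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@gt 0" \
        "ctl:ruleRemoveById=941100,ctl:ruleRemoveTargetById=942100;ARGS:content"

# 3. Broadest: the rule is unloaded for every request to every site on the
#    server, which is what the dashboard's 'disable' does. Must also follow the
#    include that defines the rule.
SecRuleRemoveById 981176

# 4. Allowlisting a source range: a bare 'allow' in phase 1 ends rule processing
#    for the transaction (only the logging phase still runs), so nothing from
#    this range is inspected at all. Keep the range as small as possible.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24" \
    "id:20002,phase:1,allow,log,msg:'Allowlisted source range'"
```

Option 2 is usually the right trade-off for CMS editors: the rules stay active for anonymous traffic to the same path, and the cookie check means an attacker without a session gains nothing from the exclusion. Note that the cookie presence is only a hint, not authentication; ModSecurity cannot validate the WordPress session, so do not widen the exclusion beyond the specific rules and arguments that were misfiring. Option 4 takes effect at the point it runs, so any phase-1 rules placed before it can still deny the request.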
Testing and Re-enabling Rules
After making changes to WAF rules, thorough testing is essential to confirm that the desired outcome has been achieved without inadvertently introducing new vulnerabilities.
- Test the Changes:
Following any modification or temporary disabling of a rule, rigorously test your website's functionality by simulating legitimate traffic. Confirm that the change has effectively resolved the false positive issue without creating new security vulnerabilities.
- Re-enable Rules if Necessary:
If a rule was disabled temporarily, monitor its performance over time. Should it prove essential for blocking genuine attacks, consider re-enabling it after careful tweaking or fine-tuning to prevent future false positives.
Adjusting Request Body Size in the WAF
The request body limit (SecRequestBodyLimit) in the ModSecurity engine used by this WAF caps how large an HTTP request body ModSecurity will accept for buffering and inspection. The engine compares the body it actually receives, whether announced through the client's Content-Length header or accumulated from chunked transfer encoding, against this limit. Raising the limit accommodates large file uploads; lowering it rejects oversized requests before they are buffered, which limits the memory and temporary disk space a single client can consume.
Accessing ModSecurity Configuration
To modify request body size limits, you will need to access the underlying ModSecurity configuration through your control panel.
- Log in to cPanel/WHM:
Access your WHM or cPanel interface and navigate to the security solution's dashboard.
- Locate the ModSecurity Configuration:
Within the WAF Settings section of the solution's dashboard, find the ModSecurity Configuration file, where you can directly edit rule parameters and settings.
Modifying the Request Body Limit
To adjust the Request Body Size, you must modify the SecRequestBodyLimit directive within the ModSecurity configuration file. This setting directly impacts the maximum size of data that can be sent in a single request.
- Open ModSecurity Configuration:
Open the main ModSecurity configuration file, typically found at:
/etc/modsecurity/modsecurity.conf
The location varies by distribution and control panel; cPanel's EasyApache 4, for example, keeps its ModSecurity configuration under /etc/apache2/conf.d/modsec/.
- Edit the Request Body Limit:
Search for the SecRequestBodyLimit line in the configuration file. The value shipped in the stock modsecurity.conf-recommended is 13107200 bytes, which is 12.5 MiB (not 13 MB); if the directive is absent altogether the engine's built-in default is 134217728, or 128 MiB. Adjust the value to your needs, for example:
- Increase Request Body Size:
SecRequestBodyLimit 52428800
This sets the request body limit to 50 MiB.
- Decrease Request Body Size:
SecRequestBodyLimit 1048576
This sets the request body limit to 1 MiB.
What happens to a request that exceeds the limit is governed by SecRequestBodyLimitAction: the default, Reject, returns HTTP 413; ProcessPartial inspects only the first SecRequestBodyLimit bytes and lets the rest through uninspected. A companion directive, SecRequestBodyNoFilesLimit, caps the non-file portion of the body (form fields and similar), which is where injection payloads live; it should stay small even when the overall limit is raised for uploads.
Modifying the Request Body In-Memory Limit
The in-memory limit determines how much of the request body ModSecurity holds in RAM before spilling the remainder to a temporary file under SecTmpDir. Adjusting it trades memory against disk I/O on large requests.
- Locate the In-Memory Limit Directive:
Find the SecRequestBodyInMemoryLimit directive:
SecRequestBodyInMemoryLimit 131072
- Default Value: 131072 means 128 KiB of the request body is held in memory.
- Adjusting the Value: Increase or decrease this limit based on the memory available on your server. Example:
- Increase In-Memory Limit:
SecRequestBodyInMemoryLimit 262144
This sets the in-memory limit to 256 KiB.
This directive applies to ModSecurity v2 (Apache). ModSecurity v3 (libmodsecurity, used by the Nginx connector) keeps the request body in memory and does not honor it, so on Nginx the only effective control over memory use is SecRequestBodyLimit itself.
Modifying the Response Body Limit
Similarly, the Response Body Limit controls how much of each server response ModSecurity buffers for inspection, so that excessively large responses do not exhaust memory.
- Edit the Response Body Limit Directive:
Locate the SecResponseBodyLimit directive:
SecResponseBodyLimit 5242880
- Value: 5242880 sets the response body limit to 5 MiB. For reference, the stock modsecurity.conf-recommended and the engine's built-in default use 524288, i.e. 512 KiB.
- Increase the Limit: If your application frequently generates large responses of an inspected MIME type (for example large HTML pages or JSON data exports), you might need to increase this limit. For instance:
SecResponseBodyLimit 10485760
This increases the response body limit to 10 MiB.
- Choose What Happens Above the Limit: The limit cannot be switched off; what can be changed is its effect, via SecResponseBodyLimitAction. The default, Reject, fails the response with an HTTP 500 once it exceeds the limit. The alternative is:
SecResponseBodyLimitAction ProcessPartial
With ProcessPartial, ModSecurity inspects only the first SecResponseBodyLimit bytes and passes the remainder through uninspected. This is the usual choice for applications that legitimately serve large responses, at the cost of not inspecting the tail of those responses. Response body inspection applies only to the MIME types listed in SecResponseBodyMimeType, so large file downloads of other types are not affected by this limit at all.
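The body-limit directives discussed in this section, collected into one fragment with the weak and corrected settings side by side. This is an added example and not the product's shipped configuration; it assumes ModSecurity v2 on Apache, a site whose largest legitimate upload is 50 MiB, and SecTmpDir left at its default.

```apacheconf
# Added example, not the product's shipped configuration (ModSecurity v2 / Apache).
# Assumption: uploads of at most 50 MiB are legitimate for this site.

SecRequestBodyAccess On

# Hard cap on the whole request body, files included (50 MiB = 50*1024*1024).
SecRequestBodyLimit 52428800

# Cap on the non-file part of the body (form fields, JSON). This is where
# injection payloads live, so it stays at the stock 128 KiB even though the
# overall limit above was raised for uploads.
SecRequestBodyNoFilesLimit 131072

# Bytes held in RAM before the rest of the body spills to SecTmpDir (v2 only;
# libmodsecurity/Nginx keeps the whole body in memory and ignores this).
SecRequestBodyInMemoryLimit 131072

# Weak setting: ProcessPartial lets an oversized body through with only the
# first 50 MiB inspected, so a payload placed past the limit is never seen.
# SecRequestBodyLimitAction ProcessPartial
# Corrected: Reject (the default) answers with HTTP 413 instead.
SecRequestBodyLimitAction Reject

# Response side: only these MIME types are buffered and inspected at all, so
# binary downloads are unaffected by the limit below.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json

# Stock recommended value (512 KiB). Raising it to several MiB multiplies the
# memory used per concurrent response; raise only if your pages really are
# that large.
SecResponseBodyLimit 524288

# For responses, ProcessPartial is the sensible choice: Reject would turn a
# large legitimate page into an HTTP 500, while ProcessPartial still inspects
# the first 512 KiB where leaked error messages and injected content appear.
SecResponseBodyLimitAction ProcessPartial
```

The asymmetry between the two LimitAction settings is deliberate: an oversized request is attacker-controlled input and is safely refused, whereas an oversized response is the application's own output and refusing it breaks the site. After editing, run the web server's configuration check before restarting so that a typo in a directive does not take the site down.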
Applying Changes and Restarting Services
After making any modifications to the ModSecurity configuration, it is imperative to save the changes and restart your web server for the new settings to take effect.
- Save the Configuration:
Once all necessary changes have been made to the ModSecurity configuration file, ensure you save the file to apply your modifications.
- Restart the Web Server:
To activate the new settings, run the web server's configuration syntax check first, then restart (or gracefully reload) the server. Use the command that matches your server type:
For Apache:
systemctl restart httpd
On Ubuntu the Apache service is named apache2 rather than httpd.
For Nginx:
systemctl restart nginx
- Verify Changes:
After the restart, confirm that the new limits are active: send a request whose body is just above and just below the configured limit and check that the oversized one is rejected with the expected status (413 for Reject) while the other is accepted, and review the WAF logs for any warnings or errors related to request size.
Common Scenarios for Adjusting Request Body Size
Understanding the practical implications of adjusting request body size limits can help tailor your WAF configuration to specific application requirements and security postures.
- Large File Uploads:
If your web application allows users to upload substantial files, such as images, PDFs, or videos, increasing the request body size limit is often necessary to accommodate these transfers.
- Security Tightening:
Conversely, reducing the request body size limit can enhance security by preventing attacks that rely on oversized requests. It provides an additional layer of defense against denial-of-service attempts that try to overwhelm the server with extremely large payloads.
- Performance Optimization:
Tuning the in-memory limit can improve server performance by ensuring that large request bodies are not held entirely in memory, which could otherwise lead to slowdowns and resource strain.
Best Practices for Request Body Size Management
Effective management of request body size involves a careful balance between security, performance, and application functionality. Adhering to these best practices will help you achieve an optimal configuration.
- Balance Security and Performance:
Ensure that the configured request body size limit is large enough for all legitimate application requests, including file uploads and data submissions, but not so large that an attacker can tie up memory and temporary disk space with oversized requests. Keep SecRequestBodyNoFilesLimit small regardless of how high the overall limit is set.
- Monitor Logs Regularly:
Consistently review your WAF logs for requests rejected because they exceeded SecRequestBodyLimit (HTTP 413 under the default Reject action). This monitoring shows whether the current limits need further tuning to avoid interrupting legitimate traffic.
- Optimize Memory Usage:
By adjusting the in-memory limit, you can keep memory use per request bounded while still allowing larger request bodies to be processed and logged efficiently.
- Apply Limits Specific to Application Needs:
For environments hosting multiple applications, consider setting the request body size limit per domain or path within your web server configuration (for example in the relevant virtual host). This granular approach gives each application limits tailored to what it legitimately needs instead of the most permissive value required by any one of them.
Conclusion
This comprehensive Web Application Firewall solution offers a robust and highly customizable approach to safeguarding your web applications against a myriad of contemporary threats. With its specialized rules for popular Content Management Systems, an optimized ModSecurity rule set, and advanced features for WordPress account compromise prevention, it provides extensive protection across various web server environments. By diligently following the guidelines outlined in this document, you can effectively install, configure, and optimize this WAF solution to secure your server and critical web applications.
