How to Add Custom ModSecurity Rules with OpenLitespeed and DirectAdmin

When ModSecurity is used with OpenLiteSpeed it will improve the security of your server by applying a Web Application Firewall (WAF). The ModSecurity WAF increases the protection level applied to your server by detecting and preventing attacks before they reach web-based software programs.

The ModSecurity module is configured by applying a flexible rules based engine that can perform multiple simple and complex operations. The rules based engine uses a Core Rule Set (CRS) which provides protection against cross website scripting,
bad user agents, SQL injection, trojans, session hijacking and more. DirectAdmin is able to use ModSecurity Core Rule Sets (CRS) provided by OWASP and Comodo and can be easily installed using custombuild.

The most common ModSecurity rule triggered on a server is the 403 Forbidden error. This simply means that the process you are trying to complete has been prevented from being actioned as you do not have the required permissions to access this process.

ModSecurity works in the background and will check every request against the various rules in the Core Rule Set to filter out any malicious requests. This could be attacks against WordPress core files such as wp-login.php or admin-ajax.php, known vulnerabilities in WordPress plugins such as the recent File Manager which is currently installed on 600,000+ websites and documented by the WordFence Security Team or against system files such as the .env file. The ultimate goal for the attack is too find an exploitable vulnerability in your server or software to hack your website or server.

In this guide, we will show you how to add and enable custom ModSecurity rules with OpenLitespeed and DirectAdmin. Rebuild the ModSecurity rules and apply them to all websites hosted on the server. This guide assumes you have already installed ModSecurity. If you haven’t, you can follow our How to Install ModSecurity with OpenLiteSpeed and DirectAdmin guide.

By default custombuild will use the httpd-modsecurity-enable.conf file to enable and configure ModSecurity with OpenLitespeed. However, we can’t write directly to this file as when we rebuild the vhost configuration files using the ./build rewrite_confs command custombuild will overwrite any changes.

We will need to use a custom httpd-modsecurity-enable.conf template to enable the changes and ensure they are added into the OpenLitespeed configuration file generated by custombuild.

To create the custom the httpd-modsecurity-enable.conf template file, simply use the following commands.

cd /usr/local/directadmin/custombuild/
mkdir -p custom/openlitespeed/conf
cp -p /usr/local/lsws/conf/httpd-modsecurity-enable.conf custom/openlitespeed/conf/

These commands how now created a new custom OpenLitespeed configuration folder within the existing custombuild folder and copied the existing httpd-modsecurity-enable.conf template. Now the file has been copied we can edit the file using the following commands.

nano /usr/local/directadmin/custombuild/custom/openlitespeed/conf/httpd-modsecurity-enable.conf

The default httpd-modsecurity-enable.conf template file will look similar to the example below.

module mod_security {
modsecurity on
modsecurity_rules_file /usr/local/lsws/conf/httpd-modsecurity.conf
modsecurity_rules_file /usr/local/directadmin/data/admin/modsecurity_rules
}

Before we add in our custom ModSecurity rules it is important to understand what each line means.

  • modsecurity on – simply means that the ModSecurity Module is on. The available options are on or off.
  • modsecurity_rules_file – specifies the location of the ModSecurity rules file. These are written to the bottom of the httpd-modsecurity.conf file by default.

Now we can add our custom ModSecurity rules to the httpd-modsecurity-enable.conf template inside the modsecurity_rules block. When adding custom rules to the modsecurity_rules block we need to ensure they are enclosed inside a backtick "`". Inside the block we can include multiple rules, however, it is important to keep in mind that ModSecurity will load all rules in order.

In the httpd-modsecurity-enable.conf file simply copy the example rule shown below after the modsecurity on line.

modsecurity_rules `
SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:12345,deny,status:403,msg:'Our modsec test rule has triggered'"
`

The file show now look like the example below.

module mod_security {
modsecurity on
modsecurity_rules `
SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:12345,deny,status:403,msg:'Our modsec test rule has triggered'"
`
modsecurity_rules_file /usr/local/lsws/conf/httpd-modsecurity.conf
modsecurity_rules_file /usr/local/directadmin/data/admin/modsecurity_rules
}

Below is an explanation of the new code we have added into the httpd-modsecurity-enable.conf file.

  • modsecurity_rules – simply specifies the ModSecurity rules code block.
  • SecRuleEngine On – means that ModSecurity will now log and block any rules that match.
  • SecRule ARGS:testparam – is the custom ModSecurity rule.

After saving the httpd-modsecurity-enable.conf file you will need to rebuild the ModSecurity rules file and vhost configuration files using the following commands.

./build modsecurity_rules
./build rewrite_confs

Now you can test the custom ModSecurity rule has been implemented correctly using the following command.

https://example.com/index.html?testparam=test

Note

Don’t forget to change https://example.com to your own domain you want to test.

After testing the custom ModSecurity rule you will get 403 Forbidden response. You can also check the ModSecurity log by logging into your DirectAdmin dashboard. Once in the main dashboard select the ModSecurity icon under Server Manager.

How to Block Bad Bots using ModSecurity with DirectAdmin

In the ModSecurity dashboard select Log from the tabbed menu. Under the domain section you will see the domain used in the test above, in our example it shows demo.vpsbasics.com alongside the request /index.html?testparam=test. To the right you will see the rule ID1234 has been blocked with the message Our modsec test rule has triggered.

How to Add Custom ModSecurity Rules with OpenLitespeed and DirectAdmin

That’s it. You have successfully added and enabled custom ModSecurity rule with OpenLitespeed and DirectAdmin. You have also rebuilt the ModSecurity rules file and applied it to all existing websites hosted on the server.

How useful was this guide?

Click on a star to rate it!

Average rating / 5. Vote count:

Be the first to rate this guide.

We are sorry that this guide was not useful for you!

Help us to improve this guide!

Tell us how we can improve this guide?

By VPSBasics

This guide was written by the VPS Basics editorial team, led by Gilberto Van Roosen. They are a unique blend of people, dedicated to providing highly detailed, comprehensive and importantly easy to follow tutorials, written in plain English. They specialise in tutorials for managing Linux servers and its software.

Join the Conversation

Note: Your email address will not be published when posting a comment.

Note: All comments are held for moderation and are reviewed by our editorial team prior to approval.

VPSBasics uses Akismet anti-spam filters to reduce spam across our website. Our website is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. Learn how your data is processed.