Web Application Firewall (WAF)

The Web Application Firewall (ModSecurity) offers the option of checking individual parts or the entire GET and POST request for possible attacks. Depending on the setting, the WAF can be used with either NGINX or Apache.


Activate Web Application Firewall

First log in to the Plesk Control Panel and navigate to the menu item Tools & Settings → Web Application Firewall (ModSecurity). Change the setting here to the value Detection only or On to activate the WAF.


[Image: Plesk - Web Application Firewall]


| Mode | Explanation |
|---|---|
| Off | Incoming HTTP requests and associated responses are not checked. |
| Detection only | Each incoming HTTP request and the associated response are compared with a rule set. If this check is successful, the HTTP request is forwarded to the website content. If the check fails, the event is logged and ModSecurity takes no further action. Other services such as Fail2Ban can still perform their own actions for HTTP requests that have failed the check. |
| On | Each incoming HTTP request and the corresponding response are compared with a rule set. If this check is successful, the HTTP request is forwarded to the website content. If the check fails, the event is logged, a notification is sent and an HTTP response with an error code is returned. |



Deactivate web application firewall

First log in to the Plesk Control Panel and navigate to the menu item Tools & Settings → Web Application Firewall (ModSecurity). Change the setting here to the value Off to completely deactivate the WAF.


Deactivating the Web Application Firewall represents a potential security risk and should only be used for test purposes.

Troubleshooting

ModSecurity audit log

The ModSecurity audit log file is the most useful source of information in the system. As soon as ModSecurity detects an event (a request or response that matches a rule), it writes an entry to the audit log file.


Example log entry for a blocked request to the URL https://www.creoline.de/.env:


--c495fc5c-A--
[10/Sep/2021:13:31:33 +0000] YTteNQUBTQYAAFwXTCwAAABN XXX.XXX.XXXX.XXX 39132 5.1.77.6 7081
--c495fc5c-B--
GET /.env HTTP/1.0
Host: www.creoline.de
X-Real-IP: XXX.XXX.XXX.XXX
X-Accel-Internal: /internal-nginx-static-location
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate
Accept: */*

--c495fc5c-F--
HTTP/1.1 403 Forbidden
Last-Modified: Sun, 05 Mar 2017 01:28:46 GMT
ETag: "3fc-549f1b33767e0"
Accept-Ranges: bytes
Content-Length: 1020
Connection: close
Content-Type: text/html

--c495fc5c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "120"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "120"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "www.creoline.de"] [uri "/.env"] [unique_id "YTteNQUBTQYAAFwXTCwAAABN"]
Action: Intercepted (phase 1)
Stopwatch: 1631280693566204 805 (- - -)
Stopwatch2: 1631280693566204 805; combined=333, p1=255, p2=0, p3=0, p4=0, p5=78, sr=112, sw=0, l=0, gc=0
Producer: ModSecurity for Apache (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine mode: "ENABLED"

--c495fc5c-Z--


Each rule violation is organized in the log file as follows:


  1. request
  2. response
  3. rule information


You will find the following details in the rule information:

[id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]


| Value | Description |
|---|---|
| ID | Rule ID |
| REV | Version defined by the operator of the rule set |
| Severity | The severity of the rule violation |
| Tag | The assigned groups of the rule set |
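The following script is an added example (not part of this documentation, and not Plesk or ModSecurity code) that parses a ModSecurity serial audit log into its lettered sections (A audit header, B request headers, F response headers, H audit trailer, Z end marker) and pulls the rule information out of the `Message:` line in section H. The embedded sample is an abridged copy of the entry shown above, with the same masked IP addresses; it goes beyond the single entry on the page by accepting a log with any number of entries and counting hits per rule ID and request, which is the first step in deciding whether a rule is blocking legitimate traffic. All function names are our own.

```python
"""Parse ModSecurity (mod_security2) serial audit log entries and summarise
the rules that fired. Added example, not code from Plesk or ModSecurity."""
import re
from collections import Counter

# Constructed sample: the page's example entry, abridged (IPs masked as on the page).
SAMPLE_LOG = """--c495fc5c-A--
[10/Sep/2021:13:31:33 +0000] YTteNQUBTQYAAFwXTCwAAABN XXX.XXX.XXXX.XXX 39132 5.1.77.6 7081
--c495fc5c-B--
GET /.env HTTP/1.0
Host: www.creoline.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0

--c495fc5c-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html

--c495fc5c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "120"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Action: Intercepted (phase 1)
Engine mode: "ENABLED"

--c495fc5c-Z--
"""

# Section boundary: --<entry id>-<section letter>--
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Bracketed key/value pairs as written in the Message line: [id "210492"]
KV = re.compile(r'\[(\w+) "([^"]*)"\]')


def split_entries(text):
    """Yield (entry_id, {section_letter: body}) for every entry in the log."""
    entries, order, current = {}, [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            eid, letter = m.groups()
            if eid not in entries:
                entries[eid] = {}
                order.append(eid)
            entries[eid][letter] = []
            current = (eid, letter)
            continue
        if current:
            entries[current[0]][current[1]].append(line)
    for eid in order:
        yield eid, {k: "\n".join(v).strip() for k, v in entries[eid].items()}


def parse_message(message_line):
    """Extract id, rev, severity, file, line and all tags from a 'Message:' line."""
    info = {"tags": []}
    for key, value in KV.findall(message_line):
        if key == "tag":
            info["tags"].append(value)
        else:
            info[key] = value
    return info


def summarize(entry):
    """Reduce one parsed entry to request line, host, response status and rules."""
    request_lines = entry.get("B", "").splitlines()
    method, _, rest = (request_lines[0] if request_lines else "").partition(" ")
    uri = rest.split(" ")[0]
    host = next((l.split(":", 1)[1].strip() for l in request_lines
                 if l.lower().startswith("host:")), "")
    response_lines = entry.get("F", "").splitlines()
    status = response_lines[0] if response_lines else ""
    rules = [parse_message(l) for l in entry.get("H", "").splitlines()
             if l.startswith("Message:")]
    return {"method": method, "uri": uri, "host": host, "status": status, "rules": rules}


def count_rule_hits(text):
    """Count (rule id, 'METHOD /uri') pairs across the whole log. A high count on a
    URI that legitimate users need is the usual sign of a false positive."""
    hits = Counter()
    for _, entry in split_entries(text):
        s = summarize(entry)
        for rule in s["rules"]:
            hits[(rule.get("id"), f"{s['method']} {s['uri']}")] += 1
    return hits


if __name__ == "__main__":
    for eid, entry in split_entries(SAMPLE_LOG):
        print(eid, summarize(entry))
    print(count_rule_hits(SAMPLE_LOG).most_common(10))
```

To run it against a real log, replace `SAMPLE_LOG` with the contents of /var/log/modsec_audit.log (or an unpacked rotated copy) and sort `count_rule_hits` by count; the top entries are the candidates for the Disable security rules section.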


Storage location of the logs

The Web Application Firewall logs are saved in the directory /var/log/ with the file name modsec_audit.log. Depending on the configured log rotation (logrotate), further archived logs such as modsec_audit.log.1.gz are created automatically.


Deactivate rule

To deactivate a rule using the rule ID or the parent tag, navigate to the Disable security rules section. Here you can deactivate individual rules using the Rule ID or Tag.


[Image: Deactivate security rule - WAF]



Frequent false positives

When using Shopware with an activated Web Application Firewall, the following rules can lead to unwanted blocking of requests:


| Rule ID | Shopware action | Request URI |
|---|---|---|
| 210580 | Save customer profile | POST /account |
| 210580 | Customer login | GET /account/login |
| 210580 | Request notifications from Shopware API | GET /api/notification/message |
| 210580 | FriendsOfShopware/FroshTools health check | GET /api/_action/frosh-tools/health/status |
| 211180 | Shop homepage | GET /myShop/index.php |
| 214540 | Google Tag Manager | |
| 214940 | Google Tag Manager | |