Set Up a Web Application Firewall (WAF)

A Web Application Firewall (WAF) acts as a protective shield between users and your web application, filtering and blocking malicious traffic before it reaches your server. This is essential for preventing:

✅ SQL Injection – Attackers injecting malicious SQL queries.
✅ Cross-Site Scripting (XSS) – Malicious scripts executed in users' browsers.
✅ Cross-Site Request Forgery (CSRF) – Unauthorized actions performed on behalf of authenticated users.
✅ Malicious bots and DDoS attacks targeting your website.

By implementing a WAF, you reduce attack risks and protect your web applications from common vulnerabilities.

How to Set Up ModSecurity WAF for Apache or Nginx

1. Install ModSecurity and OWASP Core Rule Set (CRS)

For Apache (Debian/Ubuntu):

sudo apt install libapache2-mod-security2 -y
sudo apt install modsecurity-crs -y

For Nginx (Debian/Ubuntu):

sudo apt install libnginx-mod-security -y
sudo apt install modsecurity-crs -y

For CentOS/RHEL (Apache):

sudo yum install mod_security -y

2. Enable ModSecurity on Your Web Server

For Apache:

1. Enable ModSecurity module:

   sudo a2enmod security2
   

2. Edit ModSecurity configuration file:

   sudo nano /etc/modsecurity/modsecurity.conf
   

   Change:

   SecRuleEngine DetectionOnly
   

   To:

   SecRuleEngine On
   

3. Restart Apache to apply changes:

   sudo systemctl restart apache2
   

For Nginx:

1. Edit the Nginx configuration file:

   sudo nano /etc/nginx/nginx.conf
   

2. Add the ModSecurity directive under the http block:

   modsecurity on;
   modsecurity_rules_file /etc/nginx/modsec/main.conf;
   

3. Restart Nginx to apply changes:

   sudo systemctl restart nginx
   

3. Configure the OWASP ModSecurity Core Rule Set (CRS)

The OWASP CRS provides predefined WAF rules to protect against common attacks.

1. Edit the OWASP CRS settings file:

   sudo nano /etc/modsecurity/crs/crs-setup.conf
   

2. Enable stricter security rules:

   • Set paranoia level (higher = stricter security):

     SecAction \
       "id:900000, \
       phase:1, \
       nolog, \
       pass, \
       t:none, \
       setvar:tx.paranoia_level=2"
     

   (Default is 1, but 2 increases security with minimal false positives.)

3. Restart Apache or Nginx to apply:

   sudo systemctl restart apache2   # For Apache
   sudo systemctl restart nginx      # For Nginx
   

4. Regularly Update WAF Rules

To stay protected against new threats, update ModSecurity and CRS rules frequently:

✅ For Debian/Ubuntu:

sudo apt update && sudo apt upgrade -y

✅ For CentOS/RHEL:

sudo yum update -y

✅ For Manual CRS Updates:

cd /etc/modsecurity/crs/
sudo git pull
sudo systemctl restart apache2   # Restart Apache

5. Test WAF Protection

1. Simulate an SQL Injection Attack:
   Try accessing:

   http://yourwebsite.com/?id=1' OR '1'='1
   

   (Your WAF should block the request.)

2. Check WAF logs for blocked attacks:

   sudo cat /var/log/modsec_audit.log
   

Alternative: Use Cloud-Based WAF Solutions

If managing a self-hosted WAF is complex, consider cloud-based WAFs, which offer automatic rule updates and AI-driven protection.
✅ Cloudflare WAF → Easy to set up, protects against bots, DDoS, and web attacks.
✅ AWS WAF → Integrates with AWS services to filter malicious traffic.
✅ Sucuri WAF → Blocks attacks at the DNS level before they reach your server.

Best Practices for WAF Security

✅ Enable ModSecurity logging to monitor blocked threats.
✅ Fine-tune WAF rules to balance security and usability (avoid false positives).
✅ Combine WAF with Fail2Ban for extra protection against brute-force attacks.
✅ Regularly test your web application for vulnerabilities (e.g., with OWASP ZAP).

By deploying a Web Application Firewall (WAF), you protect your website from hackers, prevent data breaches, and secure web applications against modern cyber threats.