Securing Apache with ModSecurity

Apache HTTP Server is the most widely used web server application and is arguably the best available. Nevertheless, being a good application does not automatically make Apache secure. If your websites are simple html pages with no dynamic web applications or scripts, you probably do not have need for much concern. Once you start introducing other elements, however, security can become an issue.

PHP scripts, for example, introduce vulnerabilities into your system that can be hard to predict. Rather than find out you have a security hole after the fact, the proactive web host will use a security system. ModSecurity is a free and open source web application firewall. As the name and description imply, it protects your web server by placing a firewall between it and your web applications. Before an outside entity can use your web applications to interact with the server, it must go through ModSecurity.

ModSecurity comes with a set standard core rules that you can install and immediately apply. Chances are, however, that you will want to customize those rules depending on your needs. Sometimes they might be too restrictive for certain applications. You can make exceptions and tweak it to your liking. The large community of users also submit custom rules that they share with each other. In addition to the source code, you can obtain binary packages for ModSecurity for various Linux distributions, BSD, Windows, and many Unix variants.

Photo source: Flickr