cPGuard WAF required settings and dependencies

cPGuard WAF is a ModSecurity rule set that works with the Apache, Nginx, and LiteSpeed web servers. Because it is built on top of the ModSecurity module, it shares that module's dependencies, and they must be met before enabling cPGuard WAF. Depending on the control panel and other software you use on your server, you may need to adjust related settings to prepare it for cPGuard WAF.

This article describes the common, generic settings you need to apply if you are getting WAF settings errors in cPGuard.

Requirements and Settings

The server must meet the following requirements to enable cPGuard WAF:

  • ModSecurity version 2.9.4 or higher must be enabled on the web server
  • SecRuleEngine should be turned ON
  • The OWASP rule set must be DISABLED, as it is not compatible with our WAF
  • SecAuditLog must be enabled to display WAF logs in the UI [this is not required for the WAF to block attacks; it is only for logging purposes]
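
The requirements above can be checked against a ModSecurity configuration file before the WAF is turned on. The script below is an added example, not part of cPGuard or of the original article: the function names, the sample configuration and its paths are constructed, the ModSecurity version is passed in as an argument, and spotting an OWASP rule set by "owasp" or "crs" in an Include path is a heuristic assumption.

```shell
#!/bin/sh
# Added example: preflight check for the four requirements listed above.
# Function names and the sample config below are constructed for illustration.

# version_ge A B: succeeds when dotted version A >= B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# last_value FILE DIRECTIVE: last uncommented value of DIRECTIVE, quotes stripped.
last_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2; gsub(/"/, "", v) }
                   END { print v }' "$1"
}

# check_waf_prereqs FILE VERSION: prints each unmet requirement and returns
# the number of failures (0 means the config is ready for the WAF).
check_waf_prereqs() {
    conf=$1; ver=$2; fails=0
    version_ge "$ver" 2.9.4 ||
        { echo "FAIL: ModSecurity $ver is older than 2.9.4"; fails=$((fails + 1)); }
    engine=$(last_value "$conf" SecRuleEngine | tr 'A-Z' 'a-z')
    [ "$engine" = "on" ] ||
        { echo "FAIL: SecRuleEngine is '${engine:-unset}', expected On"; fails=$((fails + 1)); }
    # Heuristic (assumption): an OWASP rule set shows up as an Include whose
    # path contains "owasp" or "crs".
    if grep -Eiq '^[[:space:]]*Include(Optional)?[[:space:]].*(owasp|crs)' "$conf"; then
        echo "FAIL: an OWASP rule set is included"; fails=$((fails + 1))
    fi
    # The audit log is needed only for showing WAF logs in the UI, so warn only.
    [ -n "$(last_value "$conf" SecAuditLog)" ] ||
        echo "WARN: SecAuditLog is not set; WAF logs will not appear in the UI"
    return "$fails"
}

# Constructed sample: engine in DetectionOnly and an OWASP include still present.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SecRuleEngine DetectionOnly
SecAuditLog /var/log/modsec_audit.log
IncludeOptional /etc/modsecurity/owasp-crs/rules/*.conf
EOF
check_waf_prereqs "$sample" 2.9.3 || echo "$? requirement(s) not met"
```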

Settings in cPanel

The following values should be set in Home >> Security Center >> ModSecurity™ Configuration >> Configure Global Directives:

  1. “Audit Log Level SecAuditEngine” should be set to “Only log noteworthy transactions”, which is the recommended value
  2. “Rules Engine SecRuleEngine” should be set to “Process the rules”

Also, do not enable additional ModSecurity vendor rules from WHM >> Security Center >> ModSecurity™ Vendors >> Manage Vendors.

ConfigServer ModSecurity Control

You should not turn off ModSecurity in ConfigServer ModSecurity Control (CMC).

Settings in DirectAdmin

You should enable ModSecurity in your web server without any additional rules. The CWAF rules are compatible, and you can optionally enable them if you would like.

cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset "no"
./build modsecurity
./build modsecurity_rules
./build rewrite_confs

You should also make sure that SecRuleEngine is set to ON in DirectAdmin >> Server Manager >> ModSecurity.

Plesk ModSecurity Settings

In Plesk, you need to enable the ModSecurity module in Apache or Nginx with our custom rule set or Comodo WAF (based on your preference) before enabling the WAF. Please note that you should not enable the OWASP rule set, as it is not compatible with cPGuard WAF.

The recommended ways to enable ModSecurity before turning on cPGuard WAF are given below.

If you wish to enable ModSecurity in Apache, run the following command:

plesk bin server_pref --update-web-app-firewall -waf-rule-engine on -waf-web-server apache  -waf-rule-set custom -waf-archive-path /opt/cpguard/app/resources/cpg_modsec_enable.conf.zip

If you wish to enable ModSecurity in Nginx, run the following command:

plesk bin server_pref --update-web-app-firewall -waf-rule-engine on -waf-web-server nginx  -waf-rule-set custom -waf-archive-path /opt/cpguard/app/resources/cpg_modsec_enable.conf.zip

Once ModSecurity is enabled using one of the above commands, you can turn on cPGuard WAF from Settings. 

As mentioned above, you can optionally enable the Comodo WAF rules instead of our custom ModSecurity rule set if you prefer to use them.
