RunCloud has taken a significant step forward in server protection by integrating ModSecurity and the OWASP Core Rule Set (CRS) into its Web Application Firewall (WAF). This advanced security system allows administrators to block attacks before they reach applications, ensuring robust protection while maintaining an intuitive management experience.


ModSecurity: A Shield Against Web Attacks

ModSecurity is an open-source Web Application Firewall (WAF) compatible with Apache, Nginx, and IIS servers. Its primary function is to analyze HTTP(S) traffic and apply security rules to prevent attacks before they can impact a web application.

According to OWASP, over 70% of cyberattacks target web applications. RunCloud’s ModSecurity integration helps mitigate risks such as:

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Remote and Local File Inclusion (RFI/LFI)
  • Malicious PHP and Java Code Execution
  • Shellshock and HTTPoxy Attacks
  • Metadata and Configuration Leakages

When a request is identified as malicious, the system blocks access and returns a 403 Forbidden message, preventing unauthorized actions.


OWASP CRS: Advanced Rules for Comprehensive Protection

While ModSecurity provides the security engine, the OWASP Core Rule Set (CRS) enhances detection accuracy, ensuring minimal false positives and adaptable security measures.

Administrators can select from four levels of paranoia, depending on their security needs:

🔹 Level 1 (PL1): Default, ideal for beginners and general websites.
🔹 Level 2 (PL2): Enhanced detection of SQLi and XSS attacks.
🔹 Level 3 (PL3): Identifies advanced evasion techniques and uncommon threats.
🔹 Level 4 (PL4): Extreme restrictions for high-security environments.

For most cases, RunCloud recommends Level 1 or 2 to balance security and usability.


Anomaly Threshold: A Scoring System for Threat Detection

One of the most critical components of ModSecurity is its Anomaly Scoring System, which assigns a risk score to each HTTP(S) request based on its threat level.


How the Anomaly Scoring System Works

Each incoming request is analyzed against security rules and assigned a cumulative risk score based on the following scale:

  • Notice (2 points): Minor suspicious activity, no immediate action needed.
  • Warning (3 points): Possible attack attempt, but not yet harmful.
  • Error (4 points): Significant risk, but not an immediate threat.
  • Critical (5 points): Confirmed malicious activity, requiring immediate blocking.

The Anomaly Threshold defines the total risk score allowed before a request is blocked.

Recommended Anomaly Threshold Settings

🔸 Low Sensitivity (10-15 points): Suitable for trusted traffic and regular user activity.
🔸 Balanced Mode (5-10 points): Recommended for production environments with optimized security.
🔸 Strict Mode (1-5 points): Aggressive blocking, ideal for highly sensitive data protection.

For example, if a request triggers three warnings (9 points) and an error (4 points), it reaches a total score of 13 points. If the threshold is set to 10, the request is automatically blocked.

This scoring system ensures that legitimate traffic is not unnecessarily blocked while malicious activities are stopped in real time.
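
The trade-off between the three threshold ranges can be checked against recorded traffic before a setting is changed. The following Python sketch is an added example, not RunCloud or CRS code: it applies the severity scale above to a constructed set of requests and counts, for each candidate threshold, how many malicious requests are blocked, how many legitimate ones are blocked by mistake, and how many malicious ones pass. The request records, their "malicious" labels and the function names are assumptions made for illustration, as is the rule that a request is blocked once its score reaches the threshold.

```python
from collections import Counter

# Points per severity, as listed in the article's scale.
SEVERITY_POINTS = {"notice": 2, "warning": 3, "error": 4, "critical": 5}

def anomaly_score(matched):
    """Cumulative score: sum of the points of every rule the request matched."""
    return sum(SEVERITY_POINTS[sev] for sev in matched)

def is_blocked(matched, threshold):
    # Assumption of this example: a request is blocked once its score
    # reaches the threshold (score >= threshold).
    return anomaly_score(matched) >= threshold

def compare_thresholds(requests, thresholds):
    """For each candidate threshold, count true blocks, false positives and misses."""
    report = {}
    for threshold in thresholds:
        counts = Counter(blocked_bad=0, blocked_good=0, missed_bad=0)
        for req in requests:
            blocked = is_blocked(req["matched"], threshold)
            if blocked and req["malicious"]:
                counts["blocked_bad"] += 1
            elif blocked:
                counts["blocked_good"] += 1   # false positive
            elif req["malicious"]:
                counts["missed_bad"] += 1     # slipped under the threshold
        report[threshold] = dict(counts)
    return report

# Constructed sample: severities of the rules each request matched, plus a
# hand-assigned triage label. Not taken from any real audit log.
SAMPLE = [
    {"id": "article-example", "matched": ["warning"] * 3 + ["error"], "malicious": True},
    {"id": "single-critical", "matched": ["critical"], "malicious": True},
    {"id": "cms-editor-save", "matched": ["warning", "notice"], "malicious": False},
    {"id": "api-upload", "matched": ["error", "warning"], "malicious": False},
    {"id": "search-with-quotes", "matched": ["notice"], "malicious": False},
    {"id": "plain-page-view", "matched": [], "malicious": False},
]

if __name__ == "__main__":
    for threshold, counts in compare_thresholds(SAMPLE, [15, 10, 5]).items():
        print(f"threshold {threshold:>2}: {counts}")
```

On this sample, a threshold of 5 blocks both malicious requests but also two legitimate ones, which is the kind of false positive the CMS exclusion rules are meant to reduce.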


Advanced Configuration and Custom Rules

RunCloud provides granular control over firewall settings, allowing administrators to customize security levels for specific needs:

  • Exclusion Rules for Popular CMS Platforms: Prevent false positives for WordPress, Drupal, Magento, Nextcloud, and XenForo.
  • Custom Firewall Rules (Business Plan Only): Block traffic based on IP, country, HTTP headers, or URI patterns.
  • Real-Time Monitoring: Access error logs and audit reports directly from the dashboard without needing SSH.

How to Enable the Firewall in RunCloud

Enabling the WAF is quick and straightforward:

1️⃣ Log in to the RunCloud Dashboard and select your server.
2️⃣ Go to “Web Applications” and choose the application to protect.
3️⃣ Enable ModSecurity and OWASP CRS with a single click in the “Firewall” menu.
4️⃣ Adjust the Anomaly Threshold and Paranoia Level as needed.
5️⃣ Save changes, and the protection will be active immediately.


Conclusion: Simplified, High-Level Security

RunCloud has successfully simplified enterprise-grade security, integrating ModSecurity and OWASP CRS into an easy-to-manage firewall solution.

With flexible settings, customizable rules, and real-time monitoring, RunCloud offers powerful protection without compromising site performance.

🚀 Key Takeaways

  • Blocks critical threats like SQLi, XSS, and RFI/LFI
  • Adjustable Paranoia Levels and Anomaly Threshold
  • Custom firewall rules for advanced security needs
  • Intuitive dashboard for seamless management

This latest update solidifies RunCloud’s position as one of the most secure cloud server management platforms available today.
