Test whether mod_security is actually working
By default the engine will only be in detection mode:
SecRuleEngine DetectionOnly
You need to change it to SecRuleEngine On:
sed -i -e 's/^\s*SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
and restart Apache.
In your browser try to access a website hosted on that server like in this example:
http://www.anywebsitefromthatserver.com/aphpfilethatdonotexist.php?something=../../etc
Then check the ModSecurity log and you'll see something similar (if you have WHM / cPanel, check WHM -> ModSecurity Tools to see the log):
2017-12-14 10:28:41 www.anywebsitefromthatserver.com YOUR IP: 68.XX.XX.XX CRITICAL 404 930100: Path Traversal Attack (/../)
The detailed log will be like:
Request: GET /aphpfilethatdonotexist.php?something=../../etc
Action Description: Warning.
Justification: Pattern match "(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_URI_RAW.
If you see a similar log entry, then you can be sure your ModSecurity is activated and working.
I found an answer to this. Just visit your site like so: example.com/etc/passwd
That'll bring up an instant 403 from mod_security and log it in its default log.
I have a check as below:
$ curl -ks -o /dev/null -w '%{http_code}' "https://something.example.com/foo?username=1'%20or%20'1'%20=%20'"
If you get a 403, then ModSecurity is working as expected.
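An added example, not part of any answer above: a request that is only logged (DetectionOnly) and one that is rejected with 403 (On) both show the module is loaded, but only the second is enforcing, so this script reads the SecRuleEngine value in effect and interprets the probe's status code against it. The function names and verdict strings are hypothetical, and it assumes a single config file with no Include or per-vhost overrides.

```shell
#!/bin/sh
# Added example. Sample config below is constructed for illustration.

# Print the SecRuleEngine value in effect in config file $1: the last
# uncommented directive wins (assumption: one file, no Include or
# per-vhost overrides). Prints "unset" if the directive is absent.
effective_engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Send the SQL-injection-style test request from the curl answer above to
# base URL $1 and print only the HTTP status code.
probe_status() {
    curl -ks -o /dev/null -w '%{http_code}' \
        "$1/foo?username=1'%20or%20'1'%20=%20'"
}

# Combine engine mode $1 and probe status $2 into a verdict.
classify_probe() {
    mode=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$mode:$2" in
        on:403)            echo "blocking" ;;
        on:*)              echo "on-but-request-not-blocked" ;;
        detectiononly:403) echo "blocked-by-something-else" ;;
        detectiononly:*)   echo "logging-only" ;;
        *)                 echo "engine-off-or-unset" ;;
    esac
}

# Offline demo on a constructed config; pass a base URL and a config path
# as $1 and $2 to check a real server instead.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    classify_probe "$(effective_engine_mode "$2")" "$(probe_status "$1")"
else
    conf=$(mktemp)
    printf '%s\n' '# SecRuleEngine On' 'SecRuleEngine DetectionOnly' > "$conf"
    m=$(effective_engine_mode "$conf")
    echo "mode=$m 404 -> $(classify_probe "$m" 404)"
    rm -f "$conf"
fi
```

A "logging-only" verdict means the rule match should still appear in the ModSecurity log even though the request was served normally.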