What is Modshield technically?
Modshield is a custom implementation of ModSecurity powered by the OWASP Core Rule Set and fine-tuned rules from StrongBox IT. Modshield can also be considered a wrapper that helps you make full use of ModSecurity's features easily.
How many domains or applications can one instance of Modshield protect?
Technically, you can use an unlimited number of domains. If you are expecting high traffic across all your domains, we recommend that you split the allocations across multiple instances of Modshield as per your requirements.
What if I run an HTTPS application?
Simple. Just add the certificate information in the domain configuration and you are good to go.
Can I use Modshield only as a load balancer?
Yes. You can turn off the firewall option in the Domain Configuration and use Modshield as a Load Balancer alone.
What is a health check?
Modshield checks the status of the domains every 15 minutes and notifies you if your application server is down. If you want this time interval changed, please drop a note to support from your instance and we will have it sorted for you.
Does Modshield act as a CDN as well?
No. Modshield is not a CDN. Future updates might include this feature.
What happens when there is no space in the instance?
The only reason for this to happen could be that the log files have not been cleared for a long time. We recommend that you archive the logs.
Does Modshield satisfy any compliance requirements?
All compliance standards either mandate or recommend the use of an application firewall. Modshield fits this requirement perfectly since it gives you access to raw logs and events. The dashboard also has all the indicators that compliance standards recommend you monitor.
What is a safe IP?
If there are certain users for whom you would like to turn off the firewall, you can add their IP addresses to the safe IP list. This turns off rule processing for all requests coming from those IPs.
How is a Safe IP different from a Whitelisted IP?
Whitelists allow traffic only from the IPs in the list. All other IPs are blocked. Safe IPs do not have this restriction. A safe IP entry only turns off the firewall for the IPs defined, so it is not as restrictive as a whitelist.
If my IP is in the whitelist but my country is blacklisted, what happens?
Traffic from all IPs in the whitelist is allowed. Adding a whitelist turns off all blacklists automatically.
Can Modshield protect from bots?
Modshield has curated threat intelligence, updated regularly, to help identify and block bots, crawlers and bad IPs.
Can Modshield detect automated scans?
Yes. Modshield can detect and block automated scans by using the request header information and its DoS settings. The OWASP Core Rule Set also provides rules for detecting automated scanners.
Can Modshield act as a standalone DLP solution?
You have to enable the firewall for Modshield to act as a DLP. DLP is also a set of rules, which detect and perform defined actions on responses that might contain sensitive information. You will be required to provide the regex for what you consider sensitive information.
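As an added illustration (not Modshield's shipped rules or configuration), this is how response-side DLP rules of the kind described above look in plain ModSecurity syntax. The rule IDs, messages and marker string are constructed, and the example assumes response-body inspection can be enabled on the instance.

```apache
# Added example: rule IDs, messages and the marker string are constructed.
# Assumption: response-body inspection is available on the instance; in plain
# ModSecurity, phase 4 rules see nothing unless it is switched on.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html application/json
SecResponseBodyLimit 524288
# Inspect the first 512 KB instead of rejecting larger responses outright.
SecResponseBodyLimitAction ProcessPartial

# Rule 1: block responses that contain a likely payment card number.
# @verifyCC applies the regex, then a Luhn checksum on each match, which
# removes most false positives from order numbers and timestamps.
# IDs 1-99,999 are reserved for local use in ModSecurity.
SecRule RESPONSE_BODY "@verifyCC \b(?:\d[ -]?){13,16}\b" \
    "id:10001,\
    phase:4,\
    deny,\
    status:403,\
    log,\
    msg:'DLP: possible payment card number in response',\
    tag:'custom/dlp'"

# Rule 2: detect-only rule for an internal document marker (constructed string).
# Start new DLP patterns with pass,log and switch to deny once the logs show
# that no legitimate pages match.
SecRule RESPONSE_BODY "@rx (?i)confidential\s*-\s*internal\s+only" \
    "id:10002,\
    phase:4,\
    pass,\
    log,\
    msg:'DLP: internal-only marker in response',\
    tag:'custom/dlp'"
```

Rules that inspect the response body add buffering and latency, so limit the inspected MIME types to those that can actually carry the sensitive data.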
I want all events in the firewall to be transferred to my SIEM solution for monitoring. How can I do that?
Modshield has built-in log forwarding capabilities. You will have to set it up in the Log Management settings.
How long are the log files stored in Modshield?
Modshield does not delete or rotate logs by itself. All events will be logged as long as there is space in the instance. You can transfer the log file to cold storage using the FTP option provided.
Will the logs get deleted if I download the log files?
When the logs are downloaded, you will have the option to either clear them or leave them in place.
Can I write my own rules for protection?
Yes. Modshield allows an unlimited number of custom rules. Please ensure that the rules follow the syntax defined by ModSecurity.
What happens if there is an error in the rule that I wrote?
Modshield validates the syntax before a custom rule is applied. If a custom rule has an error, that rule is not stored. A message is displayed for your information.
How do you get the IP-geography correlation?
Modshield uses multiple data feeds to create a curated store for Geo IP information.