Overview
This article provides information about how to enable the Web Application Firewall (mod_security) in the panel.
Background
mod_security is a Web Application Firewall (WAF) that filters and blocks known malicious HTTP requests. Blocked HTTP requests include many, but not all, forms of Brute Force, Cross-Site Scripting (XSS), Remote File Inclusion (RFI), Remote Execution, and SQL injection (SQLi) attacks.
DreamHost enables mod_security for free by default, but you can enable or disable this feature in the panel if necessary.
You cannot disable mod_security on a VPS while using Nginx.
Enabling or disabling mod_security in the panel
- Navigate to the Manage Websites page.
- Click the Manage button to open the Domain Settings page, which allows you to adjust various settings for your site.
- Click the Website tab and scroll down to the Additional Settings section.
- To the right of Web Options, click the Modify button.
- To the right of Web Application Firewall, click the toggle to enable or disable.
- Click the Save Changes button.
The Web Application Firewall option enables a security module for your website that blocks many of the common attacks capable of compromising your site; there is no guarantee that every attack will be prevented. With this enabled, DreamHost proactively keeps the rules current so that the most commonly known attacks are blocked.
Understanding mod_security at DreamHost
The following sections provide general guidance about how to interpret common issues that mod_security may find on your site.
DreamHost uses HTTP response code 418 for requests that mod_security blocks. If you see 418 response codes in your access.log files, mod_security blocked those requests. A 418 does not necessarily mean that a specific visitor was banned; it means that an individual request to your website was blocked. Read the log entries themselves to determine what caused each 418.
Further details about a block are often in the error.log entry with the matching date stamp. If you are having trouble working out why a 418 appears in your log files, contact DreamHost support.
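As an added example (not part of the DreamHost article), a small POSIX shell script that pulls the 418 entries out of an Apache combined-format access.log, summarises them per client and request, and prints the date stamp of each block so it can be matched against error.log. The log lines are constructed samples embedded for a stand-alone run.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format access.log lines (not real traffic).
# DreamHost records mod_security blocks as HTTP status 418 (field 9 of the line).
SAMPLE_LOG="$(cat <<'EOF'
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 418 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 418 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:03:40 +0000] "GET /?id=1%27%20OR%201=1 HTTP/1.1" 418 0 "-" "curl/8.0"
EOF
)"

# Total number of requests blocked by mod_security in the given log file.
count_418() {
    awk '$9 == 418 { n++ } END { print n + 0 }' "$1"
}

# Blocked requests grouped by client IP, method and path, most frequent first.
# Repeated blocks from one IP on /wp-login.php are the pattern behind the temporary ban.
list_418_blocks() {
    awk '$9 == 418 { gsub(/"/, "", $6); printf "%s %s %s\n", $1, $6, $7 }' "$1" \
        | sort | uniq -c | sort -rn
}

# Date stamp and path of each block, for looking up the matching error.log entry.
blocked_timestamps() {
    awk '$9 == 418 { print substr($4, 2), $7 }' "$1"
}

# Run on the log file given as the first argument, or on the constructed sample.
if [ $# -eq 0 ]; then
    demo=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$demo"
    list_418_blocks "$demo"
    blocked_timestamps "$demo"
    rm -f "$demo"
else
    list_418_blocks "$1"
    blocked_timestamps "$1"
fi
```

Run it as `sh find418.sh ~/logs/example.com/http/access.log` to use a real log instead of the sample.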
DreamHost mod_security rules
While most of DreamHost’s mod_security rule set is custom-created as threats emerge, the base comes from the OWASP mod_security Core Rules Set.
If you see an "Unused" error message
When a 418 error response is triggered by a user visiting your site, the following error message appears:
This 418 error indicates that mod_security has temporarily banned the visitor from the server. It is most often triggered by multiple failed login attempts to a WordPress site. Once triggered, the message appears on any subsequent attempt to access the login page.
DreamHost support is unable to lift this ban once it has been triggered. For the ban to expire, the user must stop accessing the server for 10 minutes.
If you are seeing the 418 error outside the context of a WordPress login, review your error and access logs for 418 response codes or contact DreamHost support.
Using an .htaccess file
Disabling and modifying mod_security rules via an .htaccess file is not supported at this time.