Naxsi vs ModSecurity – Which is the best for me?
Cyber criminals hack nearly 50000 websites a day!
That is why, most Web Hosts need to enable firewall programs like ModSecurity, NAXSI etc. to defend these server hacks.
Although both of them are free, the choice of Naxsi vs Modsecurity depends largely on the server configuration.
At Bobcares, we help server owners to choose and configure these web application firewall programs as part of our Support Services for Web Hosts.
Today, let’s discuss on the pros and cons of NAXSI and ModSecurity.
NAXSI – What is it and Why ?
Nginx Anti-XSS & SQL Injection (NAXSI) is a web application firewall which is specifically designed for Nginx servers.
Naxsi helps to fight against attackers that add vulnerable scripts on the website. Additionally, it provides a way to avoid code injections to the database used by the websites.
Now, let us have a close look at the major pros and cons of NAXSI.
Pros of NAXSI
The major benefits of NAXSI include:
1. Simple rule set
NAXSI protects websites with a simple rule set that uses a score based system. It scores every url request with a score.
When this score is greater than the threshold value set in the configuration, NAXSI automatically blocks the website request.
If the request url contains possible malicious characters like “<“, / [slash], or drop, that automatically increase the score. And such urls are blocked from executing on the server.
2. Supports Whitelist
It is a great benefit that NAXSI allows to create a set of whitelist rules. These rules say that certain malicious pattern match in selected applications are ok and NAXSI allows them.
To make things easier, NAXSI comes with a tool called Nxtool. This tool automatically learns from the website traffic and creates the whitelist. Additionally, if over 20% of your users have the same triggering factor in their website requests, it will be recorded as legitimate. All such requests pass through the web server.
3. Resistant to WAF bypass techniques
When the firewall rules became strict, hackers have found out alternate ways to bypass them. But, NAXSI takes care of possible bypass techniques like encoding the url, concatenation of strings in the request etc.
4. Fast & easy to maintain
NAXSI do not eat up a large share of server resources. Also, it does not need any periodic updates as in ModSecurity. Once installed, it works continuously with out any downtime.
Cons of NAXSI
Although there are many benefits, NAXSI comes with its own downsides as well.
1. Learning mode for every application update
NAXSI has 2 modes, Live and Learning. It is in the learning mode that NAXSI creates the whitelist rules. So, whenever there is an update in the website code, we need to run NAXSI in learning mode and modify rules to allow legitimate traffic.
As a result, this creates an overhead especially when there are frequent code modifications in the website.
2. Type of Webserver
There is a major drawback that NAXSI is suitable only for Nginx systems. It will not work for Apache or IIS. Thus, it largely restricts the options available for the type of web server.
From our experience in managing servers, we see that NAXSI works great in docker based applications. As a result, our Support Engineers often recommend and set up NAXSI for applications like Owncloud, Elasticsearch etc.
ModSecurity – What is it and Why?
ModSecurity is one of the popular web application firewall that supports web servers like Apache, IIS, Nginx etc.
It maintains a library of malicious patterns, also known as Signatures. When the request url matches any of the signatures, they are blocked.
Though it is a great tool to detect cross-site scripting, trojan attacks etc., it also has its own merits and demerits.
Pros of ModSecurity
ModSecurity comes with pros like :
1. Blocks common attacks
ModSecurity comes with a Core Rule set that takes care of almost all known attacks in the internet. So there is no additional need to write rules to block already known vulnerable applications.
2. Supports Virtual patching
Similarly, ModSecurity gives the option of “Virtual Patching“. Virtual patching helps to prevent an exploit in the server as a result of a newly discovered vulnerability.
In other words, when there is a new WordPress or PHP based attack, you just have to patch your ModSecurity application on an immediate basis. That prevents further websites attack using this vulnerability. Also, you get more time to update each vulnerable WordPress website.
3. High Customization
Also, ModSecurity allows to write specific rules for the applications hosted on the server. It gives room for custom modifications, when there are some particular type of attacks that are most critical for your applications.
Cons of ModSecurity
Again ModSecurity has its own share of cons too.
1. Tough to maintain rule set
All ModSecurity rules are basically regular expressions, which can be hard to maintain. Also, when there are too many rules, it becomes a real challenge to allow good traffic and block only the malicious attacks.
Our Support Engineers often get helpdesk requests from customers where ModSecurity blocks legitimate requests too.
2. Higher resource usage
ModSecurity often shows high resource usage when there are too many rules configured. Higher the number of websites running on the server, higher will be the resource usage on the server. So the choice depends on the server specifications too.
With proper implementation and careful tuning, web applications firewalls like ModSecurity and NAXSI greatly help to avoid possible web server hacks. Today, we’ve seen the comparative analysis that helps our upport Engineers to choose ModSecurity or NAXSI.