Web Application Firewall (WAF)

enconf includes a built-in Web Application Firewall based on ModSecurity with the OWASP Core Rule Set (CRS). The WAF protects websites against the most common attack classes, such as SQL injection, cross-site scripting (XSS) and remote code execution.

Enabling the WAF

Per Site

  1. Go to Websites and edit the desired site
  2. Under Security, enable the Web Application Firewall switch
  3. Save — the WAF is active immediately

Package Permission

The WAF can be enabled per hosting package:

  1. Go to Hosting Packages
  2. Edit a package
  3. Under Permissions, enable Web Application Firewall (WAF)

Customers without this permission will not see the WAF toggle and cannot enable the WAF.

WAF Logs

Under WAF in the menu you'll find the log viewer. All detected attacks and suspicious requests are displayed:

  • Timestamp — When the incident was detected
  • Client IP — The source IP address of the request
  • Method / URI — Which page was attacked
  • Rule ID — The OWASP CRS rule that was triggered
  • Severity — CRITICAL, ERROR, WARNING or NOTICE
  • Action — Whether the request was blocked or only detected

Filtering

You can filter logs by Site/Domain and Severity.

Rule Exclusions (Whitelisting)

Sometimes the WAF incorrectly identifies legitimate requests as attacks (false positives). In such cases, individual rules can be disabled per site:

  1. Go to WAF > Rule Exclusions
  2. Select the affected site
  3. Enter the rule ID(s) (e.g. 941100, 942100)
  4. Click Save

You can find rule IDs in the WAF logs (column "Rule ID").

Use whitelisting with care

Only disable rules that provably cause false positives. Every disabled rule reduces protection for that site.

Common Rule IDs

Rule ID   Description
941100    XSS attack detected (via libinjection)
942100    SQL injection detected (via libinjection)
920350    IP address as host header
932100    Remote command execution (Unix)
933100    PHP injection attack

Technical Details

  • Engine: ModSecurity 3 as Nginx module (libnginx-mod-http-modsecurity)
  • Ruleset: OWASP Core Rule Set (CRS)
  • Mode: DetectionOnly (default) — can be switched to Enforce
  • Log file: /var/log/nginx/modsec_audit.log
  • Exclusion files: /etc/nginx/modsec.d/<username>_exclusions.conf
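As an added example (not enconf's own code), the following Python parser pulls the log viewer's columns (timestamp, client IP, method/URI, rule ID, severity, action) out of a ModSecurity audit log and renders the text of a per-site rule-exclusion file. The sample log text is constructed in libmodsecurity's native serial layout (sections A, B and H), and SecRuleRemoveById is the standard ModSecurity directive assumed here for the exclusion file; whether enconf writes exactly that directive is an assumption.

```python
import re

SAMPLE_AUDIT_LOG = """\
---Ab12Cd34---A--
[12/Mar/2024:09:15:02 +0000] 1710234902 192.0.2.10 51234 198.51.100.5 443
---Ab12Cd34---B--
GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
---Ab12Cd34---H--
ModSecurity: Warning. detected XSS using libinjection. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [hostname "shop.example"] [uri "/search.php"]
---Ef56Gh78---A--
[12/Mar/2024:09:16:44 +0000] 1710235004 203.0.113.7 40022 198.51.100.5 443
---Ef56Gh78---B--
GET /login.php HTTP/1.1
---Ef56Gh78---H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Rx" at REQUEST_HEADERS:Host. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "12"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [hostname "198.51.100.5"] [uri "/login.php"]
"""  # constructed sample in libmodsecurity's serial audit-log layout; not a real capture

BOUNDARY = re.compile(r"^---(?P<tx>\w+)---(?P<part>[A-Z])--$")
SEVERITY = {"0": "EMERGENCY", "1": "ALERT", "2": "CRITICAL", "3": "ERROR", "4": "WARNING", "5": "NOTICE"}

def parse_audit_log(text):
    """Return one dict per rule hit, with the columns the WAF log viewer displays."""
    sections, current = {}, None                 # (transaction id, part letter) -> lines
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = (m["tx"], m["part"])
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    events = []
    for (tx, part), lines in sections.items():
        if part != "H": continue                 # part H carries the rule messages
        a = (sections.get((tx, "A")) or [""])[0].split()   # "[ts tz] epoch client port server port"
        b = (sections.get((tx, "B")) or [""])[0].split()   # request line "METHOD URI VERSION"
        for msg in (l for l in lines if l.startswith("ModSecurity:")):
            tags = dict(re.findall(r'\[(\w+) "([^"]*)"\]', msg))   # [key "value"] pairs
            events.append({
                "timestamp": " ".join(a[:2]).strip("[]"), "client_ip": a[3] if len(a) > 3 else "",
                "method": b[0] if b else "", "uri": b[1] if len(b) > 1 else "",
                "host": tags.get("hostname", ""), "rule_id": tags.get("id", ""),
                "severity": SEVERITY.get(tags.get("severity", ""), "UNKNOWN"),
                # "Access denied" is logged only when the engine enforces; DetectionOnly logs "Warning"
                "action": "blocked" if "Access denied" in msg else "detected",
            })
    return events

def exclusion_config(rule_ids):  # per-site exclusion file: one SecRuleRemoveById per rule, deduplicated
    return "".join(f"SecRuleRemoveById {rid}\n" for rid in sorted(set(rule_ids), key=int))
```

Counting hits per hostname and rule ID over a real modsec_audit.log shows which rules keep firing on a site before any ID is put into its exclusion file.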