This is Part 2 of the guide. If you missed the first half, check it out here: ModSecurity vs SafeLine: Why Not Use Both? (Part 1)
Part 4: System Hardening
1. Allow Required Ports via iptables
Using iptables as the firewall, I needed to open ports 8080 (ModSecurity) and 9443 (SafeLine console):
# Check current rules, with line numbers for later reference
iptables -L INPUT -n --line-numbers
# Allow traffic on port 8080; -I inserts at the top of the chain, ahead of existing rules
# (only needed while testing ModSecurity directly; Part 5 restricts 8080 to localhost again)
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
# Same for the SafeLine console; add -s <your admin network> if you can
iptables -I INPUT -p tcp --dport 9443 -j ACCEPT
# Save and restart (service-based persistence needs the iptables-services package)
service iptables save
service iptables restart
# Verify status
service iptables status
2. Block Specific IP Addresses
You can easily drop traffic from unwanted IPs:
iptables -A INPUT -s 45.148.10.174 -j DROP
service iptables save
systemctl restart iptables
iptables -nvxL --line-numbers   # list rules with packet/byte counters and rule numbers
For example, after applying these rules, traffic from IP 45.148.10.174 is blocked.
Part 5: Defense in Depth Strategy
Combining SafeLine WAF with ModSecurity provides layered protection:
- SafeLine handles first-line filtering with a clean GUI and low false-positive rate.
- ModSecurity provides deep inspection but can be harder to tune.
- iptables ensures port access is tightly controlled.
1. Configure SafeLine Upstream
Set SafeLine to forward traffic to 127.0.0.1:8080, which is Nginx with ModSecurity. Then block every connection to port 8080 that does not come from localhost, so clients cannot bypass SafeLine by reaching ModSecurity directly.
2. Set Cloud Firewall Rules
In your cloud security group (e.g. AWS, Aliyun), do not add any inbound rule for port 8080. SafeLine's upstream traffic to 127.0.0.1:8080 stays on the loopback interface and never passes through the security group, so nothing needs to be allowed there for it to work; anything arriving on 8080 from outside should simply be denied:
- Allow: only the ports SafeLine serves clients on, plus 9443 for the console (restricted to your admin IP range if possible)
- Deny: all other inbound traffic, including port 8080 from any source
3. Lock Down iptables for Port 8080
# Remove the broad "open 8080" rule from Part 4, by specification rather than by index
iptables -D INPUT -p tcp --dport 8080 -j ACCEPT
# Drop 8080 on every interface (no -i lo here: with it, packets arriving on
# eth0 would match nothing and fall through to the chain policy)
iptables -I INPUT -p tcp --dport 8080 -j DROP
# Insert the loopback exception above the DROP, so it is evaluated first
iptables -I INPUT -i lo -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
# Confirm the order and persist
iptables -L INPUT -n --line-numbers
service iptables save
Explanation of the commands:
-D INPUT ...: deletes the first rule in INPUT matching that exact specification (safer than -D INPUT 2, because rule indexes shift whenever rules are added or removed).
-I INPUT: inserts a rule at the top of the INPUT chain (for inbound traffic). iptables stops at the first matching rule, so a rule inserted later sits above, and wins over, a rule inserted earlier.
-i lo: matches the local loopback interface (lo).
-p tcp: specifies the protocol as TCP.
--dport 8080: specifies port 8080 as the destination.
-s 127.0.0.1: matches only traffic from 127.0.0.1.
-j ACCEPT / -j DROP: accepts the connection, or silently discards the packet.
The DROP rule carries no -i lo, so it catches traffic to 8080 on any interface; the ACCEPT rule above it lets only SafeLine's upstream connections from localhost through. In the output of iptables -L INPUT -n --line-numbers the ACCEPT rule must have a lower number than the DROP rule, otherwise the loopback traffic is dropped too.
Part 6: Common Issues & Fixes
1. nginx: [alert] kill(...) failed (3: No such process)
This means nginx -s reload (or -s stop) sent a signal to the PID stored in nginx.pid, but no process with that PID exists: Nginx was stopped or crashed and left a stale PID file behind. Instead of reloading, start Nginx explicitly with its configuration file:
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
The path /usr/local/nginx/sbin/nginx points to the Nginx executable, and -c /usr/local/nginx/conf/nginx.conf specifies the configuration file.
2. nginx: [error] open() "/usr/local/nginx/logs/nginx.pid" failed
Nginx writes nginx.pid when it starts, so this error on reload means either that Nginx is not running, or that it is running but the PID file was removed. Check for a running instance first:
netstat -ntlp                   # is anything listening on Nginx's ports, and under which PID?
ps -C nginx -o pid,ppid,cmd     # the master process is the one whose parent is not nginx
# If a master process is running, recreate the PID file by hand and reload
echo <master-pid> > /usr/local/nginx/logs/nginx.pid
/usr/local/nginx/sbin/nginx -s reload
If no Nginx process is running at all, stop and start again. Use ; rather than && here, because -s stop itself fails without a PID file and would otherwise block the start:
nginx -s stop; nginx
3. SafeLine WAF Troubleshooting
For SafeLine-specific issues, check the official FAQ:
https://docs.waf.chaitin.com/en/faq/home
Conclusion
Using SafeLine + ModSecurity together gives you the best of both worlds: powerful rule-based filtering from ModSecurity and an intuitive, lower-maintenance GUI from SafeLine.
By isolating ports, hardening firewall access, and combining two WAF engines, you get a secure and flexible defense setup that's ideal for both production and testing.
Ready to try it? Let me know how it works for you or suggest improvements in your own stack.