We use it on our machines; it's good at blocking a lot of common exploits if you keep your rules up to date. It can, however, block legitimate traffic if you're not careful.
What sort of legitimate traffic have you seen it accidentally block? I'm thinking of deploying it on an Apache instance with well over a hundred different web sites. It could take me months to figure out if there was a problem with one of the less profitable sites.
Well, you can set up rules of any kind, so you could, say, set up a rule where it blocks something like index.php?var=http://url.com/file.txt. Looks like a great rule; it can block remote includes of exploit scripts (r57 comes to mind). But what happens if a site actually, for some reason, does remote includes of its own files like that and does make checks to make sure it's that site? Now you've got a bad rule set up blocking traffic. There are various other rules I've seen that can block some posts depending on what's inside them and such. So as long as you have control of the sites, then none of this should be an issue, as you'll know what sort of rules could break things. You can also check its logs to see if things are breaking.
Turn on logging and use mod_unique. People will tell you, and you just have a look at the logs. Then just change your rules or create an exception. It will take a few days to straighten out the hidden problems but will be very nice. cPanel's mod_security does not log; you need a manual installation for that.
Well, I've faced problems at a shared host while posting a technical article on a WordPress blog. In the POST request while saving the article, it gave errors... then I figured out that, as mod_security was set to check for shell commands like wget, it didn't work. (I had to use w-get instead.)
mod_security on a new server I got on blocked at least 400-500 member visits to the forum per day (including me and my co-admin at least 3 or 4 times a day). The webhost wouldn't even bother to look into it, so I contacted vBulletin for a workaround, and the member count came right back up to around 2,000, where it averaged.
You have no fricking idea the number of break-in attempts that are happening on your machine right now, and modsec is absolutely the first step. Turn on logging but do not block access; check the logs every few hours and I am sure it will open your eyes and make you want to spend some time tweaking the configs. If you understand the basics of regex you can tweak it pretty easily. You'll probably find remote inclusions will be the bulk of the attempts, plus comment spam. If you run any open source apps you really need to plug the holes. For example, I just saw the WordPress wordtube plugin exploit come through; modsec caught them all. As for breaking apps, it'll happen, but it is an easy fix: as soon as you see it in the logs, tweak the config and restart. Easy peasy. If a client complains, they will be more than happy when you let them know it was due to new beefed-up security. Steve
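Putting the points from the posts above together (log before you block, a rule of the remote-include kind, and a per-site exception rather than loosening a rule for every vhost), here is an added example configuration. It is not from anyone in this thread and assumes ModSecurity 2.x on Apache 2.4; the rule ids 100001 and 100002, the log and module paths, and the /blog/ and /vendor-widgets/ location prefixes are placeholders.

```apache
# Added illustration, not posted by anyone in this thread.
# Assumes ModSecurity 2.x on Apache 2.4. Rule ids, paths and location
# prefixes below are placeholders for this example.

# Rollout step 1: evaluate every rule and log matches, but never block.
# With DetectionOnly the 'deny' actions below are logged, not enforced,
# so you can watch what a hundred sites really send before enforcing.
SecRuleEngine DetectionOnly

# Make each request traceable. mod_unique_id sets UNIQUE_ID, which shows
# up in both the error log and the audit log, so a user's complaint can be
# matched to the exact transaction that was flagged.
LoadModule unique_id_module modules/mod_unique_id.so
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/apache2/modsec_audit.log

# Inspect request bodies (needed for POST arguments), with a size cap.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200

# Rule of the kind discussed above: a request argument that is itself a
# URL, e.g. index.php?var=http://url.com/file.txt, is the usual shape of a
# remote-include attempt.
SecRule ARGS "@rx ^(?:https?|ftp)://" \
    "id:100001,phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,\
    msg:'Remote URL in request argument (possible remote include)'"

# Rule that flags shell command names in any argument, the kind that broke
# saving a WordPress article containing the word 'wget'.
SecRule ARGS "@rx \b(?:wget|curl)\b" \
    "id:100002,phase:2,deny,status:403,log,t:none,t:lowercase,\
    msg:'Shell command name in request argument'"

# Exceptions scoped to the one site that legitimately trips a rule.
# The rest of the server keeps the full rule.
<LocationMatch "^/blog/wp-admin/">
    # Stop checking the article body field only; every other argument is
    # still inspected by rule 100002.
    SecRuleUpdateTargetById 100002 "!ARGS:content"
</LocationMatch>

<LocationMatch "^/vendor-widgets/">
    # This one site includes its own files by URL on purpose, so drop the
    # remote-include rule for this path only.
    SecRuleRemoveById 100001
</LocationMatch>

# Rollout step 2, once the audit log has been quiet for legitimate traffic:
# switch the engine to enforcing and restart Apache.
# SecRuleEngine On
```

Reading the audit log with the UNIQUE_ID is what lets you tell a false positive on one small site apart from the background noise of remote-include attempts, and the LocationMatch exceptions are how you fix that site without weakening the rule for the other hundred.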