MOD Security

Discussion in 'Security' started by Will.Spencer, Jul 16, 2007.

  1. #1
    Has anyone here played with MOD Security?

    What did you think?
    Will.Spencer, Jul 16, 2007 IP
  2. InFloW

    InFloW Peon

    #2
    We use it on our machines. It's good at blocking a lot of common exploits if you keep your rules up to date. It can, however, block legitimate traffic if you're not careful.
     
    InFloW, Jul 17, 2007 IP
  3. Will.Spencer

    Will.Spencer NetBuilder

    #3
    What sort of legitimate traffic have you seen it accidentally block?

    I'm thinking of deploying it on an Apache instance with well over a hundred different web sites. It could take me months to figure out if there was a problem with one of the less profitable sites.
     
    Will.Spencer, Jul 17, 2007 IP
  4. ilxeon

    ilxeon Peon

    #4
    Mod security with a tight ruleset is a must for a first line of defence.
     
    ilxeon, Jul 18, 2007 IP
  5. InFloW

    InFloW Peon

    #5
    Well, you can set up rules of any kind, so you could, say, set up a rule where it blocks something like index.php?var=http://url.com/file.txt

    Looks like a great rule; it can block remote includes of exploit scripts (r57 comes to mind). But what happens if a site actually, for some reason, does remote includes of its own files like that and does make checks to make sure it's that site? Now you've got a bad rule set up blocking traffic.

    There are various other rules I've seen that can block some posts depending on what's inside them and such.

    So as long as you have control of the sites, none of this should be an issue, as you'll know what sort of rules could break things. You can also check its logs to see if things are breaking.
     
    InFloW, Jul 18, 2007 IP
  6. clixxer

    clixxer Peon

    #6
    Turn on logging and use mod_unique. People will tell you and you just have a look at the logs. Then just change your rules or create an exception. Will take a few days to straighten out the hidden problems but will be very nice.
    Cpanel's mod_security does not log - you need a manual installation for that.
     
    clixxer, Jul 19, 2007 IP
  7. agnivo007

    agnivo007 Peon

    #7
    Well, I've faced problems at a shared host while posting a technical article on a wordpress blog.

    In the POST request while saving the article, it gave errors...then I figured out that as mod_security was set to check for shell commands like wget, it didn't work. ( I had to use w-get instead ;) )
     
    agnivo007, Jul 19, 2007 IP
  8. lkj

    lkj Peon

    #8
    Usually it will block typical Linux support inquiry posts with command lines, arguments, etc.
     
    lkj, Jul 19, 2007 IP
  9. buck

    buck Peon

    #9
    Mod security on a new server I got on blocked at least 400-500 member visits to the forum per day (including me and my co-admin at least 3 or 4 times a day).

    The webhost wouldn't even bother to look into it, so I contacted vBulletin for a workaround to it, and the member count came right back up to around 2,000, where it averaged.
     
    buck, Jul 25, 2007 IP
  10. clickbuild

    clickbuild Member

    #10
    You have no fricking idea the number of break-in attempts that are happening on your machine right now & modsec is absolutely the first step.

    Turn on logging but do not block access - check the logs every few hours and I am sure it will open your eyes and make you want to spend some time tweaking the configs. If you understand the basics of regex you can tweak it pretty easily.

    You'll probably find remote inclusions will be the bulk of the attempts plus comment spam. If you run any open source apps you reeeeally need to plug the holes.

    For example, I just saw the wordpress wordtube plugin exploit come through - modsec caught them all.

    As for breaking apps, it'll happen but it is an easy fix, as soon as you see it in the logs, tweak the config and restart - peasy. If a client complains they will be more than happy when you let them know it was due to new beefed up security.

    Steve
     
    clickbuild, Jul 25, 2007 IP
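
The log-first workflow described in posts #6 and #10 (log without blocking, read the logs, then adjust rules), as an added example that is not part of the thread: a Python script that tallies ModSecurity hits per site, rule and URI, so a rule tripping for many different visitors stands out on a server hosting many sites. The log lines, rule ids, hostnames and the `min_clients` threshold are constructed assumptions; the line layout follows the ModSecurity 2.x Apache error-log format.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x Apache error-log layout (not real traffic).
SAMPLE_LOG = """\
[Wed Jul 25 10:01:07 2007] [error] [client 198.51.100.1] ModSecurity: Warning. Pattern match "cmd" at ARGS:message. [id "900003"] [hostname "forum.example.com"] [uri "/forum/newreply.php"] [unique_id "c1"]
[Wed Jul 25 10:02:11 2007] [error] [client 198.51.100.2] ModSecurity: Warning. Pattern match "cmd" at ARGS:message. [id "900003"] [hostname "forum.example.com"] [uri "/forum/newreply.php"] [unique_id "c2"]
[Wed Jul 25 10:03:40 2007] [error] [client 198.51.100.3] ModSecurity: Warning. Pattern match "cmd" at ARGS:message. [id "900003"] [hostname "forum.example.com"] [uri "/forum/newreply.php"] [unique_id "c3"]
[Wed Jul 25 10:04:02 2007] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "^https?://" at ARGS:var. [id "900001"] [hostname "shop.example.com"] [uri "/index.php"] [unique_id "c4"]
[Wed Jul 25 10:04:03 2007] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "^https?://" at ARGS:var. [id "900001"] [hostname "shop.example.com"] [uri "/index.php"] [unique_id "c5"]
[Wed Jul 25 10:06:30 2007] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "wget" at ARGS:content. [id "900002"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "c6"]
[Wed Jul 25 10:09:00 2007] [error] [client 192.0.2.44] File does not exist: /var/www/favicon.ico
"""

FIELD = re.compile(r'\[(id|hostname|uri|unique_id) "([^"]*)"\]')
CLIENT = re.compile(r'\[client ([^\]\s]+)\]')

def parse(line):
    """Return rule id, hostname, uri, unique_id and client for a ModSecurity line, else None."""
    if "ModSecurity:" not in line:
        return None
    rec = dict(FIELD.findall(line))
    m = CLIENT.search(line)
    if not m or "id" not in rec or "hostname" not in rec:
        return None
    rec["client"] = m.group(1)
    return rec

def triage(log_text, min_clients=3):
    """Group hits by (hostname, rule id, uri), most distinct clients first.
    Heuristic (assumption of this example): one rule firing on one URI for many
    distinct clients looks like normal site use rather than a single source."""
    clients, hits = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            key = (rec["hostname"], rec["id"], rec.get("uri", "?"))
            clients[key].add(rec["client"])
            hits[key] += 1
    report = []
    for key in sorted(hits, key=lambda k: (-len(clients[k]), k)):
        n = len(clients[key])
        verdict = "probable-false-positive" if n >= min_clients else "few-sources"
        report.append((key, hits[key], n, verdict))
    return report

if __name__ == "__main__":
    for (host, rule, uri), n, distinct, verdict in triage(SAMPLE_LOG):
        print(f"{host:18} rule {rule} {uri:20} hits={n} clients={distinct} {verdict}")
```

The `unique_id` field that mod_unique_id adds is kept in each parsed record so a flagged hit can be matched to its audit-log entry before a rule is changed or an exception is written.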