• Howdy! Welcome to our community of more than 130.000 members devoted to web hosting. This is a great place to get special offers from web hosts and post your own requests or ads. To start posting sign up here. Cheers! /Peo, FreeWebSpace.net

Best mod_security Rules Recommended for Apache

We often have requests to configure the "best rules" for mod_security. mod_security is a popular Apache plugin that serves as a Web Application Firewall, screening requests coming into the web server based on a set of configurable rules.

Because every website and application has slightly different circumstances, which will require some fine-tuning of the rules, there is no "best" ruleset. However, I want to share the rules below, which are a good basic set to use on a web server to enhance security.

You should copy the entire text of these rules (or whichever rules you would like to activate) into your modsec2.user.conf configuration file, or whichever configuration file your mod_security installation has set up for user-configurable rules.

If you do not have mod_security installed, it's very easy to configure with ConfigServer's free ModSecurity plugin for cPanel: http://configserver.com/cp/cmc.html

Try the rules below, for example:

# Syntax fixes: patterns quoted, a phase and input transformations given, and
# the missing comma before id added in the last three rules (the action list is
# malformed without it). The three ARGS-only rules are subsets of the last three.
# These are bare substring matches: "eval" also hits "medieval" or "retrieval",
# so expect false positives on real form input.
SecRule ARGS "{php}" "phase:2,t:none,t:urlDecodeUni,t:lowercase,severity:4,log,deny,id:6624001"
SecRule ARGS "eval" "phase:2,t:none,t:urlDecodeUni,t:lowercase,severity:4,log,deny,id:6624002"
SecRule ARGS "base64_decode" "phase:2,t:none,t:urlDecodeUni,t:lowercase,severity:4,log,deny,id:6624003"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "base64_decode" "phase:2,t:none,t:urlDecodeUni,t:lowercase,severity:4,log,deny,msg:'Access Denied',id:'6624009'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "eval" "phase:2,t:none,t:urlDecodeUni,t:lowercase,severity:4,log,deny,msg:'Access Denied',id:'6624010'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "{php}" "phase:2,t:none,t:urlDecodeUni,t:lowercase,severity:4,log,deny,msg:'Access Denied',id:'6624011'"
For the full ruleset, which is difficult to post due to its "explicit" content, and additional rules for securing against SQL injection attacks, check the updated mod_security rules in our knowledgebase.

Of course, like I mentioned, every application has different web security needs. What do you think about mod_security's effectiveness and ease of use?
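The rules as posted apply to every domain on the box, which is exactly what produces the shared-hosting complaints that come up later in this thread. The configuration below is an added example, not the original poster's file and not anything shipped by cPanel or ConfigServer. It shows one way a shared host would lay this out for ModSecurity 2.x: a global file carries the rules and switches on audit logging of blocked requests, and each virtual host carries only its own exclusions, so one customer's exception never weakens another customer's protection. The file paths, the domain example.com, the form-field name template_code and the rule ids 6624020 and 6624021 are assumptions chosen for the example. The word-boundary-plus-parenthesis patterns are a tightening of the plain "eval" and "base64_decode" substring matches above, so that ordinary words such as "medieval" or "retrieval" in a form field no longer trigger a block.

```apache
# --- Global rules, e.g. modsec2.user.conf (included once for all vhosts) ---
# Added example: paths, ids and the argument name below are assumptions.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On              # required for REQUEST_BODY and POST ARGS

    # Log full transactions only for requests that were blocked (4xx other
    # than 404) or errored (5xx). Part H of the log carries the rule id.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLog /usr/local/apache/logs/modsec_audit.log

    # eval( and base64_decode( as function calls, not as substrings.
    # t:none resets inherited transformations; the input is URL-decoded and
    # lower-cased before the regex runs, so "EVAL (" and "%65val(" still match.
    SecRule REQUEST_URI|ARGS|REQUEST_BODY "@rx \beval\s*\(" \
        "phase:2,t:none,t:urlDecodeUni,t:lowercase,severity:4,log,deny,id:'6624020',msg:'PHP eval() call in request'"
    SecRule REQUEST_URI|ARGS|REQUEST_BODY "@rx \bbase64_decode\s*\(" \
        "phase:2,t:none,t:urlDecodeUni,t:lowercase,severity:4,log,deny,id:'6624021',msg:'base64_decode() call in request'"
</IfModule>

# --- Per-customer overrides live in that customer's vhost only ---
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /home/example/public_html

    <IfModule security2_module>
        # Case 1: this site's admin panel legitimately posts PHP snippets in
        # one form field. Exclude only that argument instead of the whole rule.
        SecRuleUpdateTargetById 6624020 "!ARGS:template_code"

        # Case 2: the rule is simply wrong for this application. Remove it
        # here, and only here; every other vhost keeps it.
        SecRuleRemoveById 6624021

        # Case 3: the site breaks in ways not yet understood. Keep logging but
        # stop blocking for this vhost until the audit log has been read.
        # SecRuleEngine DetectionOnly
    </IfModule>
</VirtualHost>

# To find which rule a customer is hitting, count ids in the audit log:
#   grep -o 'id "[0-9]*"' /usr/local/apache/logs/modsec_audit.log | sort | uniq -c | sort -rn
# then add the matching SecRuleRemoveById / SecRuleUpdateTargetById line to
# that customer's vhost and reload Apache.
```

The order of preference is deliberate: narrow the rule to skip one argument first, remove the rule for one vhost second, and fall back to DetectionOnly for a single site last. Turning the engine off for a domain, which is what a frustrated admin tends to do, should not be the first reaction, because a per-argument exclusion usually clears the complaint while the rest of the rule set still applies.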
 
mod_security is great if you're running a server that is only used for yourself, but I've found that on shared boxes, mod_security poses a problem. It doesn't matter what rule set is used, or how much it's fine tuned, there's ALWAYS people complaining that their site isn't working, or they can't do something, or their visitors uploads are being blocked, etc etc. Finding a "happy medium" is nearly impossible.
 
Indeed, it is very complicated to implement mod_security rules without making customers unhappy. It's seen that for genuine code too, sometimes mod_security creates problems and customers complain about their sites. In such cases, either you need to exclude that rule or disable mod_security for that specific domain.

However, it is very helpful for avoiding cross-site scripting attacks or any web-based intrusion.
 
Comodo's WAF is quite good and regularly updated. I've had to disable quite a few rules as they're too strict for shared hosting, but it's still a good ruleset.
 
[JSH]John;1184940 said:
Comodo's WAF is quite good and regularly updated. I've had to disable quite a few rules as they're too strict for shared hosting, but it's still a good ruleset.

We haven't had much luck with Comodo's WAF. It broke our WHMCS until after we uninstalled it.
 
We haven't had much luck with Comodo's WAF. It broke our WHMCS until after we uninstalled it.
You could have just checked the logs and disabled the rule(s) causing the problems. We disabled quite a few rules that aren't really suitable for a shared hosting environment.
 
[JSH]John;1185369 said:
You could have just checked the logs and disabled the rule(s) causing the problems. We disabled quite a few rules that aren't really suitable for a shared hosting environment.

With some tweaking, the Comodo WAF does do a decent job, but yes, you have to disable quite a few rules that are not suitable for a shared environment.

But then there really isn't any "out-of-the-box" mod_security ruleset that doesn't require some tweaking for your setup, because there are just too many variables in a shared environment.

For the price (FREE), you really can't complain though. ;)
 