DeveloperSide.NET Forums
Author Topic: ModSecurity Settings  (Read 14779 times)
TazDevilLooney
Customer, Basic Support
Jr. Member
Posts: 30
« on: March 30, 2010, 12:23:12 AM »

Hi,

I'm just about to start hosting my first forum - vBulletin V4 Suite - but before I make it live, would anyone have any recommendations for the security of the site?

From what I have read on these forums, the web-developer suite contains mod_security, but it is not active (logging only).

Would it be a good idea to turn it on, or are there other things I have to look into before I do that?

Because this is MySQL- and PHP-based software, is there anything I can do to minimize any attack?

Any advice would be gratefully received.

Taz
admin
Administrator
Master of All Subjects
Posts: 3272
« Reply #1 on: March 30, 2010, 12:30:07 AM »

The problem w/ mod_sec is that the general ruleset that comes with it will catch a lot of false positives ... and if active, will prevent your site from working for visitors.

To use mod_sec properly you have to start from scratch and enter your own rules, or test the general rules and remove the ones causing false positives.

So you can turn it on, but do go through all your URLs, file uploading, posting, etc. and see what breaks. Then check the error log to see which rules came up and disable them.

DeveloperSide.NET
Advanced PHP and MySQL Solutions for your Web Design and Development needs with Web.Developer Server Suite.
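
One way to carry out the "check the error log to see which rules came up" step from the reply above, as an added example that is not part of the original thread or of the suite: a Python script that tallies ModSecurity hits per rule id and rule file. The log lines are constructed samples in the ModSecurity 2.x error-log layout; the rule ids, messages, hosts and the modsecurity_crs_41_example.conf file name are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache 2.2 / ModSecurity 2.x error-log layout.
# Rule ids, messages, hosts and the "41_example" file name are illustrative.
RULES = "C:/www/Apache22/conf/extra/mod_security2/rules/"
SAMPLE_LOG = f'''
[Tue Mar 30 01:40:12 2010] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "select" at ARGS:message. [file "{RULES}modsecurity_crs_41_example.conf"] [line "77"] [id "900001"] [msg "Constructed SQL keyword rule"] [hostname "forum.example"] [uri "/newreply.php"]
[Tue Mar 30 01:41:03 2010] [error] [client 192.0.2.11] ModSecurity: Warning. Pattern match "select" at ARGS:message. [file "{RULES}modsecurity_crs_41_example.conf"] [line "77"] [id "900001"] [msg "Constructed SQL keyword rule"] [hostname "forum.example"] [uri "/newthread.php"]
[Tue Mar 30 01:42:40 2010] [error] [client 192.0.2.20] ModSecurity: Warning. Matched phrase "crawler" at REQUEST_HEADERS:User-Agent. [file "{RULES}modsecurity_crs_35_bad_robots.conf"] [line "20"] [id "900002"] [msg "Constructed robot rule"] [hostname "forum.example"] [uri "/index.php"]
[Tue Mar 30 01:43:00 2010] [error] [client 192.0.2.10] File does not exist: C:/www/example/favicon.ico
[Tue Mar 30 01:44:09 2010] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:message. [file "{RULES}modsecurity_crs_41_example.conf"] [line "77"] [id "900001"] [msg "Constructed SQL keyword rule"] [hostname "forum.example"] [uri "/newreply.php"]
'''

# Matches the bracketed metadata pairs, e.g. [id "900001"] or [uri "/index.php"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_hit(line):
    """Return the metadata of one ModSecurity log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "id" not in fields:
        return None
    # "Warning." lines were only logged; "Access denied" lines were blocked.
    fields["blocked"] = "Access denied" in line
    fields["file"] = fields.get("file", "?").rsplit("/", 1)[-1]
    return fields

def tally(log_text):
    """Group hits by rule id: count, rule file, URIs touched, whether any was blocked."""
    rules = defaultdict(lambda: {"count": 0, "file": "?", "uris": set(), "blocked": False})
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit is None:
            continue
        entry = rules[hit["id"]]
        entry["count"] += 1
        entry["file"] = hit["file"]
        entry["uris"].add(hit.get("uri", "?"))
        entry["blocked"] |= hit["blocked"]
    return dict(rules)

if __name__ == "__main__":
    for rule_id, r in sorted(tally(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        state = "BLOCKED" if r["blocked"] else "detect-only"
        print(f'{rule_id}  x{r["count"]}  {state:11}  {r["file"]}  {sorted(r["uris"])}')
```

Run it over the Apache error log after exercising posting, uploads and search with SecRuleEngine DetectionOnly; rule ids that fire on ordinary forum traffic are the ones to review before switching the engine to On.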
TazDevilLooney
« Reply #2 on: March 30, 2010, 12:35:04 AM »

Thank you for the quick reply.

1. Where would I go to enable this?
2. Will it affect any crawling for Google/Yahoo etc., by me enabling this without changing the rules?

I am also running an HTML site on another domain.

This mod_security is new to me LOL.

I have had a quick look at my error_mass.log and there seems to be a lot of errors logged.


Taz
« Last Edit: March 30, 2010, 01:20:29 AM by TazDevilLooney »
admin
« Reply #3 on: March 30, 2010, 01:12:34 AM »

Quote
1. Where would I go to enable this?

C:\www\Apache22\conf\extra\mod_security2\rules\modsecurity_crs_10_config.conf
SecRuleEngine DetectionOnly

To: On

Quote
2. Will it affect any crawling for Google/Yahoo etc., by me enabling this without changing the rules?

Maybe. Depends on what's crawled and what rules are triggered.
TazDevilLooney
« Reply #4 on: March 30, 2010, 01:18:14 AM »

I'll have a go at that. I guess when this is enabled it reads all the .conf files in that directory, or have you got to tell it what .conf files to include?

Just trying to get a picture of how this all works.

« Last Edit: March 30, 2010, 01:39:57 AM by TazDevilLooney »
TazDevilLooney
« Reply #5 on: March 30, 2010, 08:34:26 AM »

Hi,

What if I move this file from the directory, would this work?

modsecurity_crs_35_bad_robots.conf
admin
« Reply #6 on: March 30, 2010, 04:19:02 PM »

You should edit the file: C:\www\Apache22\conf\extra\suite-global\suite-mod_security2.conf

This file "includes" all the mod_sec rule files into the config.

Comment out the robots file in the above.
TazDevilLooney
« Reply #7 on: March 30, 2010, 06:11:54 PM »

Thank you, you're a star, that was just what I was after. :)

Cheers, Taz

« Last Edit: March 30, 2010, 09:16:17 PM by TazDevilLooney »