mod_security

Hi all,

I started using www/mod_security a few weeks ago and I must say that I am impressed by all the cool filtering features available.
Of course filtering all false positives can sometimes be a pain, especially on a busy production site.

Anybody else using it? Tips maybe?

George
 
mod_security is very good. I've been using it mostly to filter attempts to connect to vulnerable software which isn't even installed (control panels and such). At first, I tarpitted those by delaying fifteen seconds and then giving a 404. Probers were spending up to ten minutes to try a couple of dozen URLs.

That got boring, and now it just adds the probing IP to the firewall. It doesn't play a loud "Click!" at that point, but I considered it.

Like a lot of good software, mod_security is hampered by a lack of examples in their own documentation. It will do pretty much everything you could ask once you figure out how.
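A ModSecurity 2.x rule set in the spirit of the setup described above (tarpit probes for software that is not installed, then escalate repeat offenders). This is an added example, not configuration from the post or the mod_security project; the probed paths, the data directory and the score threshold are assumptions.

```apache
SecRuleEngine On

# Persistent per-client collections need a directory writable by the httpd user
# (path assumed for this example).
SecDataDir /var/db/modsecurity

# Open the IP collection for every request so ip.probe_score survives between hits.
SecAction "id:1000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Repeat prober: refuse immediately instead of spending another 15 s on them.
# The original poster hands these off to the firewall; doing that from here is
# left to a site-specific script (e.g. via the exec action) and not shown.
SecRule IP:probe_score "@ge 3" \
    "id:1001,phase:1,deny,status:403,log,msg:'Repeat prober for absent software'"

# Tarpit: requests for control panels that do not exist on this host get a
# 15 s pause and a plain 404. Paths are constructed examples; use ones you
# really do not serve, or the rule becomes a false positive generator.
SecRule REQUEST_URI "@pm /phpmyadmin /pma/ /cpanel /webmail" \
    "id:1002,phase:1,t:lowercase,log,msg:'Probe for absent control panel',\
    setvar:ip.probe_score=+1,expirevar:ip.probe_score=3600,\
    pause:15000,deny,status:404"
```

Note that `pause` holds an httpd worker for the whole delay, so on a busy server the delay should be sized against MaxRequestWorkers, or dropped in favour of the score-based block alone.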
 
wblock said:
Like a lot of good software, mod_security is hampered by a lack of examples in their own documentation. It will do pretty much everything you could ask once you figure out how.

I couldn't agree more here. There is also a lot of documentation that is very outdated.
I found that most false positives, in my case, came from the sql_injection rules.
Still, it is a pretty amazing piece of software that can provide a good protection point against badly written applications.
 