[mod-security-users] .htaccess includes considerations
From: Justin G. <web...@sw...> - 2005-11-27 23:13:11
Hi, what are the considerations and implications of allowing virtual hosting clients to protect their applications using mod_security filters at the .htaccess level?

The -DISABLE_HTACCESS compile option seems very reasonable, but allowing server users, especially with PHP applications, to harden their sites' security can be a big plus and help the total security of the server. Sites with phpBB, Nuke and the like will be able to add rules on their own and, most important, restrict access to admin areas per IP. Even if they're on a dynamic IP, before they go admining the site they put their IP in the .htaccess and get access. This is a big security improvement. Let's say a hacker gets a cookie and has a login; that's fine, maybe, to post something on the site, but he won't get access to the /admin area and mess up things pretty bad.

Also, from my experience I need to shut off cookie, URL and Unicode checks on nearly every shared server. The ability to add these per site can be great.

Lastly, such a setup should reduce server load. Now, many of us hosters have most of gotroot's rules since we need to protect many applications, and we never know what applications our users have and we can't keep track of it for sure. We could provide protection for basic apps like phpBB, Nuke, Mambo and a bunch of others, while keeping out the vast amount of rules for all other PHP/CGI apps on a per-need, per-site basis.

Now, what are the cons of allowing "unknown - untrusted" users to add stuff to mod_security? I believe we can make all important rules mandatory. I wouldn't want to have a user disabling mod_security totally, for example, nor messing with the audit_log.

Thanks,
Justin
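As an added illustration of the per-site setup the post describes (this is editor-supplied example configuration, not text from the original message or from the mod_security project), here is what the two .htaccess files might look like. It assumes the ModSecurity 1.9-era directive names (SecFilterEngine, SecFilterCheck*, SecFilterSelective), Apache 2.0/2.2 mod_access syntax for the plain access-control variant, and constructed values for the admin IP (203.0.113.42), the admin path (/admin) and the document root.

```apacheconf
# /var/www/example.com/htdocs/.htaccess   (site root; path is a constructed example)
#
# Per-site relaxation of the three checks the post says it has to turn off on
# shared servers. Only those checks are switched off; the engine itself stays
# on, so the server-wide rule set is still applied to this site.
SecFilterEngine On
SecFilterCheckCookieFormat Off
SecFilterCheckURLEncoding Off
SecFilterCheckUnicodeEncoding Off

# /var/www/example.com/htdocs/admin/.htaccess   (admin directory; constructed path)
#
# Option A: restrict /admin by client address with plain Apache access control.
# This needs no mod_security at all and keeps working if the module is ever
# unloaded for the vhost. Apache 2.0/2.2 mod_access syntax; on 2.4 the
# equivalent is "Require ip 203.0.113.42".
Order Deny,Allow
Deny from all
Allow from 203.0.113.42

# Option B: the same restriction as a mod_security 1.9 selective filter, so a
# blocked attempt is recorded through the audit log like any other filter hit.
# The leading "!" negates the pattern: every client whose REMOTE_ADDR is not
# the listed address is denied with a 403. The site owner edits this one line
# when their dynamic IP changes, which is exactly the workflow the post
# describes.
SecFilterSelective REMOTE_ADDR "!^203\.0\.113\.42$" "deny,log,status:403"
```

Whether either file is honoured at all is decided at the server level: the compile option the post mentions turns .htaccess processing off entirely, and the server's own httpd.conf is where the rules Justin wants kept mandatory, and the audit log location, have to live so that a site-level file cannot override them.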