I've added a page that explains what each of the rulesets does:
http://www.gotroot.com/tiki-index.php?page=Which+mod_security+rules
Everyone's system is unique, so you may have to adapt some of the rules
to your environment. I would love it if everyone ran with all the rules
- if it's any consolation, I run with all the rules on my servers - so
they can get as much testing as possible in as many real environments as
possible as I can't test for everything.
So, if you can, run with all the rules and lemme know if something
breaks, be it false positives or negatives. If you can't afford any
false positives, then you need to look at the rules, understand them and
adapt to your specific environment.
So selfishly, I'd say "run them all!", but realistically you should only
run with those rules that work for your system, which may require some
tweaking, twisting and groaning over false alarms. In short, nothing is
perfect.
With all that said, I do try to make sure the rules have the lowest
probability for a false positive that I can test for (but I'm only
human) and I do run with all these rules on my server, so I never
release a rule I'm not comfortable running on my machines. But, my
machines might be different from yours. :-)
So, if you have the time to monitor them, and can stand a few false
positives, run with all the rules and post any problems you might have
with them so we can fix them; if not, then you will need to understand
the rules and modify them for your system to fit your specific
needs. :-)
Oh, also, I run Plesk 7.5.x on some of my machines, so for the most part I
would expect that the rules should work fine with the basic Plesk
software, but keep in mind that your users may upload their own custom
apps to your PSA server and there may be a conflict in the rules. If
you do run into a problem, please let me know and I'll take a look at it
to see if the rule(s) can be modified in general to take that new
application into account.
--
Michael T. Shinn KeyID:DAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
ModSecurity WebServer Firewall: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com