New on LowEndTalk? Please Register and read our Community Rules.
Comments
No one?!
I don't think many people use mod_security. I remember once I tried it and downloaded all OWASP mod_security rules, and manually removed some because they were causing false positives, so you should test your website before adding mod_security into production to make sure no essential functionality is broken. From a secure programmer's point of view, I don't use mod_security because I trust the code I write. I can't say the same for other coders though.
So, if you use WordPress (+ tons of plugins) and are afraid of getting hacked, sure, mod_security wouldn't be a bad idea. If you're a programmer and are confident that you're writing secure code, then just say "f*** the ~~police~~ hackers" and sleep well.
I use it. I make my own rules as I need them.
mod_security is a waste of time
it just helps secure your site :P
If rules are configured incorrectly, you could get false positives.
Who else is thinking this person is trying to get the provider tag by posting redundant and really everyone already knows the answer to (useless) posts?
...maybe not here, but it's widely used. Both KnownHost and WiredTree put their own mod_security recipes (and some standard ones) into their standard cpanel setups. I bet you'd find a lot of the big shared hosting companies use it.
And that's exactly where big shared hosting providers are. They can't check all customers' code, but bank on mod_security stopping a lot of the obvious attacks and protecting the most common platforms like WP.
That's true in virtually any context, no?
A lot of people use premade sets. cPanel actually comes with premade sets now. Generic premades are good for a shared server since you really don't benefit from basing it around a single application's code.
For me, I make bad code and I secure at the web server. It's unconventional but it works, as long as you know your strengths and weaknesses.
Yes, I use Mod_Security.
I am using the Comodo free rules.
It can slow down your app a little and can cause an error. You have to test your app with Mod_Security and remove any rules that cause you a problem, or modify your app.
lol what the hell is wrong with people here?! I wanted to know the rules people use. I don't want the provider tag because I don't provide anything. wtf lol
I heard about the Comodo free rules. Should I use them? What's your experience?
Depends on what you're hosting. I don't think there is a yes or no answer to that. You should install them and see how it works.
Mod_Security is good and yes, I do recommend the free rules from Comodo. Just remember that mod_security only provides a base level of protection for any web application. Also, if you find any problem with any of your applications after enabling mod_security, then you need to check the web server logs and remove that particular problem-causing rule.
Modsecurity is not good for a production server. It's a good option not to use any code unless you know what you are doing or what your code will do. A simple blocking code can affect other sites and block them.
That's not a very educated statement. I keep seeing people reference it as though "using mod_security" and "using publicly available third party generic rules" are equal statements. They are not, at all.
One server might have mod_security installed specifically to combat xmlrpc attacks, for example. That may be the only rule loaded into Apache. Is mod_security bad for a production server then?
I didn't mean that. I said that using any code without proper testing can create a lot of issues, and resolving them will take a long time.
@DewlanceVPS
Your statement was difficult to understand.
Hell, you could be the best developer in the world and still make a mistake that leaves a vulnerability in your code.
mod_security is more or less a security measure to prevent these holes from being abused, in my opinion. It can be customized to prevent WordPress attacks, etc., and I use it for many of my production websites as a precaution.