Dear all,

I recently installed mod_security on a very busy Apache server running a number of forums similar to AO. It is an Apache plugin which scans requests for intrusion attempts, and blocks and logs them.

It's working well, but requires some fieldishly difficult tuning to prevent it from blocking legit requests. Some of the example rules given in the doc filter out a lot of legitimate traffic.

Anyway, I'm wondering

:: What experience does anyone have with this piece of kit?
:: Any tips for rules for security with minimum false positives?
:: Any common pitfalls in rule writing for mod_security, and how to fix them

I can see that there are some undesirable behaviours, such as scanning the entire contents of a binary upload for SQL injection attacks, which can make false positives rather easily.

Otherwise, it's a good piece of kit.