September 19th, 2004, 05:13 PM
I'm considering installing mod_security ( http://www.modsecurity.org/ ). I'm just wondering if anyone else here has used this. From what I understand, this Apache module will help fight off Cross Site Scripting and SQL Injection Attacks.
If you've used it, what was the impact on your server? Performance? Did it prevent any attack you might have tested?
Thanks for your comments, advice, posts in advance.
September 19th, 2004, 06:11 PM
It's quite a useful piece of kit. But you have to use it with care.
Its performance impact is negligible, and it does stop a lot of SQL injection or traversal attacks etc.
However, the big drawback is having it blocking legitimate traffic. This is worse on forums, particularly IT-related ones, where the keywords its rules are looking for tend to get triggered accidentally.
The default rules are quite unsuitable for general use - particularly the XSS blocking rules, which are so generic they effectively block everything.
My advice is to disable all rules EXCEPT for ones which deal with SQL injections - particularly if that's where your problems lie.
A lot of the stuff it ends up blocking is IIS/win32 worms - which is entirely pointless as Apache isn't vulnerable to these attacks in the first place.
Just disable any rule which could possibly generate false positives.
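An added example, not part of the thread and not ModSecurity's own rule set: one way to act on the advice in the post above is to replay known-good traffic through each candidate rule and keep only the rules that catch something without ever firing on legitimate requests. The rule names, patterns and sample requests are all constructed for illustration, and the sketch also covers traversal alongside SQL injection.

```python
import re

# Hypothetical rules written for this example (not ModSecurity's shipped rules).
RULES = {
    "xss_generic": re.compile(r"<[^>]+>|script", re.I),
    "sql_keyword": re.compile(r"\b(select|union|drop)\b", re.I),
    "sql_injection": re.compile(
        r"'\s*(or|and)\s+\d+\s*=\s*\d+|\bunion\s+select\b", re.I),
    "traversal": re.compile(r"\.\./"),
}

# Constructed samples: (request text, is_attack). The first four mimic
# ordinary posts on an IT forum, the kind of traffic generic rules trip on.
SAMPLES = [
    ("How do I SELECT rows from two tables without a join?", False),
    ("My <b>script</b> tag is not loading, any ideas?", False),
    ("Should I drop the index before the bulk import?", False),
    ("Thanks, that fixed it.", False),
    ("id=1' OR 1=1--", True),
    ("id=1 UNION SELECT name, pass FROM users", True),
    ("file=../../etc/passwd", True),
]

def evaluate(rules, samples):
    """Return {rule_name: (true_positives, false_positives)}."""
    stats = {}
    for name, rx in rules.items():
        tp = sum(1 for text, bad in samples if bad and rx.search(text))
        fp = sum(1 for text, bad in samples if not bad and rx.search(text))
        stats[name] = (tp, fp)
    return stats

def rules_to_keep(stats):
    """Keep rules that catch an attack and never hit legitimate traffic."""
    return sorted(n for n, (tp, fp) in stats.items() if tp > 0 and fp == 0)

def blocked(rules, names, text):
    """True if any of the named rules matches the request text."""
    return any(rules[n].search(text) for n in names)

if __name__ == "__main__":
    stats = evaluate(RULES, SAMPLES)
    for name, (tp, fp) in stats.items():
        print(f"{name:14} caught={tp} false_positives={fp}")
    print("keep:", rules_to_keep(stats))
```

The same replay can be done against a real rule set by running it in a log-only mode over a sample of production requests before enabling blocking.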
September 19th, 2004, 06:17 PM
That being said, this product sounds like more of a hassle than what it's really worth.
Any other experiences?
September 19th, 2004, 10:36 PM
I wasn't trying to dissuade you from using it - just a warning. It's a configurable piece of kit, with a lot of rules available. If you turn the wrong ones on, you damage your own site.