Mod Security in Critical Systems, Install?
Hello All :)
I have critical systems running in WHM where, if my service goes down for just 5 min, a lot of websites would too. So, my question is, to be or not to be, no, seriously, in case of installing Mod Security, is there some type of timeout which I can expect, or is all config empty?
Regards!
ModSecurity, like most security-related features, has the potential to block users from visiting sites. The goal, as always, is to only block malicious traffic. But as with any blocking feature (brute force, anti-spam, etc.) you run the risk of false positives. In short, yes, it is possible for you to cause downtime for clients if you have a ModSecurity rule that inadvertently blocks good traffic. This is just the same risk as having an anti-spam rule or anti-spam software that might block a good piece of email. The best advice I have is for you to set the ModSecurity engine to the "report only" mode (so it will log what it WOULD have blocked, but not actually block the traffic). From there, you can review if you would've been blocked when viewing the website(s) normally. If everything looks good after a few days/weeks of testing, then you could switch it over to enforce the blocks. As of 11.46, cPanel & WHM does not distribute a default set of ModSecurity rules, so you'll need to look into 3rd party ModSecurity rulesets if you are looking to deploy rules. In a future release, we plan to include a distribution of the OWASP ruleset with cPanel & WHM.
Thank you for clarifying :) Very useful! I would put it in "report only". PS: Sometimes I do not see the pop-up about activation; where can I find it on the WHM dashboard?
In the event you change your mind about the decision you made in the Feature Manager or didn't see the Feature Showcase, you can manually enable the ModSecurity Domain Manager through the options below:
- Go to: WHM
- Go to: Feature Manager
- Edit the "default" feature list
- Check "Mod_Security Domain Manager"
You are the man!
You will usually find with most rulesets that one or two rules need to be whitelisted for your application. That slight nuisance is well worth the benefits of running a good web application firewall, especially on critical or production systems. The recommended method of processing but not disrupting (at first) is a good one. Use the features of your site, and make sure your IP does not show up with any rules being tripped. If it does not, you should be OK to deploy ModSecurity normally. If you notice rules being logged during normal use, disable or adjust the rules (or your code) to stop that. Once you can use the site normally without any ModSecurity notices, then go ahead and deploy. If you do run into issues in production, it's likely to only affect very specific requests (like long blog posts that contain SQL commands like SELECT, DROP, etc.). Typically all you need to troubleshoot that is the IP of the legitimate visitor who experienced the error, and you can adjust the rule for everyone.
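The two pieces of advice in this thread, run the engine in "report only" mode first and then check whether your own IP trips any rules during normal browsing, come down to reading the ModSecurity entries in the Apache error log. The script below is an added example, not code from the thread or from cPanel: it parses lines in the ModSecurity 2.x / Apache 2.4 error-log format, tells the "Warning." form written in DetectionOnly mode apart from the "Access denied" form written once blocking is on, counts which rules a trusted IP tripped on which URIs, and emits a `SecRuleRemoveById` whitelist scoped to just those URIs. The log lines, hostnames, addresses and rule ids 900001/900002 are constructed sample values, not real CRS rules.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from any real server) in the ModSecurity 2.x /
# Apache 2.4 error-log format.  The first three show what a DetectionOnly engine
# writes ("Warning." and nothing blocked); the fourth shows the blocking form for
# comparison.  Rule ids, hosts and addresses are invented for the example.
SAMPLE_LOG = "\n".join([
    '[Tue Mar 10 10:22:11.123456 2015] [:error] [pid 1234] [client 203.0.113.5:54321] '
    'ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:content. '
    '[file "/etc/modsecurity/example.conf"] [line "12"] [id "900001"] '
    '[msg "SQL keyword in request body"] [hostname "www.example.com"] '
    '[uri "/blog/wp-admin/post.php"] [unique_id "AAA"]',
    '[Tue Mar 10 10:25:40.000001 2015] [:error] [pid 1234] [client 203.0.113.5:54322] '
    'ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:content. '
    '[file "/etc/modsecurity/example.conf"] [line "12"] [id "900001"] '
    '[msg "SQL keyword in request body"] [hostname "www.example.com"] '
    '[uri "/blog/wp-admin/post.php"] [unique_id "AAB"]',
    '[Tue Mar 10 10:30:02.000001 2015] [:error] [pid 1235] [client 203.0.113.5:54330] '
    'ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:message. '
    '[file "/etc/modsecurity/example.conf"] [line "20"] [id "900002"] '
    '[msg "SQL keyword in contact form"] [hostname "www.example.com"] '
    '[uri "/contact/"] [unique_id "AAC"]',
    '[Tue Mar 10 11:02:55.000001 2015] [:error] [pid 1236] [client 198.51.100.9:40000] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select)" at ARGS:id. '
    '[file "/etc/modsecurity/example.conf"] [line "12"] [id "900001"] '
    '[msg "SQL keyword in request body"] [hostname "www.example.com"] '
    '[uri "/index.php"] [unique_id "AAD"]',
])

# "[client IP:port]" followed by either the report-only or the blocking message.
CLIENT_RE = re.compile(
    r'\[client (?P<ip>[^\]]+?)(?::\d+)?\] '
    r'ModSecurity: (?P<action>Warning|Access denied with code \d+ \(phase \d\))\.')
# The bracketed key/value fields that follow the message; only these four are used.
FIELD_RE = re.compile(r'\[(id|msg|hostname|uri) "([^"]*)"\]')


def parse_modsec_log(text):
    """Turn error-log lines into event dicts; lines without a ModSecurity message are skipped."""
    events = []
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        events.append({
            "ip": m.group("ip"),
            "blocked": m.group("action").startswith("Access denied"),
            "rule_id": fields.get("id"),
            "msg": fields.get("msg", ""),
            "host": fields.get("hostname", ""),
            "uri": fields.get("uri", ""),
        })
    return events


def hits_for_ip(events, ip):
    """Counter of (rule_id, uri) pairs tripped by one client IP, e.g. your own while testing the site."""
    return Counter((e["rule_id"], e["uri"]) for e in events if e["ip"] == ip)


def other_ips_tripping(events, rule_id, exclude_ip):
    """Other clients that tripped the same rule: if only your own browsing trips it, it is a
    whitelist candidate; if unknown clients trip it elsewhere, keep it and narrow the exception."""
    return sorted({e["ip"] for e in events if e["rule_id"] == rule_id and e["ip"] != exclude_ip})


def whitelist_snippet(events, trusted_ip):
    """Emit SecRuleRemoveById directives scoped with <Location> to the exact URIs where the
    trusted IP tripped each rule, so the rule keeps protecting the rest of the site."""
    per_uri = defaultdict(set)
    for rule_id, uri in hits_for_ip(events, trusted_ip):
        per_uri[uri].add(rule_id)
    out = []
    for uri in sorted(per_uri):
        out.append(f'<Location "{uri}">')
        for rule_id in sorted(per_uri[uri]):
            out.append(f"    SecRuleRemoveById {rule_id}")
        out.append("</Location>")
    return "\n".join(out)


if __name__ == "__main__":
    evts = parse_modsec_log(SAMPLE_LOG)
    my_ip = "203.0.113.5"  # constructed: the address you browsed the site from
    for (rule_id, uri), n in sorted(hits_for_ip(evts, my_ip).items()):
        print(f"rule {rule_id} tripped {n}x on {uri}; other clients: "
              f"{other_ips_tripping(evts, rule_id, my_ip) or 'none'}")
    print(whitelist_snippet(evts, my_ip))
```

The generated `<Location>` block is the narrow form of "adjust the rule": it switches rule 900001 off only for the editor URL where long posts legitimately contain SELECT, while the same rule still fires (and, once `SecRuleEngine On` is set, blocks) for the scanner hitting `/index.php`. Review the `other_ips_tripping` output before pasting anything into the configuration; a rule tripped by many unrelated clients on the same URI is more likely a real attack pattern than a false positive.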