
This is a discussion on Looking for JPC Tweaked mod_security rules in the VPS & Dedicated forum

  1. #1
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158

    Looking for JPC Tweaked mod_security rules

    mod_security for apache 1x not 2x

    Searched here and also googled for a good set of mod_security rules. Good meaning not too aggressive but strong enough to block most exploits.

    Wondering if anyone on a VPS here has a good set of rules tweaked for JPC's VPSs?

    If Masood is reading this, does Jag use mod_security on its shared servers or sdx or do you have a set for a vps you may have?

    If so, can y'all post them here in the thread?

    Thanks,
    -=Frank=-

  2. #2
    I didn't do it! Daniel_DBS's Avatar
    Join Date
    Aug 2007
    Location
    Mars
    Posts
    1,204
    I'm using the ones from gotroot.com:

    http://www.gotroot.com/mod_security+rules

    They have a set for apache 1.x and 2.x
    -Daniel

    If the automobile had followed the same development cycle as the computer, a Rolls-Royce today would cost $100, get a million miles to the gallon, and explode once every few weeks.

    My scripts never have bugs. They just develop random features.

  3. #3
    I didn't do it! Daniel_DBS's Avatar
    Join Date
    Aug 2007
    Location
    Mars
    Posts
    1,204
    BTW, if you want to try those, you need to download the modsec 1.9 package because the 2.x doesn't support apache 1.3.x
    -Daniel

  4. #4
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158
    I know about gotroot.com but their rules are complex and would bring a VPS to its knees - no?

    Here is a good thread on mod_security: http://forum.myriadnetwork.com/showthread.php?t=239

  5. #5
    I didn't do it! Daniel_DBS's Avatar
    Join Date
    Aug 2007
    Location
    Mars
    Posts
    1,204
    Hmmm... Where's Thisisit and Jason?!? They would know where to get decent rules...

    I just noticed something... Amongst my slew of enhancements, I uploaded those rules as a tarball to my /tmp directory and never installed them...
    -Daniel

  6. #6
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    642
    I'll tell you what I think: there is no panacea. It all depends on what you have to protect (how valuable) and how far you are willing to go to protect it.

    I believe you should first secure your underlying system (suexec, open_basedir tweak, etc), then go through your web applications and secure/update them as much as possible and finally, decide if you are going to do some HTTP filtering based on mod_security and friends.

    If your underlying system is secure, then a compromised account won't affect you: find the vulnerability, reload that account from a backup and fix the "hole".

    If you think you should go for mod_security, if you think it warrants the effort, then you should probably create your own rules.

    Based on my tests, most of the published rules are totally outdated (you shouldn't be running old software anyway, so don't try to protect it with mod_security), so try to create or find rules based on your system.

  7. #7
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158
    I am interested in the same type of rules that catch the apache exploits your rules for BFD do.

  8. #8
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    642
    My rules are not explicit to apache, but cover a wide range of applications. I guess if you want the "apache-exploits" only then you'd have to convert them manually. They are a bunch of regex rules, so it shouldn't be that hard.
