Do you think Mod_Security is needed?
Do you think Mod_Security is needed? - robmorin - 10-24-2007 12:29 AM

Hello all... I was wondering, with all the new fcgi, and the way Omega implements the use of php security, do you think mod_security would be any help?

I use it now in my vhcs2 setup, but it can be a pain in the ass to set up... Once I installed it I had virtually no hacks at all.... mind you once you CHOWN to root only files like this, a script I use on every machine..

```
chmod g-x,o-x /usr/bin/wget
chmod g-x,o-x /usr/bin/curl
chmod g-x,o-x /usr/bin/lwp-*
chmod g-x,o-x /usr/bin/lynx.stable
chmod g-x,o-x /usr/bin/fetch
chmod g-x,o-x /usr/bin/GET
chmod g-x,o-x /usr/bin/netkit-ftp
chmod g-x,o-x /usr/bin/lwp-request
```

There is not much a hacker can do to get scripts over to the web server for cross site scripting hacks....

Any opinions/comments?

Thanks
Rob..

RE: Do you think Mod_Security is needed? - raphael - 10-24-2007 12:50 AM

It all depends on what you use mod_security for. But remember it doesn't provide full protection (and it can, sometimes, be really bogus).

RE: Do you think Mod_Security is needed? - robmorin - 10-24-2007 12:57 AM

I wanted to use it to protect my web server from php programmers that do not program properly, and leave open exploitable scripts.... I do not have a good understanding of mod_security as it's pretty confusing to use... never mind create excludes! But with those mentioned files chowned to root, is there anything else I should worry about?

Mind you, I have had clients' php scripts exploited to mass email or spam via that script, so I assumed mod_security would stop this too??

Rob..

raphael Wrote:
> it all depends on what you use mod_security for. But remember it doesn't provide full protection (and it can, sometimes, be really bogus)

RE: Do you think Mod_Security is needed? - monotek - 10-24-2007 08:49 AM

mod_security eats a lot of performance when it checks for unwanted patterns via regex if you have several sites configured. Therefore this shouldn't be more than optional...
RE: Do you think Mod_Security is needed? - raphael - 10-24-2007 09:26 AM

Quote:
> do not have a good understanding of mod_security as it's pretty confusing to use

You must first understand how it operates and how to use it, just like any other tool being used on a server.

Quote:
> but with those mentioned files chowned to root

You didn't chown anything.

Quote:
> is there anything else I should worry about?

A thousand things.

Quote:
> Mind you, I have had clients' php scripts exploited to mass email or spam via that script, so I assumed mod_security would stop this too??

See my first answer in this post (not thread).

RE: Do you think Mod_Security is needed? - joximu - 10-24-2007 09:27 AM

Maybe the suhosin extension for php is better suited for you - it ships with several distributions...

http://www.hardened-php.net/suhosin.127.html

RE: Do you think Mod_Security is needed? - robmorin - 10-25-2007 12:32 AM

Sorry, I meant chmod, as they are already owned by root... But hey, thanks for pointing that out....

Rob..

raphael Wrote:
> Quote:
> > do not have a good understanding of mod_security as it's pretty confusing to use
>
> you must first understand how it operates and how to use it; just like any other tool being used on a server

RE: Do you think Mod_Security is needed? - robmorin - 10-25-2007 12:34 AM

Thanks joximu for that info and link, I will check it out.... Have a great day/evening

Rob..

joximu Wrote:
> maybe the suhosin extension for php is better suited for you - it ships with several distributions...
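
A check for the chmod list in the first post, added here as an example and not written by anyone in the thread: it reports which of those tools group or other can still execute, for instance after a package upgrade has reset the mode. The function name and the directory argument are assumptions; the tool names are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the thread): audit the download tools named in the
# first post for group/other execute bits.
# Usage, after sourcing this file:  audit_fetch_tools /usr/bin

# Prints one path per line for every listed tool that still has the group or
# other execute bit set. Returns 0 when nothing is exposed, 1 otherwise.
# $1 is the directory to scan (assumed default: /usr/bin, as in the post).
audit_fetch_tools() {
    dir=${1:-/usr/bin}
    found=0
    # Same names as the chmod list; lwp-request is already covered by lwp-*.
    for path in "$dir"/wget "$dir"/curl "$dir"/lwp-* "$dir"/lynx.stable \
                "$dir"/fetch "$dir"/GET "$dir"/netkit-ftp; do
        # Skip tools that are not installed, unmatched globs, dangling links.
        [ -e "$path" ] || continue
        # -H follows a symlink named on the command line, as chmod does, so
        # the mode tested is the real binary's. -perm -010 is true when the
        # group execute bit is set, -perm -001 when the other execute bit is.
        hit=$(find -H "$path" -prune \( -perm -010 -o -perm -001 \) -print)
        if [ -n "$hit" ]; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    return "$found"
}
```
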