Current time: 11-23-2024, 12:34 PM Hello There, Guest! (LoginRegister)


Post Reply 
Do you think Mod_Security is needed?
Author Message
robmorin Offline
Junior Member
*

Posts: 208
Joined: Apr 2007
Reputation: 0
Post: #1
Do you think Mod_Security is needed?
Hello all... i was wondering with all the new fcgi, and the way Omega implements the use of php security, do you think mod_security would be any help? I use it now in my vhcs2 setup , but it can be a pain in the ass to setup...

Once i installed it i had virtually no hacks at all.... mind you once you CHOWN to root only files like this, a script i use on every machine..

chmod g-x,o-x /usr/bin/wget
chmod g-x,o-x /usr/bin/curl
chmod g-x,o-x /usr/bin/lwp-*
chmod g-x,o-x /usr/bin/lynx.stable
chmod g-x,o-x /usr/bin/fetch
chmod g-x,o-x /usr/bin/GET
chmod g-x,o-x /usr/bin/netkit-ftp
chmod g-x,o-x /usr/bin/lwp-request

There is not much a hacker can do to get scripts over to the web server for cross site scripting hacks....

Any opinions/comments?

Thanks

ROb..
10-24-2007 12:29 AM
Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #2
RE: Do you think Mod_Security is needed?
it all depends on what you use mod_security for. But remember it doesn't provide full protection (and it can, sometimes, be really bogus)
10-24-2007 12:50 AM
Visit this user's website Find all posts by this user Quote this message in a reply
robmorin Offline
Junior Member
*

Posts: 208
Joined: Apr 2007
Reputation: 0
Post: #3
RE: Do you think Mod_Security is needed?
I wanted to use it to protect my web server from php programmers that do not program properly, and leave open exploitable scripts....

I do not have a good understanding of mod_security as its pretty confusing to use... never mind create excludes!

but with those mentioned files chowned to root , is there aything else i should worry about? Mind you i have had clients php scripts exploited to mass email or spam via that script, so i assumed mod_security would stop this too??

Rob..

raphael Wrote:it all depends on what you use mod_security for. But remember it doesn't provide full protection (and it can, sometimes, be really bogus)
10-24-2007 12:57 AM
Find all posts by this user Quote this message in a reply
monotek Offline
Junior Member
*

Posts: 65
Joined: Dec 2006
Reputation: 0
Post: #4
RE: Do you think Mod_Security is needed?
mod_security eats a lot of performance when it checks for unwanted patterns via regex if you have several sites configured.

therefore this shouldnt be more than optional...
10-24-2007 08:49 AM
Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #5
RE: Do you think Mod_Security is needed?
Quote: do not have a good understanding of mod_security as its pretty confusing to use
you must first understand how it operates and how to use it; just like any other tool being used on a server

Quote:but with those mentioned files chowned to root
you didn't chown anything

Quote:is there aything else i should worry about?
a thousand things

Quote:Mind you i have had clients php scripts exploited to mass email or spam via that script, so i assumed mod_security would stop this too??
see my first answer in this post (not thread)
10-24-2007 09:26 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #6
RE: Do you think Mod_Security is needed?
maybe the suhosin extension for php is better suited for you - it ships with several distributions...

http://www.hardened-php.net/suhosin.127.html
10-24-2007 09:27 AM
Visit this user's website Find all posts by this user Quote this message in a reply
robmorin Offline
Junior Member
*

Posts: 208
Joined: Apr 2007
Reputation: 0
Post: #7
RE: Do you think Mod_Security is needed?
Sorry i meant chmod , as they are already owned by root...

But hey thanks for pointing that out....

Rob..

raphael Wrote:
Quote: do not have a good understanding of mod_security as its pretty confusing to use
you must first understand how it operates and how to use it; just like any other tool being used on a server

Quote:but with those mentioned files chowned to root
you didn't chown anything

Quote:is there aything else i should worry about?
a thousand things

Quote:Mind you i have had clients php scripts exploited to mass email or spam via that script, so i assumed mod_security would stop this too??
see my first answer in this post (not thread)
10-25-2007 12:32 AM
Find all posts by this user Quote this message in a reply
robmorin Offline
Junior Member
*

Posts: 208
Joined: Apr 2007
Reputation: 0
Post: #8
RE: Do you think Mod_Security is needed?
Thanks joximu for that info and link i will check it out....

Have a great day/evening

Rob..

joximu Wrote:maybe the suhosin extension for php is better suited for you - it ships with several distributions...

http://www.hardened-php.net/suhosin.127.html
10-25-2007 12:34 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)