Testing with Apache mod_security



volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Testing with Apache mod_security

Post by volomike »

There's a new development in the world of PHP that's making life extremely tough for PHP developers. It's called Apache mod_security and it has bugs where it creates a lot of false positives. What will happen is your PHP will suddenly 404 or 403 without a clear understanding of what's wrong. If you've never heard of mod_security, then those 404 or 403 errors would throw you for a loop like they did me for a couple of weeks until HG tech support explained what's going on. This thing is super hard to install in my opinion on Linux, and unfortunately HostGator and a few other shared hosting plans are installing this.

I have Ubuntu Linux Desktop 10.04 LTS and I need to start getting used to Apache mod_security. I need to know how to install and configure it properly so that I can test all my PHP applications I code against it, and then if there's a false positive going on, I need to figure out what's the workaround or submit the false positive report to the mod_security team so that they can fix their rules.

I understand the premise of Apache mod_security, but the trouble is that so far the implementation of it seems clumsy to me with all its false positives. In fact, the guys who make WordPress are active on the mod_security mailing list, reporting all the false positives so that at least WordPress doesn't go nuts.

How do I properly install and configure Apache mod_security on Ubuntu Linux Desktop 10.04 LTS?

How do I troubleshoot to know what rule number it might be triggering on a false positive?

Have you been able to do any .htaccess tricks on HostGator shared hosting to completely turn off Apache mod_security?
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Testing with Apache mod_security

Post by twinedev »

While it isn't a new development (it's been around for years), yes, it can be a pain in the rump to track what happened. The best advice is to make sure you have access to the log files (and those can be fun till you get used to them as well).

Once you get used to it, it isn't so bad. The sad part is some people throw this onto their server instead of fixing true script vulnerabilities. (Where I used to work did this, and boy, the first two weeks were a learning curve as sites crashed until the settings got tweaked to the right level; there are TONS of options.)

-Greg
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Testing with Apache mod_security

Post by requinix »

I installed it on my dev server but ultimately removed it because it was such a pain to have to remote in every time there was a problem and find out what little thing it tripped up on and wouldn't tell me about. I can't remember if I installed it on my live server and I'm not decided on whether I want it.

There are definitely some rules that have been more harmful to me than not:
* 403 if the request body contains script
  - Backfires if I wanted to post something to my blog
* 403 if the request body contains potential SQL injection - this includes words like "and" and "or", though only under certain (fairly common) conditions
  - Backfires if I wanted to post something to my blog
* 403 for directory listings
  - I have a subdomain where I put random stuff and it's all shown with directory listings (don't care about something more user friendly)

To install and configure: is it not in the package manager? I do remember installing it from their site at one point.
Troubleshoot: error logs and the mod-security log both mention the rule number that triggers the error response. Then SecRuleRemoveById it.
To deal with it: you really should try to disable the individual rules that are causing problems, but otherwise I think you can pass a huge range to SecRuleRemoveById (like 0-999999).
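Added example (not from this thread or from the mod_security project) that automates the troubleshooting step described above: pull the rule ids out of the Apache error-log lines and turn them into SecRuleRemoveById exceptions scoped to the URI that tripped them, instead of removing the whole 0-999999 range. The log lines are constructed samples in the shape mod_security 2.x writes; the rule ids, messages and file paths are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape mod_security 2.x writes to the Apache
# error log; the rule ids, messages and file paths here are made up.
SAMPLE_ERROR_LOG = """\
[Wed Jan 16 09:04:00 2011] [error] [client 203.0.113.5] PHP Notice:  Undefined index: foo in /var/www/index.php on line 3
[Wed Jan 16 09:04:01 2011] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<script)" at ARGS:content. [file "/etc/modsecurity/constructed_xss.conf"] [line "12"] [id "950001"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed-1"]
[Wed Jan 16 09:05:12 2011] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:and|or)\\b)" at ARGS:content. [file "/etc/modsecurity/constructed_sqli.conf"] [line "40"] [id "950002"] [msg "SQL Injection Attack"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed-2"]
[Wed Jan 16 09:07:30 2011] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<script)" at ARGS:message. [file "/etc/modsecurity/constructed_xss.conf"] [line "12"] [id "950001"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "blog.example.com"] [uri "/contact.php"] [unique_id "constructed-3"]
"""

# mod_security writes each piece of metadata as [key "value"]; pull out the ones we need.
_FIELD = re.compile(r'\[(id|msg|uri|file) "([^"]*)"\]')


def parse_modsec_events(log_text):
    """Return one dict per ModSecurity denial line: {'id', 'msg', 'uri', 'file'}."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # PHP notices and other Apache errors are not what we are after
        fields = dict(_FIELD.findall(line))
        if "id" in fields:  # every blocking rule carries an id; that id is what you disable
            events.append({k: fields.get(k, "") for k in ("id", "msg", "uri", "file")})
    return events


def exceptions_config(events):
    """Build Apache config that removes only the tripped rules, only for the URIs
    that hit them. A blanket 'SecRuleRemoveById 0-999999' would switch the whole
    rule set off for every request instead."""
    by_uri = defaultdict(set)
    msg_of = {}
    for e in events:
        by_uri[e["uri"]].add(e["id"])
        msg_of[e["id"]] = e["msg"]
    lines = []
    for uri in sorted(by_uri):
        lines.append(f"<Location {uri}>")
        for rule_id in sorted(by_uri[uri]):
            lines.append(f"    # {msg_of[rule_id]} (rule {rule_id}): confirm it is a false positive first")
            lines.append(f"    SecRuleRemoveById {rule_id}")
        lines.append("</Location>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(exceptions_config(parse_modsec_events(SAMPLE_ERROR_LOG)))
```

Point the script at your real error log instead of SAMPLE_ERROR_LOG; each rule it lists is a candidate to report upstream or to exempt for that one path.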