  1. #1

    Host does not run mod_security

    Hello,

    I recently changed my hosting and had a problem with one of my domains. I raised a ticket with the host and they fixed it and this is what they said the problem was:

    The SecFilter line in your htaccess was causing a 500 error - I've removed it (it's not needed as we don't run mod_security)

    Well, whatever they did got the site up OK but now I don't know if it is a good thing or a bad thing that this host does not run mod_security. I have tried reading up on it but it is a bit too techie for me.

    If anyone could tell me a bit about it I would be grateful and failing that, on a scale of 1 to 10, how much should I be concerned?

    Thanks

    Martin
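
Added example (not part of the original thread): Apache answers with a 500 error when an .htaccess file uses a directive whose module is not loaded, which is the failure the host describes above. The sketch below flags `Sec*` lines that are not wrapped in an `<IfModule>` test for ModSecurity; the function name, the module-name list and the sample file are assumptions made for illustration.

```python
import re

# Assumption: ModSecurity directives all begin with "Sec" (SecFilterEngine, ...).
SEC_DIRECTIVE = re.compile(r"^\s*(Sec[A-Za-z0-9]+)\b", re.I)
IFMODULE_OPEN = re.compile(r'^\s*<IfModule\s+(!?)\s*"?([^\s">]+)"?\s*>', re.I)
IFMODULE_CLOSE = re.compile(r"^\s*</IfModule\s*>", re.I)
# Names an <IfModule> test can use for ModSecurity 1.x and 2.x.
MODSEC_NAMES = {"mod_security.c", "security_module",
                "mod_security2.c", "security2_module"}

def unguarded_sec_directives(htaccess_text):
    """Return [(line_number, directive)] for Sec* lines that Apache would
    try to parse even when ModSecurity is not loaded."""
    findings = []
    guards = []  # one bool per open <IfModule>: True if it tests for ModSecurity
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        opened = IFMODULE_OPEN.match(line)
        if opened:
            negated = opened.group(1) == "!"
            guards.append(not negated and opened.group(2).lower() in MODSEC_NAMES)
            continue
        if IFMODULE_CLOSE.match(line):
            if guards:
                guards.pop()
            continue
        directive = SEC_DIRECTIVE.match(line)
        if directive and not any(guards):
            findings.append((lineno, directive.group(1)))
    return findings

# Constructed sample .htaccess, not taken from the thread.
SAMPLE = """\
# constructed sample
SecFilterEngine Off
<IfModule mod_security.c>
    SecFilterScanPOST Off
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    SecFilterEngine Off
</IfModule>
"""

if __name__ == "__main__":
    for lineno, name in unguarded_sec_directives(SAMPLE):
        print(f"line {lineno}: {name} is outside an <IfModule> guard for ModSecurity")
```

Running this before moving a site between hosts shows which lines will break on a server without the module; wrapping them in a matching `<IfModule>` block keeps the file portable.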

  2. #2
    I'd be at a 3, but you should familiarize yourself with a bit of what mod_security did for you in the past and make sure your website code is safe from things like SQL injection and cross-site scripting. Many hosts do not run mod_security because it can be a pain to manage. It can impose limits on how much data a form can submit, for example, which would make many clients' admin tools or WYSIWYG page editors break.

  3. #3

    Thanks

    Thank you for taking the time to reply.

    A 3 isn't bad!

    I'm steadily learning this stuff and have done what I can to make the site secure so with the other things in place, I think I'll sleep easy.

    Martin

  4. #4
    mmj
    Security is unfortunately very complex and just enabling a module cannot solve all your security problems. As has been mentioned, look out for SQL injection and cross site scripting vulnerabilities in your code, as those are some of the most common security problems. While mod_security claims to be able to help prevent these, it cannot ultimately be responsible for preventing all SQL injection or CSS attacks since it would need to make assumptions about your application - more than anything, when it does work it's just as likely to interfere with your site's ability to accept certain input (may not be noticed on certain sites). If you are using scripts you've obtained from elsewhere, be very sure you always keep them updated with the latest security updates. And keep good backups.

  5. #5
    Thanks for chipping in...

    I have done my best with security and followed as much of the advice as I can understand. I have some plugins like the password lock-down, security scan and a firewall. I've moved my wp-config, password protected my admin folder, got rid of the admin login username and use long, meaningless passwords. Phew!

    Oh, and I take back-ups and keep things updated.

    Martin

  6. #6
    Originally posted by mmj:
    "Security is unfortunately very complex..."
    Oh yeah!

  7. #7
    If the host doesn't run mod_security, they're ignorant about security, or don't care.

    Mod_security is useful as it's another layer of protection - it covers you against 0-day exploits until you get time to update your website's code.

    A good host can also couple mod_security with the firewall so that multiple hits cause an IP to be blocked.

    We're a host and we do run mod_security, and it is coupled with our firewall; I'm sure we're not alone, although I realize many hosts don't do stuff like this.

    By the way, they should also have the server hardened, and if they haven't you should choose another host. Just my opinion.
    Last edited by brianoz; Sep 24, 2011 at 09:17. Reason: expand a little

  8. #8
    Thanks

    Martin

  9. #9
    Just to clarify - mod_security is not an all-in-all solution, but it does help. It's an important layer in a multi-layered solution, including keeping your software up to date as well as ensuring you watch for SQL injection and other forms of attack.

    Mod_security can impact sites, no question of that, though a good host can minimize impact by switching off the rules your site is hitting. Unfortunately the typical approach to mod_security issues is to turn it off for the entire site, usually a pity.

    It's a battlefield out there these days; keeping sites secure requires a variety of solutions.

