Anyone using Web Application Firewalls successfully? What do you like?

I'm just curious as to whether others are using WAFs with XenForo successfully. I'm about to migrate the forums I host to a new server and the question is "Do I install a WAF, or not?"

I've tried protecting one forum with Imunify360, and it mostly works but occasionally it will trigger on innocuous things like uploading two files in a post. It seems much more tuned for WordPress than for generic PHP applications.

I wonder if others like cPGuard are better, using the malware.expert ruleset.

Any success stories?
 
it mostly works but occasionally it will trigger on innocuous things like uploading two files in a post.
That’s the essence of using a generic WAF. The WAF does not know what is good or bad behavior out of the box. So either it blocks valid requests, believing them to be malicious, or allows malicious requests, believing they might be valid.
 
I use Cloudflare (free plan) and Sophos Firewall w/ WAF (formerly known as XG). It takes a while until you've figured out all the exceptions you must add, but it's really worth it. Admins must authenticate with their LDAP password before they can enter the Administrator Control Panel and IDS/IPS keeps the script kiddies at arm's length.
 