1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Dealing With Mod_Security With LightSpeed Web Server

Discussion in 'Server Configuration and Hosting' started by TheBigK, May 31, 2013.

  1. TheBigK

    TheBigK Well-Known Member

    I recently switched over to LightSpeed web server, thanks to help offered by Mike Edge. Everything's working fine, except that users complained about the 500 server error while making posts. Not everyone gets the error, so I tried analysing one of the posts that triggered the error.

    I found that if I removed the word 'select' from the post, I could post it without any issues. Apparently, the system thinks that 'select' is a dangerous keyword to be present in the post.

    I switched over to Apache web server and tried making the post without any changes - and the post was successful. It looks like Apache understood the content better than LightSpeed.

    I've several questions -

    1. Should I completely disable mod_security? Is it safe?
    2. How do I make sure that mod_security is in place and yet users don't get nasty errors while making posts?
    3. What's the best way to deal with such situation? Every time I face such issue, my web hosts folks whitelist the rule and we get going. But that's not a long-term solution.

    So, the bottom line is - how do I ensure that my board works error free and accepts right content and rejects bad one?
     
  2. MattW

    MattW Well-Known Member

    I totally removed mod_security from my server after installing XenForo. It was blocking members via IPTables randomly as I had it integrated into CSF.
     
  3. TheBigK

    TheBigK Well-Known Member

    That's one of my options; but I'm not very experienced on server security. On my server, the only issue I've faced is that it triggers 500 internal server error when the post has specific keywords. Not sure how to deal with it.
     
  4. Biker

    Biker Well-Known Member

    Why do people use the sledgehammer approach when it comes to mod_security? I'd truly like to know as I personally feel that to rip a security tool off your server because one rule isn't working properly isn't a proper mindset to be in when it comes to protecting your server.

    If you have an issue with a rule, fix the rule or disable the rule. But to turn off mod_security because you can't be bothered to fine tune it is plain silly IMO. That includes disabling it in .htaccess because you can't be bothered to find what rule is triggering issues in the forum.
     
    hellreturn likes this.
  5. MattW

    MattW Well-Known Member

    Because at the time, I couldn't be bothered trying to fix it, rather than having it IP banning my members. It's been gone for almost 18 months now.

    The problem for me at the time was mod_security was using the default rule set provided during the Cpanel set up.
     
  6. Biker

    Biker Well-Known Member

    I used the default rules for years before finally getting the Atomic Corp rules. Even with the old rule set, it wasn't difficult to find which rule was kicking in.

    Seems to me that "can't be bothered to fix it" isn't something I'd want to hear an admin say when my data is on their server. Especially when it deals with what I'd consider a required security layer for the server.
     
  7. TheBigK

    TheBigK Well-Known Member

    Just wondering if following rules are 'Okay'?


     
  8. Biker

    Biker Well-Known Member

    Are you using the gotroot rules?
     
  9. TheBigK

    TheBigK Well-Known Member

    My server admin asked if he should add these rules. I've absolutely no clue, sorry.
     
  10. Tracy Perry

    Tracy Perry Well-Known Member

    mod_security... what's that... oh, that's right, something I never installed. :D
     
  11. MattW

    MattW Well-Known Member

    I've also not re-enabled it because I run mod_ruid2 on my server, and it's not fully compatible:
    http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/ModSecurity#Incompatibility with mod_ruid2
     
  12. Biker

    Biker Well-Known Member

    Exactly. Which is why I haven't implemented mod_ruid2. Until mod_security works with it, I won't be using it.
     
  13. MattW

    MattW Well-Known Member

    I need something that can provide account level separation on the server, while allowing me to use an OPCode Cache, which is why I went with mod_ruid2.

    A well written application (such as XenForo), shouldn't need mod_security to protect it IMO
     
  14. Tracy Perry

    Tracy Perry Well-Known Member

    Are you using Apache or nginx for your web server? Almost everything I see applies to Apache.
     
  15. Biker

    Biker Well-Known Member

    Apache. And yes, there's a mod_security module for nginx as well.
     
  16. TheBigK

    TheBigK Well-Known Member

    By the way - the rules worked fine with Apache; but when I switch over to LightSpeed, I get mod_sec errors.
     
  17. Tracy Perry

    Tracy Perry Well-Known Member

    Yeah... I'm finding some stuff about it. Only thing I run on my server (that has outside interface) is xenForo (overkill for a forum with as few users as I have right now)... may look at integrating it. Looks like the @backend should point to php5-fpm, which then will handle the php requests.
     
  18. Biker

    Biker Well-Known Member

    It's my understanding there are minor differences in how Lightspeed works with mod_security. Unfortunately, I have absolutely no experience with using Lightspeed and wouldn't even begin to offer advice on how to fix your issue.
     
  19. TheBigK

    TheBigK Well-Known Member

    It's a drop replacement for Apache so far. What are the risks of eliminating mod_security entirely? I may ask my web host to completely whitelist the domain from Mod_sec.
     
  20. Slavik

    Slavik XenForo Moderator Staff Member

    My personal opinion is as long as you use a good IP Tables ruleset, keep your server and software up-to-date and don't use applications with terrible coding standards, you'll be fine.
     
    MattW likes this.

Share This Page