Dealing With Mod_Security With LightSpeed Web Server

[TheBigK]

I recently switched over to LightSpeed web server, thanks to help offered by Mike Edge. Everything's working fine, except that users complained about the 500 server error while making posts. Not everyone gets the error, so I tried analysing one of the posts that triggered the error.

I found that if I removed the word 'select' from the post, I could post it without any issues. Apparently, the system thinks that 'select' is a dangerous keyword to be present in the post.

I switched over to Apache web server and tried making the post without any changes - and the post was successful. It looks like Apache understood the content better than LightSpeed.

I've several questions -

1. Should I completely disable mod_security? Is it safe?
2. How do I make sure that mod_security is in place and yet users don't get nasty errors while making posts?
3. What's the best way to deal with such situation? Every time I face such issue, my web hosts folks whitelist the rule and we get going. But that's not a long-term solution.

So, the bottom line is - how do I ensure that my board works error free and accepts right content and rejects bad one?

 

[MattW]

I totally removed mod_security from my server after installing XenForo. It was blocking members via IPTables randomly as I had it integrated into CSF.

 

[TheBigK]

I totally removed mod_security from my server after installing XenForo. It was blocking members via IPTables randomly as I had it integrated into CSF.

That's one of my options; but I'm not very experienced on server security. On my server, the only issue I've faced is that it triggers 500 internal server error when the post has specific keywords. Not sure how to deal with it.

 

[Biker]

I totally removed mod_security from my server after installing XenForo. It was blocking members via IPTables randomly as I had it integrated into CSF.

Why do people use the sledgehammer approach when it comes to mod_security? I'd truly like to know as I personally feel that to rip a security tool off your server because one rule isn't working properly isn't a proper mindset to be in when it comes to protecting your server.

If you have an issue with a rule, fix the rule or disable the rule. But to turn off mod_security because you can't be bothered to fine tune it is plain silly IMO. That includes disabling it in .htaccess because you can't be bothered to find what rule is triggering issues in the forum.

 

[MattW]

Because at the time, I couldn't be bothered trying to fix it, rather than having it IP banning my members. It's been gone for almost 18 months now.

The problem for me at the time was mod_security was using the default rule set provided during the Cpanel set up.

 

[Biker]

I used the default rules for years before finally getting the Atomic Corp rules. Even with the old rule set, it wasn't difficult to find which rule was kicking in.

Seems to me that "can't be bothered to fix it" isn't something I'd want to hear an admin say when my data is on their server. Especially when it deals with what I'd consider a required security layer for the server.

 

[TheBigK]

Just wondering if following rules are 'Okay'?

SecRule REQUEST_URI "/posts/*"
phase:1,nolog,allow,ctl:ruleEngine=Off,id:3000000

SecRule REQUEST_URI "/forums/*"

phase:1,nolog,allow,ctl:ruleEngine=Off,id:3000000

 

[Biker]

Are you using the gotroot rules?

 

[TheBigK]

Are you using the gotroot rules?

My server admin asked if he should add these rules. I've absolutely no clue, sorry.

 

[TPerry]

I totally removed mod_security from my server after installing XenForo. It was blocking members via IPTables randomly as I had it integrated into CSF.

mod_security... what's that... oh, that's right, something I never installed.

 

[MattW]

I used the default rules for years before finally getting the Atomic Corp rules. Even with the old rule set, it wasn't difficult to find which rule was kicking in.

Seems to me that "can't be bothered to fix it" isn't something I'd want to hear an admin say when my data is on their server. Especially when it deals with what I'd consider a required security layer for the server.

I've also not re-enabled it because I run mod_ruid2 on my server, and it's not fully compatible:
http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/ModSecurity#Incompatibility with mod_ruid2

 

[Biker]

Exactly. Which is why I haven't implemented mod_ruid2. Until mod_security works with it, I won't be using it.

 

[MattW]

Exactly. Which is why I haven't implemented mod_ruid2. Until mod_security works with it, I won't be using it.

I need something that can provide account level separation on the server, while allowing me to use an OPCode Cache, which is why I went with mod_ruid2.

A well written application (such as XenForo), shouldn't need mod_security to protect it IMO

 

[TPerry]

Exactly. Which is why I haven't implemented mod_ruid2. Until mod_security works with it, I won't be using it.

Are you using Apache or nginx for your web server? Almost everything I see applies to Apache.

 

[Biker]

Apache. And yes, there's a mod_security module for nginx as well.

 

[TheBigK]

By the way - the rules worked fine with Apache; but when I switch over to LightSpeed, I get mod_sec errors.

 

[TPerry]

Apache. And yes, there's a mod_security module for nginx as well.

Yeah... I'm finding some stuff about it. Only thing I run on my server (that has outside interface) is xenForo (overkill for a forum with as few users as I have right now)... may look at integrating it. Looks like the @backend should point to php5-fpm, which then will handle the php requests.

 

[Biker]

By the way - the rules worked fine with Apache; but when I switch over to LightSpeed, I get mod_sec errors.

It's my understanding there are minor differences in how Lightspeed works with mod_security. Unfortunately, I have absolutely no experience with using Lightspeed and wouldn't even begin to offer advice on how to fix your issue.

 

[TheBigK]

It's a drop replacement for Apache so far. What are the risks of eliminating mod_security entirely? I may ask my web host to completely whitelist the domain from Mod_sec.

 

[Slavik]

It's a drop replacement for Apache so far. What are the risks of eliminating mod_security entirely? I may ask my web host to completely whitelist the domain from Mod_sec.

My personal opinion is as long as you use a good IP Tables ruleset, keep your server and software up-to-date and don't use applications with terrible coding standards, you'll be fine.