• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Is anyone using the OWASP ModSecurity Core Rule Set with their Xenforo installs?

#3
Just to follow up on this, I disabled ModSecurity and I have a script combing logs and banning IPs at the network layer using IPTables rules now. Seems to be functioning well-enough.
 

Moscato

Active member
#6
They add a small amount of time to my site's time to first byte, but the big advantage is the anti evil built in.

Tradeoffs are a thing. Your call.
 

Tracy Perry

Well-known member
#7
Slowing down isn't that bad.. but getting your cached page(s) is NOT okay. And that was the issue I kept facing. It ended up not being worth it.
 
#8
They add a small amount of time to my site's time to first byte, but the big advantage is the anti evil built in.

Tradeoffs are a thing. Your call.
Yea, I'm looking to remove ModSecurity from the mix altogether. CloudFlare just curates OWASP rule sets AFAIK.
 

Moscato

Active member
#9
Cloudflare does 4 major things

One, it validates the integrity of a browser, to see if it *should* be allowed to connect to your server

That means BS poorly crafted scripts will fail

Two, they keep a log of evil IP addresses to just block before they even get to you

Three, they offer owasp protections

Four, they add additional WAF protection for various types of things not in owasp
This breaks down to 3 categories
General protections not in owasp that could break some websites, though it it does, it'd be logged to know exactly what went wrong
Language specific protections (php protections, flash protections, etc)
App specific protections (wordpress, joomla, etc)