Is anyone using the OWASP ModSecurity Core Rule Set with their XenForo installs?

Discussion in 'Server Configuration and Hosting' started by iaresee, Nov 7, 2015.

  1. iaresee

    iaresee Member

    Related to my other post, I've already bumped the PCRE limits on my setup but I'm reluctant to drop ModSecurity settings entirely.

    Is anyone using the OWASP ModSecurity Core Rule Set with their XenForo setup? I could switch to a standard setup like that and possibly have fewer troubles.
  2. iaresee

    iaresee Member

    For the time being I'm rolling without ModSecurity and some restrictive IPTables rules.
  3. iaresee

    iaresee Member

    Just to follow up on this, I disabled ModSecurity and I have a script combing logs and banning IPs at the network layer using IPTables rules now. Seems to be functioning well enough.
    Marcus likes this.
  4. Moscato

    Moscato Active Member

    Have you considered Cloudflare?
  5. Tracy Perry

    Tracy Perry Well-Known Member

    Unless it's changed - for me the free version ended up slowing the site down and kept getting their "cached" page too frequently. All I use them for now is their DNS.
  6. Moscato

    Moscato Active Member

    They add a small amount of time to my site's time to first byte, but the big advantage is the anti evil built in.

    Tradeoffs are a thing. Your call.
  7. Tracy Perry

    Tracy Perry Well-Known Member

    Slowing down isn't that bad.. but getting your cached page(s) is NOT okay. And that was the issue I kept facing. It ended up not being worth it.
  8. iaresee

    iaresee Member

    Yea, I'm looking to remove ModSecurity from the mix altogether. CloudFlare just curates OWASP rule sets AFAIK.
  9. Moscato

    Moscato Active Member

    Cloudflare does 4 major things

    One, it validates the integrity of a browser, to see if it *should* be allowed to connect to your server

    That means BS poorly crafted scripts will fail

    Two, they keep a log of evil IP addresses to just block before they even get to you

    Three, they offer OWASP protections

    Four, they add additional WAF protection for various types of things not in OWASP
    This breaks down to 3 categories:
    General protections not in OWASP that could break some websites, though if it does, it'd be logged to know exactly what went wrong
    Language specific protections (PHP protections, Flash protections, etc)
    App specific protections (WordPress, Joomla, etc)
