Is anyone using the OWASP ModSecurity Core Rule Set with their Xenforo installs?

Just to follow up on this, I disabled ModSecurity and I have a script combing logs and banning IPs at the network layer using IPTables rules now. Seems to be functioning well enough.
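A sketch of the log-combing approach mentioned in the post above, as an added example that is not the poster's script. It assumes a "combined"-format access log, a ban threshold of three 4xx responses, and a placeholder allowlist; the sample log lines are constructed. If the site sits behind a CDN such as Cloudflare, the allowlist needs the CDN's edge ranges, otherwise a ban can cut off all proxied visitors.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in "combined" access-log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "x"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "x"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /admin.php HTTP/1.1" 403 162 "-" "x"
203.0.113.9 - - [10/Mar/2024:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "x"
198.51.100.20 - - [10/Mar/2024:10:00:06 +0000] "GET /a HTTP/1.1" 403 162 "-" "x"
198.51.100.20 - - [10/Mar/2024:10:00:07 +0000] "GET /b HTTP/1.1" 403 162 "-" "x"
198.51.100.20 - - [10/Mar/2024:10:00:08 +0000] "GET /c HTTP/1.1" 403 162 "-" "x"
2001:db8::5 - - [10/Mar/2024:10:00:09 +0000] "GET /a HTTP/1.1" 401 162 "-" "x"
2001:db8::5 - - [10/Mar/2024:10:00:10 +0000] "GET /b HTTP/1.1" 401 162 "-" "x"
2001:db8::5 - - [10/Mar/2024:10:00:11 +0000] "GET /c HTTP/1.1" 401 162 "-" "x"
1.2.3.4;reboot - - [10/Mar/2024:10:00:12 +0000] "GET /a HTTP/1.1" 404 162 "-" "x"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')
BAD_STATUS = {"400", "401", "403", "404"}  # assumed definition of a "bad" request

# allowlist is a placeholder: list your own and your CDN's address ranges here.
def offenders(log_text, threshold=3, allowlist=("198.51.100.0/24",)):
    """Return IPs with at least `threshold` bad responses, skipping allowlisted nets."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) not in BAD_STATUS:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # client field is not an IP: never let it reach a command line
        if not any(ip in net for net in nets):
            hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def ban_commands(ips):
    """Build argv lists (no shell string); the caller decides whether to run them."""
    cmds = []
    for ip in ips:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        cmds.append([tool, "-I", "INPUT", "-s", ip, "-j", "DROP"])
    return cmds

if __name__ == "__main__":
    for argv in ban_commands(offenders(SAMPLE_LOG)):
        print(" ".join(argv))
```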
 
They add a small amount of time to my site's time to first byte, but the big advantage is the anti evil built in.

Tradeoffs are a thing. Your call.
 
Slowing down isn't that bad... but getting your cached page(s) is NOT okay. And that was the issue I kept facing. It ended up not being worth it.
 
They add a small amount of time to my site's time to first byte, but the big advantage is the anti evil built in.

Tradeoffs are a thing. Your call.
Yeah, I'm looking to remove ModSecurity from the mix altogether. CloudFlare just curates OWASP rule sets AFAIK.
 
Cloudflare does 4 major things

One, it validates the integrity of a browser, to see if it *should* be allowed to connect to your server

That means BS poorly crafted scripts will fail

Two, they keep a log of evil IP addresses to just block before they even get to you

Three, they offer OWASP protections

Four, they add additional WAF protection for various types of things not in OWASP
This breaks down to 3 categories:
General protections not in OWASP that could break some websites, though if it does, it'd be logged to know exactly what went wrong
Language-specific protections (PHP protections, Flash protections, etc.)
App-specific protections (WordPress, Joomla, etc.)
 