If you’re struggling with ModSecurity, you need to read this!

ModSecurityThere’s certainly a real need for ModSecurity given the massive problems everyone in the industry is experiencing with setting rules to prevent malicious activity on their servers. There are literally hundreds of server owners and admins that are struggling to finalize one set of rules that actually works.

Rules that were rushed to market prematurely  

Going back to the beginning of this year, complaints started rolling in by the scores on the cPanel forum and numerous web hosting forums related to OWASP. The meat of those threads centered around rules that were rushed to market without being properly tested in a production environment. The result? Rules that threw up tons of false positive errors on websites AND that caused conflicts in PHP for software programs like WHMCS and WordPress, even to this day.

What generally happens when a server admin receives boatloads of false positives?

When false positives start impacting users in real world scenarios, folks start turning off the rules that are generating those errors. We all know that some of the largest firms in the world have been hacked and we all wondered how that happened. Surely Home Depot, Target and a number of well-known banks employed very competent cyber security staff, but warnings were lost in thousands of false positives. The worst case scenario is when rules are turned off to correct the issues those rules inflict.

Public feedback about OWASP

While fixing the bugs in OWASP is an ongoing effort, and rightfully so, issues remain that continue to haunt server admins and owners. Apparently, their rulesets continue to be the weakest part of the equation. Let’s not forget though that cybersecurity is a huge undertaking. OWASP rules are designed to detect generic attacks, so false positives will always be a reality. Knowing this, how can you know if your rules are still working? There is 3rd party software available like AuditConsole that aggregates audit logs enabling you to see rules being tripped in real time. This allows admins to see false positives as they occur and to see attacks being blocked.

At issue is the temptation to disable rules in some places, rather than globally, but in the end, broken rules are just that – broken rules. If they’re whitelisted in specific locations, they still may be broken in others, resulting in no protection from anything.

A word of caution

Even once ModSecurity rules have matured, no amount of rules will protect you if you don’t keep your scripts up-to-date AND verify that they are still reputable, meaning they’ve kept pace with the latest updates of WordPress itself. This includes all of WordPress’s extensions, themes, plugins and components. Note: Some plugins are buggy from the get go!

Think about this for a moment. Updates are regularly released for new WordPress versions and a number of plugins follow suit (but not all of them). Why? Sure, some of the new releases have to do with increased functionality, but some address security flaws – the kind of stuff that can and often does cause sites to get hacked. During the period of time that those updates are released and when you actually update them, you’re exposed to cyber security threats those patches were designed to address.

Brought to you by ProlimeHost

We’ve been in the web hosting industry for ten years, helping hundreds of clients succeed in what they do best and that’s running their business. We specialize in dedicated servers, with data centers in Los Angeles, Phoenix, Denver and Singapore. The E3 1270 v5 processor is now available at great pricing, giving you the ability to add up to 64GB of DDR4 ECC RAM. Call +1 877 477 9454 or email us at Sales@ProlimeHost.com. We’re here to help.

Steve

Leave a Reply