Recommended mod_security Rules to Secure Apache Web Servers

Discussion in 'General Server' started by Gaiacom_LC, Feb 20, 2014.

  1. Gaiacom_LC

    We often have requests to configure the “best rules” for mod_security. Mod_security is a popular Apache plugin that serves as a Web Application Firewall, screening requests coming in to the webserver based on a set of configurable rules.



    Because every website and application has slightly different circumstances, which will require some fine-tuning of the rules, there is no "best" ruleset. However, I want to share the rules below, which are a good basic set to use on a web server to enhance security.



    You should copy the entire text of these rules (or whichever rules you would like to activate) into your *modsec2.user.conf* configuration file, or the configuration file your mod_security installation has set up for user-configurable rules.



    If you do not have mod_security installed, it's very easy to configure with ConfigServer's free ModSecurity plugin for cPanel.



    Try the rules below, for example:



    For the full ruleset, which is difficult to post due to its "explicit" content, and additional rules for securing against SQL injection attacks, check the updated mod_security rules in our knowledgebase.



    Of course, like I mentioned, every application has different web security needs. What do you think about mod_security's effectiveness and ease of use?
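An added example, not the poster's ruleset or ConfigServer's: a small modsec2.user.conf fragment showing the fine-tuning workflow the post mentions, with rules logged first, a false positive excluded, then enforcement. The rule ids, the /admin/export path and the messages are assumptions made for illustration.

```apache
# Constructed example for modsec2.user.conf (ModSecurity 2.x syntax).
# Rule ids are taken from the 1-99,999 range reserved for local rules.

# Step 1: log matches without blocking, so false positives show up
# in the audit log before any visitor is refused.
SecRuleEngine DetectionOnly

# Refuse HTTP methods the site does not use.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST|OPTIONS)$" \
    "id:10001,phase:1,t:none,deny,status:405,log,\
    msg:'HTTP method not allowed by site policy'"

# Step 2 (fine-tuning): a hypothetical export page legitimately serves
# .sql downloads, so rule 10003 is switched off for that path only.
# The exclusion runs in phase 1, before rule 10003 is evaluated in phase 2.
SecRule REQUEST_URI "@beginsWith /admin/export" \
    "id:10002,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=10003"

# Refuse requests for backup, dump and editor swap files and for
# version-control metadata left in the web root.
SecRule REQUEST_FILENAME "@rx (?:\.(?:bak|old|sql|swp)$|/\.git/)" \
    "id:10003,phase:2,t:none,t:lowercase,deny,status:403,log,\
    msg:'Request for backup or VCS file'"

# Step 3: once the log shows only true positives, replace the
# DetectionOnly line above with:
#   SecRuleEngine On
```

Check the syntax with `apachectl configtest` before restarting Apache; a duplicate rule id or a malformed action list makes the server refuse to start.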
  2. Trakomil

    I cannot find these rules, only this page
