<div dir="ltr">Hi Nathan (and anyone else interested)<div><br></div><div>Just a quick email regarding installing ModSecurity on the new server, which we spoke about briefly at the meeting yesterday. I am happy to install ModSecurity and help any other server administration, but I am new to the group so I will understand if you don't want to give me access right away</div>
<div><br></div><div>In case you've not come across it before, ModSecurity is an opensource (GPL) web application firewall. Basically, it sits between Apache and any server side scripting/CGI and runs all requests against a list common exploits (negative security) and/or a list of valid requests (positive security) - depending on the ruleset used.</div>
<div><br></div><div>There are two common rules-sets. Breach's (the company behind ModSec) core rules, which is fully opensource and GotRoot's rules which is more proprietary - still plain text but it is released to non-subscribers after 30 days delay. </div>
<div><br></div><div>As I understand it, the core rules are quite generic and offer good protection against a lots of common known and unknown exploits - however it errs on the side of security, so it can some times break parts of a web app. (usually because they are doing something a little unwise). Got Root seem to be built around common applications and is (probably) more actively developed, however this does mean the ruleset is larger and there will probably more of a performance hit. It might be best to start of using both rulesets (I think Got Root is designed to be able to work) and change this if we run into problems (I will check the modsec lists to see if anyone sees a problem with this).</div>
<div><br></div><div>The is also another product from Breach which is worth considering, ModSecurity Console. It is a proprietary app. but it is free for none up to 3 nodes (servers). It basically makes life easier if you want to actively monitor your logs. I haven't tried it, so far I have been happy greping the log files when I have a problem.</div>
<div><br></div><div>I don't pretend to know a lot about ModSec (probably not even 5% of all there is to know), but I am confident that I can set it up and drastically improve the security of the web server. I have been using it for more than two years on our dedicated remote host at work and we haven't had any problem despite running horribly insecure PHP (horde, mambo (now joomla), amongst others).</div>
<div><br></div><div>Regards.</div><div><br></div><div>Jeremy.</div></div>