var sidebar_align = 'right';
var content_container_margin = parseInt('350px');
var sidebar_width = parseInt('330px');
Is mod_security worth it?
I've installed mod_security but had to turn most of the secfilters off because when they are on simple things like forums dont even work without getting 500's.
I'm just wondering, is mod_security really worth having as overhead on apache if most of the secfilters arent on? Does mod_security still filter bad requests even without having secfilter tags for specific things?
We've found that if you have the time and the experience going through log files, that the proper set up of mod_security can be worth while.
OK thank you, but lets say I have these rules enabled:
SecFilterForceByteRange 1 255
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
So my question is, will mod_security only filter what I have in the rules above or does it provide additional security that isnt based on rules (ie, defaults in program).
With the rules I have above, is having mod_security installed worth the overhead on apache?
1. Read the manual at http://www.modsecurity.org/documenta...nual-1.7.4.pdf to find out what mod_security does and does not filter.
2. We find the overhead is not even noticible on the servers we manage (approximately 50).