ModSecurity SecResponseBodyLimit & SecResponseBodyLimitAction

Discussion in 'Security' started by osirion, Feb 9, 2018.

  1. osirion

    osirion Well-Known Member

    Joined:
    Jan 16, 2007
    Messages:
    47
    Likes Received:
    3
    Trophy Points:
    158
    Hi Guys,
    I have ModSecurity installed with SecResponseBodyLimit at the default 512kb limit and SecResponseBodyLimitAction at the default 'block' setting.

    My question is as follows: in today's media-rich web sites, is 512kb still reasonable? I have some customers running WordPress that are hitting this limit and then getting 500 ISEs and/or incorrectly rendered pages.

    I was thinking of upping the limit to 1.5mb with a SecResponseBodyLimitAction value of 'ProcessPartial', but I would like to know the full implications (security- and resource-usage-wise, since this is a shared hosting environment) before I do so.
    Any insight and help with this would be greatly appreciated!

    Thanks in advance...
     
  2. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    27
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    That's a good question, and it's likely to vary widely on which applications your clients use. I found some interesting articles about the average page size, which doesn't fully correlate to response body size but may be a decent gauge:
    SpeedCurve | The average web page is 3MB. How much should we care?
    The Growth of Web Page Size - KeyCDN Support

    The command below can also be used to determine the average response size from your domlogs (this can be I/O intensive; consider nice/ionice on systems with a large amount of domains):
    Code:
    # find /var/log/apache2/domlogs/ -maxdepth 1 -type f \! \( -name \*-bytes_log -o -name \*-ftp_log.offsetftpbytes \) -size +0 -exec cat '{}' \;|awk 'NF>=10 && $10 ~ /[0-9]/{sum+=$10;n++}END{if (n>0) print sum/n}'
    
    I'm not sure if there is a direct security concern with the setting; rather, it better addresses resource issues, particularly bandwidth or perhaps preventing Apache slots from being held longer than they should by spewing lots of data. Disregarding streaming sites/applications, a web server is typically not for distributing large data; S/FTP is better suited for that.
     
  3. osirion

    osirion Well-Known Member

    Joined:
    Jan 16, 2007
    Messages:
    47
    Likes Received:
    3
    Trophy Points:
    158
    Thanks for that. I did run the command on my servers and it returned 68606.2 and 22135.7 respectively, so I suppose 512kb is then more than sufficient 'on average'.

    However, I then tried to look at a problem domain that's 'hitting' the above-mentioned rule by tweaking the command like so:
    Code:
    find /var/log/apache2/domlogs/ -maxdepth 1 -type f \! \( -name thedomain.co.za-bytes_log -o -name thedomain.co.za-ftp_log.offsetftpbytes \) -size +0 -exec cat '{}' \;|awk 'NF>=10 && $10 ~ /[0-9]/{sum+=$10;n++}END{if (n>0) print sum/n}'
    And it only returned "22201.4", so then it should be fine? Am I doing it wrong or misunderstanding the result?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,396
    Likes Received:
    1,605
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    It returns the average response time, but that doesn't mean some requests don't come in higher than average and thus are blocked.

    Thank you.
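
The awk one-liner in post 2 and the reply in post 4 both turn on the same point: an average says nothing about how many individual responses exceed the 512 KB SecResponseBodyLimit. The script below is an added example written for this thread (it is not code from the forum posts or from cPanel); it parses Apache combined-format log lines, computes per-domain average, maximum and the count of responses above the limit, and can optionally skip paths that look like static assets. That filter is a heuristic assumption: the bytes column in a domlog counts every response, including images and archives that ModSecurity never buffers because the default SecResponseBodyMimeType only covers text types, so the raw average overstates what the limit actually sees. The log lines are constructed samples; `thedomain.co.za` and `otherdomain.example` are placeholder names.

```python
"""Per-domain response-size statistics from Apache combined-format access logs.

Added example for the thread above; not from the forum or cPanel. Shows what
an average hides: how many responses exceed ModSecurity's default
SecResponseBodyLimit (512 KB). Log lines are constructed samples.
"""
import re

DEFAULT_LIMIT = 512 * 1024  # SecResponseBodyLimit default, in bytes

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Heuristic (assumption, not a ModSecurity rule): paths with these extensions are
# static assets whose MIME types fall outside the default SecResponseBodyMimeType
# list, so ModSecurity would not buffer them and the limit never applies.
STATIC_EXT = re.compile(
    r'\.(?:jpe?g|png|gif|webp|svg|css|js|woff2?|pdf|zip|mp4)(?:\?.*)?$', re.I
)


def parse_line(line):
    """Return (path, status, bytes) for one combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group('request').split()
    path = req[1] if len(req) >= 2 else ''
    raw = m.group('bytes')
    size = 0 if raw == '-' else int(raw)  # Apache logs "-" for a zero-byte body
    return path, int(m.group('status')), size


def size_stats(lines, limit=DEFAULT_LIMIT, only_dynamic=False):
    """Count, average, maximum and number of responses strictly larger than `limit`.

    only_dynamic=True drops static-asset paths so the numbers reflect the
    HTML/text responses the response-body limit can actually reject.
    """
    sizes = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage or foreign-format lines instead of crashing
        path, _status, size = parsed
        if only_dynamic and STATIC_EXT.search(path):
            continue
        sizes.append(size)
    if not sizes:
        return {'n': 0, 'avg': 0.0, 'max': 0, 'over_limit': 0}
    return {
        'n': len(sizes),
        'avg': sum(sizes) / len(sizes),
        'max': max(sizes),
        'over_limit': sum(1 for s in sizes if s > limit),
    }


def stats_from_file(path, **kwargs):
    """Convenience wrapper: run size_stats over one domlog file (e.g. in /var/log/apache2/domlogs/)."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return size_stats(fh, **kwargs)


# Constructed sample domlogs keyed by domain (placeholder names, not real sites).
SAMPLE_LOGS = {
    'thedomain.co.za': [
        '203.0.113.5 - - [09/Feb/2018:10:00:01 +0200] "GET / HTTP/1.1" 200 614400 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [09/Feb/2018:10:00:02 +0200] "GET /wp-content/uploads/hero.jpg HTTP/1.1" 200 2097152 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [09/Feb/2018:10:00:03 +0200] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
        '203.0.113.6 - - [09/Feb/2018:10:00:04 +0200] "GET /about/ HTTP/1.1" 200 30720 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [09/Feb/2018:10:00:05 +0200] "GET /missing HTTP/1.1" 404 - "-" "curl/7.58"',
        'this line is not an access-log record',
    ],
    'otherdomain.example': [
        '198.51.100.9 - - [09/Feb/2018:11:00:01 +0200] "GET / HTTP/1.1" 200 12288 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [09/Feb/2018:11:00:02 +0200] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '198.51.100.10 - - [09/Feb/2018:11:00:03 +0200] "GET /feed/ HTTP/1.1" 200 524288 "-" "Mozilla/5.0"',
    ],
}


if __name__ == '__main__':
    for domain, lines in SAMPLE_LOGS.items():
        print(domain, 'all:', size_stats(lines), 'dynamic only:', size_stats(lines, only_dynamic=True))
```

In the sample, `thedomain.co.za` averages well above 512 KB only because of one 2 MB image that ModSecurity would never buffer; restricted to dynamic paths the average drops to about 210 KB, yet one HTML response (600 KB) still exceeds the limit, which is exactly the case post 4 describes. A response of exactly 524288 bytes is not counted as over the limit. To run this against real domlogs, call `stats_from_file` on each file under `/var/log/apache2/domlogs/` and look at `over_limit` and `max`, not just `avg`.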
     