
ModSecurity SecResponseBodyLimit & SecResponseBodyLimitAction

Discussion in 'Security' started by osirion, Feb 9, 2018.

  1. osirion (Well-Known Member; joined Jan 16, 2007)

    Hi guys,
    I have ModSecurity installed with SecResponseBodyLimit at the default 512 KB limit and SecResponseBodyLimitAction at the default 'block' setting.

    My question is as follows: in today's media-rich web sites, is 512 KB still reasonable? I have some customers running WordPress that are hitting this limit and then getting 500 ISEs and/or incorrectly rendered pages.

    I was thinking of upping the limit to 1.5 MB with a SecResponseBodyLimitAction value of 'ProcessPartial', but I would like to know the full implications (security- and resource-usage-wise, since this is a shared hosting environment) before I do so.
    Any insight and help with this would be greatly appreciated!

    Thanks in advance...
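    For reference, the directives the question is about, as an added example (not from the thread, and not cPanel's shipped configuration). In ModSecurity 2.x, SecResponseBodyLimit is given in bytes (the default is 524288, i.e. 512 KB), SecResponseBodyLimitAction accepts Reject or ProcessPartial, and a body is only buffered at all when SecResponseBodyAccess is On and the response Content-Type is in SecResponseBodyMimeType. The 1.5 MB value below is the poster's proposal expressed in bytes; the directive values are shown side by side rather than taken from any real server.

    ```apache
    # Added example: ModSecurity 2.x response-body inspection settings.
    # Values are in bytes; 1.5 MB = 1572864. Not cPanel's own config.

    # Default-equivalent settings: buffer and inspect up to 512 KB of every
    # response whose Content-Type is listed below; a body larger than the
    # limit is rejected, which the client sees as a 500 Internal Server Error.
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction Reject

    # The change under discussion: inspect the first 1.5 MB of a large body
    # and let the remainder through uninspected instead of failing the request.
    # SecResponseBodyLimit 1572864
    # SecResponseBodyLimitAction ProcessPartial
    ```

    Two practical consequences follow from these directives. Images, video and files served with other MIME types are never buffered unless their type is added to SecResponseBodyMimeType, so a WordPress page tripping the limit means the generated HTML (or XML, e.g. a sitemap or feed) itself exceeds 512 KB. With ProcessPartial, any rule that inspects RESPONSE_BODY (outbound data-leakage or error-page checks) sees only the first SecResponseBodyLimit bytes of such a response, and each in-flight matching response can hold up to that many bytes in memory inside the Apache worker, which is the resource cost of raising the limit on a shared host.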
     
  2. cPWilliamL (cP Technical Analyst II, Staff Member; joined May 15, 2017; location: America; cPanel Access Level: Root Administrator)

    That's a good question, and the answer is likely to vary widely with which applications your clients use. I found some interesting articles about the average page size, which doesn't fully correlate to response body size but may be a decent gauge:
    SpeedCurve | The average web page is 3MB. How much should we care?
    The Growth of Web Page Size - KeyCDN Support

    The command below can also be used to determine the average response size from your domlogs (this can be I/O intensive; consider nice/ionice on systems with a large number of domains):
    Code:
    # Average response size (bytes) across all domlogs. Field 10 of the combined
    # log format is the response size (%b); "-" means no body and is skipped.
    # NF >= 10 skips truncated lines (NF is the field count; $NF would be the last field).
    find /var/log/apache2/domlogs/ -maxdepth 1 -type f \
        \! \( -name '*-bytes_log' -o -name '*-ftp_log.offsetftpbytes' \) -size +0 \
        -exec cat '{}' \; \
      | awk 'NF >= 10 && $10 ~ /^[0-9]+$/ { sum += $10; n++ } END { if (n > 0) print sum / n }'
    
    I'm not sure if there is a direct security concern with the setting; rather, it better addresses resource issues, particularly bandwidth or perhaps preventing Apache slots from being held longer than they should by spewing lots of data. Disregarding streaming sites/applications, a web server is typically not for distributing large data; S/FTP is better suited for that.
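    The average hides the tail, and the tail is what trips the limit. As an added example (not from the thread and not a cPanel tool), the shell function below reads Apache combined-format log lines and reports the count, average, maximum and the number of responses above a given SecResponseBodyLimit, so a single domlog can be checked against both the default 524288 and a proposed 1572864. The log lines in `sample_log` are constructed for illustration; the addresses, paths and the domain in the commented path are hypothetical.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): per-request response-size statistics
    # from Apache combined-format log lines, so the tail above SecResponseBodyLimit
    # is visible rather than only the average.
    #
    # Usage:  response_size_stats LIMIT_BYTES < logfile
    # Output: one line "count average max over_limit"
    #   - field 10 of the combined format is the response size in bytes (%b);
    #     "-" (no body, e.g. a 304) is skipped
    #   - NF >= 10 skips truncated lines; a request line with spaces in the path
    #     shifts the fields, a known limitation of field-based parsing
    response_size_stats() {
        awk -v limit="$1" '
            NF >= 10 && $10 ~ /^[0-9]+$/ {
                n++
                sum += $10
                if ($10 > max) max = $10
                if ($10 > limit) over++
            }
            END {
                if (n > 0) printf "%d %.1f %d %d\n", n, sum / n, max, over + 0
                else print "0 0.0 0 0"
            }'
    }

    # Constructed sample log for illustration; hosts, paths and sizes are made up.
    # Sizes are chosen so the average sits above 512 KB only because of two
    # outliers, one of which is still over 1.5 MB.
    sample_log() {
        cat <<'EOF'
    203.0.113.5 - - [09/Feb/2018:10:00:01 +0200] "GET / HTTP/1.1" 200 14822 "-" "Mozilla/5.0"
    203.0.113.5 - - [09/Feb/2018:10:00:02 +0200] "GET /wp-content/themes/x/style.css HTTP/1.1" 304 - "-" "Mozilla/5.0"
    203.0.113.7 - - [09/Feb/2018:10:00:05 +0200] "GET /blog/ HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
    198.51.100.9 - - [09/Feb/2018:10:00:09 +0200] "GET /portfolio/ HTTP/1.1" 200 612345 "-" "Mozilla/5.0"
    198.51.100.9 - - [09/Feb/2018:10:00:12 +0200] "GET /about/ HTTP/1.1" 200 33000 "-" "Mozilla/5.0"
    203.0.113.5 - - [09/Feb/2018:10:00:20 +0200] "GET /gallery/ HTTP/1.1" 200 1900000 "-" "Mozilla/5.0"
    EOF
    }

    # Default limit (524288 = 512 KB) versus the 1.5 MB (1572864) under discussion.
    echo "limit=524288:  $(sample_log | response_size_stats 524288)"
    echo "limit=1572864: $(sample_log | response_size_stats 1572864)"
    # Against a real domlog (hypothetical path using the poster's example domain):
    # response_size_stats 524288 < /var/log/apache2/domlogs/thedomain.co.za
    ```

    On the sample, the 512 KB limit is exceeded by two of five bodied responses and the 1.5 MB limit by one, which is the kind of figure that decides whether raising the limit actually removes the 500s. Two caveats when running this against real domlogs: %b is the number of bytes sent, so with mod_deflate enabled it is the compressed size and understates the uncompressed body that ModSecurity buffers; and the bytes column counts every content type, while ModSecurity only buffers responses whose Content-Type is in SecResponseBodyMimeType, so the interesting rows are the text/html ones.
    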
     
  3. osirion (Well-Known Member; joined Jan 16, 2007)

    Thanks for that. I did run the command on my servers and it returned 68606.2 and 22135.7 respectively, so I suppose 512 KB is more than sufficient 'on average'.

    However, I then tried to see a problem domain that's 'hitting' the above-mentioned rule by tweaking the command like so:
    Code:
    find /var/log/apache2/domlogs/ -maxdepth 1 -type f \
        \! \( -name thedomain.co.za-bytes_log -o -name thedomain.co.za-ftp_log.offsetftpbytes \) -size +0 \
        -exec cat '{}' \; \
      | awk 'NF >= 10 && $10 ~ /^[0-9]+$/ { sum += $10; n++ } END { if (n > 0) print sum / n }'
    And it only returned "22201.4" which then it should be fine? Am I doing it wrong or misunderstanding the result?
     
  4. cPanelMichael (Forums Analyst, Staff Member; joined Apr 11, 2011; cPanel Access Level: Root Administrator)

    It returns the average response time, but that doesn't mean some requests don't come in higher than average and thus are blocked.

    Thank you.
     