ModSecurity SecResponseBodyLimit & SecResponseBodyLimitAction

[osirion]

Hi Guys,
I have ModSecurity installed with SecResponseBodyLimit at the default 512kb limit and SecResponseBodyLimitAction default 'block' setting.

My question is as follows, in todays media rich web sites, is 512kb still reasonable? I have some customers running Wordpress that are hitting this limit then getting 500 ISE's and/or incorrectly rendered pages.

Was thinking of upping the limit to 1.5mb with a SecResponseBodyLimitAction value of 'ProcessPartial' but I would like to know the full implications (security and resource usage wise since this is a shared hosting environment) before I do so.
Any insight and help with this would be greatly appreciated!

Thanks in advance...

 

[cPWilliamL]

That's a good question, and it's likely to vary widely on which applications your clients use. I found some interesting articles about the average page size, which doesn't fully correlate to response body size but may be a decent gauge:
SpeedCurve | The average web page is 3MB. How much should we care?
The Growth of Web Page Size - KeyCDN Support

The command below can also be used to determine the average response size from your domlogs(this can be I/O intensive, consider nice/ionice on sytems with a large amount of domains):

# find /var/log/apache2/domlogs/ -maxdepth 1 -type f \! \( -name \*-bytes_log -o -name \*-ftp_log.offsetftpbytes \) -size +0 -exec cat '{}' \;|awk '$NF>=10 && $10 ~ /[0-9]/{sum+=$10;n++}END{if (n>0) print sum/n}'

I'm not sure if there is a direct security concern with the setting; rather, it better addresses resource issues, particularly bandwidth or perhaps preventing Apache slots from being held longer than they should by spewing lots of data. Disregarding streaming sites/applications, a web server is typically not for distributing large data; S/FTP is better suited for that.

 

[osirion]

Thanks for that, I did run the command on my servers and it returned 68606.2 and 22135.7 respectively; so I suppose 512kb then is more than sufficient 'on average'.

However, I then tried to see a problem domain thats 'hitting' the above mentioned rule by tweaking the command like so:

find /var/log/apache2/domlogs/ -maxdepth 1 -type f \! \( -name thedomain.co.za-bytes_log -o -name thedomain.co.za-ftp_log.offsetftpbytes \) -size +0 -exec cat '{}' \;|awk '$NF>=10 && $10 ~ /[0-9]/{sum+=$10;n++}END{if (n>0) print sum/n}'

And it only returned "22201.4" which then it should be fine? Am I doing it wrong or misunderstanding the result?

 

[cPanelMichael]

And it only returned "22201.4" which then it should be fine? Am I doing it wrong or misunderstanding the result?

It returns the average response time, but that doesn't mean some requests don't come in higher than average and thus are blocked.

Thank you.

 

[jmginer]

We have also some wordpress websites hitting:

/usr/local/apache/logs/error_log

ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified).

 

[cPanelMichael]

We have also some wordpress websites hitting:

/usr/local/apache/logs/error_log

ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified).

Hi @jmginer,

Are you using the OWASP rule set? If so, you may find the discussion on the following thread helpful:

OWASP mod_security breaking Wordpress page save

It references some exclusion options for WordPress you may want to implement.

Thank you.