Performance of mod_security2, mod_unique_id, and modsec2-rules-owasp-crs

GoWilkes

I'm setting up a new VPS, and I'm strongly considering turning off mod_security2 and mod_unique_id. I understand that there's a significant performance hit from them, and I don't use mod_unique_id in any of my written applications. When I turned it off, though, it took mod_security2 with it.

Since I'm using CSF, do I really need mod_security2?

Then today I see that WHM recommends setting up modsec2-rules-owasp-crs... which, of course, requires mod_security2 and mod_unique_id.

So now I'm back to the same question... since I'm using CSF, do I even need this? Is it worth the performance hit?

For me, my main sites make money through Adsense and I've found that the faster the site runs, the more pages per session I get. So if each page load speeds up by 500ms, that could result in a significant bump in revenue for me... but it's not worth it if I'm going to get hit by a ton of scams or viruses.
 

andrew.n

I think mod_security could definitely help, as it can prevent malicious code from being run, while CSF is more about protecting you from attacks and brute forcing, so both have different uses. You can of course install and activate a different ruleset, so it's not a must to use OWASP. If you use strong passwords, make sure your CMSs are up to date, and maybe even utilise Wordfence, then you might be able to get rid of mod security. If I can ensure my scripts/software are up to date and modsec influences my performance, I would happily get rid of it :)
 

cPRex

Jurassic Moderator
Staff member
CSF and ModSecurity definitely perform different functions, so I wouldn't base the decision on both of these being present.

I would try this: make sure your site code is up to date and do a series of tests, both with and without ModSec enabled. This will let you know if you see a performance hit on your machine. I'm not sure it's fair to say overall that *every* server will have a noticeable performance change with or without ModSec running, so it's best to check this in real-time on the actual machine in question. That will give you the best results possible, and then you'll have real data to back up your choice.
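
One way to run the with/without comparison suggested above, as an added example that is not code from any poster in this thread. The function names are hypothetical, and the URL is whatever representative page you pass on the command line; run it from a machine whose network path to the server stays the same between the two passes.

```python
import math
import statistics
import sys
import time
import urllib.request


def measure(url, n=50, timeout=10):
    """Fetch url n times; return per-request wall-clock latencies in ms."""
    samples = []
    for _ in range(n):
        start = time.perf_counter()
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()  # include body transfer, not just time to first byte
        samples.append((time.perf_counter() - start) * 1000.0)
    return samples


def summarize(samples):
    """Median and 95th percentile (nearest rank) of a latency list."""
    ordered = sorted(samples)
    rank = math.ceil(0.95 * len(ordered))  # nearest-rank percentile
    return {"median": statistics.median(ordered), "p95": ordered[rank - 1]}


def overhead(with_modsec, without_modsec):
    """Latency added by the ModSecurity-enabled run, in ms per request."""
    on, off = summarize(with_modsec), summarize(without_modsec)
    return {key: round(on[key] - off[key], 2) for key in on}


if __name__ == "__main__":
    url = sys.argv[1]  # assumption: a typical dynamic page on the server under test
    enabled = measure(url)
    input("Disable ModSecurity, restart Apache, then press Enter...")
    disabled = measure(url)
    print("ModSecurity enabled: ", summarize(enabled))
    print("ModSecurity disabled:", summarize(disabled))
    print("overhead (ms):       ", overhead(enabled, disabled))
```

Compare the median first; the p95 shows whether the rule set only hurts on the slowest requests, which a single average would hide.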