I have a few questions on mod_security that puzzle me, so I thought I would ask for some help here to try and clarify them:
- I have mod_security enabled at the server level and have the OWASP ModSecurity Core Rule Set enabled, with all the 22 rules active. Rules engine is set to be processed. However, all the cPanel accounts on the server have mod_security turned off for their domains. Does this offer any real protection? I see lots of warnings in the mod_sec logs in WHM, which seems to suggest the server is being protected, but I am not sure. We have never had an account or server compromise with these settings in the last three years.
- Recently, I enabled OWASP ModSecurity Core Rule Set V3.0, in addition to the original Core Rule Set. The idea was to protect some of our client sites from Drupalgeddon 2, but I haven't enabled any of the rules yet, as I am unsure if this will clash with the existing rule set. Does anyone here have both the OWASP Core Rule Sets (old and V3.0) working on their server?
- The reason I turned off mod_security at the cPanel account level is that it always caused problems with redirects for every domain; the moment it was enabled, any request to a page on the domain would redirect the user to the domain's home page. Is there a proper way to set things up to avoid this? After all, there must be a reason why it's available at the domain level.