Questions about enabling mod_security

meeven

Well-Known Member
May 8, 2007
I have a few questions on mod_security that puzzle me, so I thought I would ask for some help here to try and clarify them:

  1. I have mod_security enabled at the server level and have the OWASP ModSecurity Core Rule Set enabled, with all the 22 rules active. Rules engine is set to be processed. However, all the cPanel accounts on the server have mod_security turned off for their domains. Does this offer any real protection? I see lots of warnings in the mod_sec logs in WHM, which seems to suggest the server is being protected, but I am not sure. We have never had an account or server compromise with these settings in the last three years.
  2. Recently, I enabled OWASP ModSecurity Core Rule Set V3.0, in addition to the original Core Rule set. The idea was to protect some of our client sites from Drupalgeddon 2, but I haven't enabled any of the rules, yet, as I am unsure if this will clash with the existing rule set. Does anyone here have both the OWASP Core Rule sets (old and V3.0) working on their server?
  3. The reason I turned off mod_security at the cPanel account level is that it always caused problems with redirects for every domain; the moment it was enabled, any request to a page on the domain would redirect the user to the domain's home page. Is there a proper way to set things up to avoid this? After all, there must be a reason why it's available at the domain level.
Thanks in advance for any insights anyone here can offer.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @meeven,

> I have mod_security enabled at the server level and have the OWASP ModSecurity Core Rule Set enabled, with all the 22 rules active. Rules engine is set to be processed. However, all the cPanel accounts on the server have mod_security turned off for their domains. Does this offer any real protection? I see lots of warnings in the mod_sec logs in WHM, which seems to suggest the server is being protected, but I am not sure. We have never had an account or server compromise with these settings in the last three years.

While it can help protect against generalized Apache traffic not directed to specific domain names, you're not getting the most out of the protection if Mod Security is disabled on your accounts.

> Recently, I enabled OWASP ModSecurity Core Rule Set V3.0, in addition to the original Core Rule set. The idea was to protect some of our client sites from Drupalgeddon 2, but I haven't enabled any of the rules, yet, as I am unsure if this will clash with the existing rule set. Does anyone here have both the OWASP Core Rule sets (old and V3.0) working on their server?

This topic is discussed in more detail on the following thread:

Upgrading mod security to OWASP 3.0

> The reason I turned off mod_security at the cPanel account level is that it always caused problems with redirects for every domain; the moment it was enabled, any request to a page on the domain would redirect the user to the domain's home page. Is there a proper way to set things up to avoid this? After all, there must be a reason why it's available at the domain level.

This topic is discussed in more detail on the following thread:

SOLVED - Stop ModSec redirecting on access denied

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @Zardiw,

I'm sorry to see you're having trouble finding a solution to an issue. I'm happy to help answer any specific questions you have or to help point you in the right direction.

Regarding the use of links, we sometimes provide links to existing forum threads where similar topics are discussed. This is especially helpful with issues that fall outside our scope of support (e.g. custom Mod_Security rules) because it pushes the discussion to a thread that's more likely to receive feedback from other customers using a similar configuration.

Let me know if there's anything I can do to help.

Thanks!