The Community Forums


references for learning to understand Mod Security from square one...

Discussion in 'Security' started by phendyr, Sep 2, 2012.

  1. phendyr

    phendyr Registered

    Hey all,
    First time poster, I appreciate anyone's time to respond and help point me in the right direction. I apologize if I'm asking questions that are already answered, my knowledge in this arena is very limited, so I'm not sure of the terminology to search on just yet.

    I have a small e-commerce business venture that I and 2 partners are working hard to get off the ground. My role has usually been front-end web design, but I am quickly becoming our resident server manager - it's a role I'm quite unfamiliar with... I can usually poke around and figure out what I need to set or modify, but server security is proving to be a difficult learning curve.

    Enter Mod Security - with advice from our host provider (We're currently on a VPS, but planning to upgrade to fully-dedicated soon), we began looking at Mod Security to help keep the intruders at bay.

    Are there any books, documentation, guidelines, etc., that can help me learn & understand, from a complete beginner standpoint, how to manage, modify, test and adjust as necessary the ins and outs of Mod Security? Are there any 'rules' that a person could comfortably use as a starting point, and not risk hosing the site?

    Thanks again in advance, I appreciate your time.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Forums search via Google: site:forums.cpanel.net mod_security

    The results there should get you going in the right direction. Be sure to read those threads and the links in them to ruleset suggestions, best practices etc. If you'd like to learn and understand mod_sec more, there's lots of reading to do I'm afraid. ;)
     
  3. srpurdy

    srpurdy Well-Known Member

    Really, for a beginner I would suggest taking a look at Atomic Secured Linux, as it will do a lot for you without you knowing much, and it's a good place to start. That doesn't mean, though, that you should not increase your knowledge, as it's likely under a custom platform like you have that you'll probably want custom rules, and there are other levels of security you would want besides what's included in ASL. Really, getting used to regex is mainly what you would need to write your own rules.

    There are also other things you need to consider that most security packages won't include: bad configuration settings with default cPanel. For example, the default ciphers for SSL are not so good for being PCI compliant. You could also consider additional layers. Cloudflare is a good option for that. SSL with the default ciphers is vulnerable to the BEAST attack, for example.

    However, you may also consider hiring a security professional to get you started, as like you said, security is a steep learning curve. I've been pouring myself into information for over a year and still have plenty to learn, and software is changing consistently, which means security is as well. Being on top of it is really a full-time job in itself. (well sort of) :)

    If you're concerned about card information, which is definitely something to be paranoid about as you can lose your shirt from something like that: Rule #1, never store anything related to card information EVER. Unless you're hiring a big security firm, which I've heard big companies paying as much as 6 figures yearly for. It's not worth the risk. In fact, personally I'd avoid using any credit card gateway at all. I know it's eCommerce, but there are so many options now that it's really not needed to be successful, imo. In fact, a big majority of buyers won't even enter credit card information these days (including myself). If you use a payment gateway that also supports credit cards, you win people that will use that information, without having to deal with the stress that comes with keeping that information safe. It's just one less thing to worry about. :)

    Make sure your application is protected as well, from XSS and CSRF, to name a few. Properly encrypt sensitive data like passwords with salts, and use secure cookies. Even with a good set of rules, it's always good to make sure the application itself is protected as well. Like, I've seen some people write applications insecurely because they know mod_security can handle MySQL injection prevention. That's completely ridiculous. You need to have SQL injection prevention at the application level as well. If mod_security stops working properly from a bug or something, you may not know until it's too late. You always have to be prepared for anything as much as possible. :)

    Always make backups, preferably off-server.

    That's just my 2 cents worth. :)

    Sorry for the long post lol :D
     
    #3 srpurdy, Sep 5, 2012
    Last edited: Sep 5, 2012
