What are ModSecurity best practices?
-
Hi @sandeep, I've got something else today. The server is running and working like a charm, but when I install ModSecurity and enable OWASP or COMODO rules, if I try to work in the site everything stops working properly... First 403, then uploading files..., then database migration..., then WordPress...
What I did was to whitelist some of the rules I was finding in the ModSecurity log by their ID, for example:
SecRuleRemoveById 980130
SecRuleRemoveById 949110
SecRuleRemoveById 941100
SecRuleRemoveById 911100
SecRuleRemoveById 920350
SecRuleRemoveById 913100
SecRuleRemoveById 920280
I haven't even started to work fully on the site; all I have been doing is setting it up, and all this trouble......!!
My real question is: how can I better handle ModSecurity, so all my sites don't get all these false positives?? Is there a known false positive list, just to add and let it be?? Can I just whitelist IPs, my IP and the server's IP maybe??
Thanks in advance.
PS (IT'S UNINSTALLED FOR NOW..!!)
-
@jesu-villawolf hello
There is no specific rule list for WordPress. I recommend you use Comodo WAF, which has a lower number of false positives. Probably you'll get 3-4 false positives max (for me; websites are all different) which you need to disable.
-
@jesu-villawolf said in What are ModSecurity best practices?:
Hi @sandeep, I've got something else today. The server is running and working like a charm, but when I install ModSecurity and enable OWASP or COMODO rules, if I try to work in the site everything stops working properly... First 403, then uploading files..., then database migration..., then WordPress...
What I did was to whitelist some of the rules I was finding in the ModSecurity log by their ID, for example:
SecRuleRemoveById 980130
SecRuleRemoveById 949110
SecRuleRemoveById 941100
SecRuleRemoveById 911100
SecRuleRemoveById 920350
SecRuleRemoveById 913100
SecRuleRemoveById 920280
I haven't even started to work fully on the site; all I have been doing is setting it up, and all this trouble......!!
My real question is: how can I better handle ModSecurity, so all my sites don't get all these false positives?? Is there a known false positive list, just to add and let it be?? Can I just whitelist IPs, my IP and the server's IP maybe??
Thanks in advance.
PS (IT'S UNINSTALLED FOR NOW..!!)
We work with the Comodo rules, and what we do is teach customers to disable the rules that affect them. So far we have had no problems and they are managing themselves.
-
Thanks @josepp, that is just what I have been doing: the ModSec learning curve. So far I have enabled COMODO and disabled ModSecurity for the local accounts. My working team is just two people; we have to finish migrating and then tune up ModSec site by site. What I do know is that ModSecurity will be in our lives from now on.
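The question above asks about whitelisting rule IDs and IPs, and the last post mentions tuning ModSec site by site. This added example (not from the thread or from either rule set's authors) shows ModSecurity v2 / Apache syntax for scoping exclusions narrowly instead of removing rules globally; it assumes OWASP CRS 3.x numbering for the IDs quoted in the thread, and the path, argument name and IP address are placeholders to adapt.

```apache
# Added example: scoped ModSecurity exclusions for one WordPress vhost.
# SecRuleRemoveById / SecRuleUpdateTargetById only act on rules that are
# already loaded, so this file must be included AFTER the CRS/Comodo rules.

# 1. Scope a rule removal to the path that actually trips it, rather than
#    removing it for every site on the server.
<Location /wp-admin/>
    SecRuleRemoveById 941100
</Location>

# 2. Better: keep the rule, but stop it inspecting one known-noisy argument
#    (placeholder argument name "content"). Everything else is still checked.
SecRuleUpdateTargetById 941100 "!ARGS:content"

# 3. Runtime exclusion: same effect as (1) but decided per request, so it can
#    key on URI, host or any other variable. id:1000 is a placeholder in the
#    local rule-ID range.
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
    "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=941100"

# 4. IP allowlist, as asked in the thread. This turns the engine off for that
#    address entirely, so every request from it goes uninspected; keep the
#    list to the addresses that truly need it. 203.0.113.10 is a placeholder.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "id:1001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Caveat on the thread's list: in CRS 3.x, 949110 is the inbound anomaly-score
# blocking rule and 980130 the matching report rule. They appear in the log
# whenever ANY other rule scores, so removing them does not fix a false
# positive; it switches off blocking altogether. Remove the rule that scored,
# or narrow its target as in (2), and leave 949110/980130 in place.
```

Use the audit log (or the error log) to read which rule ID and which variable scored before writing an exclusion, so the exclusion can be as narrow as in (2).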