# mod_security



## gkontos (Sep 14, 2011)

Hi all,

I started using www/mod_security a few weeks ago and I must say that I am impressed by all the cool filtering features available.
Of course filtering all false positives can sometimes be a pain, especially on a busy production site.

Anybody else using it? Tips maybe?

George


----------



## wblock@ (Sep 14, 2011)

mod_security is very good.  I've been using it mostly to filter attempts to connect to vulnerable software which isn't even installed (control panels and such).  At first, I tarpitted those by delaying fifteen seconds and then giving a 404.  Probers were spending up to ten minutes to try a couple of dozen URLs.

That got boring, and now it just adds the probing IP to the firewall.  It doesn't play a loud "Click!" at that point, but I considered it.

Like a lot of good software, mod_security is hampered by a lack of examples in their own documentation.  It will do pretty much everything you could ask once you figure out how.


----------
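The tarpit described in the post above (hold the request for fifteen seconds, then answer 404), written as a ModSecurity 2.x rule. This is an added example, not wblock's configuration: the rule id and the list of probed paths are assumptions chosen for illustration.

```apache
# Added example: tarpit requests for software that is not installed.
# Assumptions: rule id 100001 and the path list below are constructed;
# replace them with an id from your local range and paths you never serve.

# phase:1        evaluate on request headers, before any body is read
# t:lowercase    match the URI case-insensitively
# @pm            fast substring match against the listed phrases
# pause:15000    hold the request for 15000 ms before the disruptive action
# deny,status:404  then answer as if the resource does not exist
SecRule REQUEST_URI "@pm /phpmyadmin /cpanel /webmin" \
    "id:100001,\
    phase:1,\
    t:none,t:lowercase,\
    log,\
    msg:'Probe for software that is not installed',\
    pause:15000,\
    deny,\
    status:404"
```

Each paused request occupies an Apache worker for the full delay, so a burst of probes can tie up the worker pool; keep the matched path list narrow and watch worker usage if you deploy this on a busy site.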



## gkontos (Sep 14, 2011)

wblock said:

> Like a lot of good software, mod_security is hampered by a lack of examples in their own documentation.  It will do pretty much everything you could ask once you figure out how.



I couldn't agree more here. There is also a lot of documentation that is very outdated.
I found that most false positives, in my case, came from the sql_injection rules.
Still, it is a pretty amazing piece of software that can provide a good protection point against badly written applications.


----------

