Why are modsecurity rules not installed by default?

::Gomez::

Active Member
Oct 13, 2003
31
3
158
Argentina
cPanel Access Level
Root Administrator
Twitter
Hey! How are you guys? I was just wondering if there is any specific reason why ModSecurity rules come uninstalled on all cPanel servers... Did you have any kind of issue after enabling it? Are WordPress/Joomla fully compatible? Is it a must to have it enabled/installed, or is there no big difference in regards to security?


Thanks!
 

::Gomez::

Great! That's what I imagined...

There is the potential for a LOT of issues. Mod_Security requires a lot of care and feeding and customizing to work with your software (WordPress, Drupal, Joomla, etc.) - more than a lot of people want to deal with. But once it's dialed-in, it's worth it.
Also with the ModSecurity rule set provided/modified by cPanel?


Thanks a lot, guys!
 


quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
ModSecurity, as with any firewall (it is a web app firewall, after all), is only as good as its rule set.

OWASP is a very in-depth rule set, and as noted well in this thread, requires some customization. This is a caveat of OWASP more than ModSecurity itself. Some rule sets like Comodo require much less pruning.

At this point in the industry, there are several amazing providers out there that offer managed/cloud WAF with a much more hands-off experience. Of course, I guess like anything, there are trade-offs to open source vs. commercial solutions. However, if you are a shared hosting provider, it's very worth looking at companies like Cloudflare, Sucuri, or SiteLock. They see every hack going on across many customers, and it's much more efficient to offload that work to people who have done the research for you and can clean it reliably.

I personally recommend a combination of both: modsec by default, and 3rd-party layers as an added service option.
 