This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.

mod_security

3 posts / 0 new

Topic locked

Last post

#1 Wed, 05/27/2015 - 06:07

jimdunn

mod_security

In the Virtualmin Security FAQ (http://www.virtualmin.com/documentation/security/faq) mod_security is mentioned.

Does anyone have a FAQ on "how to install/use/configure mod_security for Virtualmin" that doesn't break most websites/Wordpress/etc???

#2 Wed, 05/27/2015 - 10:01

andreychek

Howdy,

We don't have a tutorial regarding mod_security. However, any of the tutorials you find out on the Internet should apply to a server with Virtualmin as well.

Distros like Ubuntu and Debian provide a mod_security package with a basic set of security rules configured.

If you're using one of those distros, you could always install the mod_security package and see it things continue to work well afterwards. You may want to install it on a test server first -- though if it doesn't work, it should just be a matter of uninstalling it, or disabling the mod_security Apache module.

Did you have any problems trying to get it working?

-Eric

#3 Wed, 05/27/2015 - 17:22

jimdunn

Oh, I got it installed and working (had to use the 2.2.5 version of the OWASP CRS found at https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/v2.2.5)...

The problem is THE RULES... even just the "base_rules" would cause Wordpress to mess up when installing/running plugins.

The optional_rules and slr_rules messed up even more, and the experimental_rules... nearly break everything.

I guess I'm gonna have to purchase the mod_security rules package from Atomic Turtle, because I can't find anyone that has a "safe" base_rules set.

Thx

Topic locked