
User Comments

(for: ModSecurity: Web Server Defences)
1 | Posted by: Matthew Pennell (Guest) | ~ 2 years, 1 month ago |

Of course the problem is that very few hosts have enabled mod_security, particularly on shared boxes.

(my CAPTCHA image was the word “anal” - hope that’s nothing personal, eh Jon?) ;)

2 | Posted by: DarkBlue (Registered User) | ~ 2 years, 1 month ago |

the problem is that very few hosts have enabled mod_security

I always forget this. You’re absolutely correct Matthew, if you’re on a shared box and your ISP hasn’t/won’t install ModSecurity then you’re not going to be able to use it. All I can suggest, if you are in this unfortunate position, is that you petition your ISP - perhaps pointing out the benefits of ModSecurity to their operations.

my CAPTCHA image was the word “anal”

Ah, so my specially programmed trigger worked and you (and only you) were abused by my web-server. Look out for other four-letter words specifically targeted at yourself Matthew! :-)

Sorry my friend. You were subject to the (purely random) luck of the draw there. I’ll edit that Captcha dictionary and remove the offensive word. Thanks for bringing this to my attention.

3 | Posted by: DarkBlue (Registered User) | ~ 2 years, 1 month ago |

Okay. The Captcha dictionary has been revised. Please let me know if any other offensive words appear in the Captcha device.

4 | Posted by: Gabriel Mihalache (Registered User) | ~ 2 years, 1 month ago |

Did anyone do any benchmarks? 10000 POST requests, with or without mod_security? I’ve seen an article using it for spam, in the last 1-2 days… small world.

Why don’t I get a Captcha? Because I’m registered? Anyway, keep “anal”… I have more chances of getting it, as a Captcha, than anywhere else ;-)

5 | Posted by: DarkBlue (Registered User) | ~ 2 years, 1 month ago |

Did anyone do any benchmarks? 10000 POST requests, with or without mod_security?

I haven’t run any benchmarks Gabriel, nor can I find any benchmarks via Google.

However, ModSecurity’s author, Ivan Ristic, has considered the performance issues. The following is quoted from Ristic’s ‘Introducing mod_security’:…

I have never had any performance problems with mod_security. In my performance tests the speed difference was around 10 percent. However, the practical performance penalty is smaller. On real web sites, a single page request may provoke many static requests for images, style sheets, and JavaScript libraries. Mod_security is smart enough not to look at those only if you tell it not to:

SecFilterEngine DynamicOnly

The bottleneck is always in the IO operations. Make sure that the debugging mode is never turned on on a production server, and avoid using the full audit logging mode unless you really need to. In the configuration above, mod_security is configured to only log relevant requests, e.g., those that have triggered a filter.

I would add to that: Many of the websites that are advocating ModSecurity as a defence against the comment/referrer spammer advise you to configure ModSecurity in Apache’s “.htaccess” file. That’s not a good idea. ModSecurity should be configured in “httpd.conf” rather than “.htaccess” - using ModSecurity from “.htaccess” is definitely going to affect performance and simply will not scale, since the “.htaccess” file is parsed and processed at request time, for every single request (“httpd.conf” is processed only once, at server start up).

Why don’t I get a Captchas? Because I’m registered?

Exactly. Registered users never see the Captcha.
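As an added illustration of the performance advice in the comment above (this is not configuration from the original post or from ModSecurity’s own documentation), here is a ModSecurity 1.x fragment for “httpd.conf” that restricts filtering to dynamic content, keeps debug logging off, logs only relevant requests, and disables “.htaccess” processing so no policy is parsed per request. The log path, document root and the spam-domain pattern are placeholders; ModSecurity 2.x uses different directive names.

```apache
# Added example (not from the original post): ModSecurity 1.x settings for
# httpd.conf that follow the performance advice above. Paths are placeholders.
<IfModule mod_security.c>
    # Inspect only dynamically generated responses; requests for static
    # images, style sheets and JavaScript are passed through unfiltered.
    SecFilterEngine DynamicOnly

    # Scan POST bodies so comment-spam payloads are visible to the filters.
    SecFilterScanPOST On

    # Debug logging is expensive I/O: keep it off on a production server.
    SecFilterDebugLevel 0

    # Log only requests that triggered a filter, not every request.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache/modsec_audit.log

    # Default action when a filter matches: deny the request, log it, 403.
    SecFilterDefaultAction "deny,log,status:403"

    # Referrer-spam filter with a placeholder pattern: block requests whose
    # Referer header carries a known spam domain.
    SecFilterSelective HTTP_REFERER "example-spam-domain\.invalid"
</IfModule>

# With .htaccess processing disabled for the document root, the per-request
# parse described above never happens; all policy lives in httpd.conf.
<Directory /var/www/html>
    AllowOverride None
</Directory>
```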

6 | Posted by: Matthew Pennell (Guest) | ~ 2 years, 1 month ago |

keep ‘anal’… I have more chances of getting it, as a Captcha, than anywhere else

And now I have tea all over my keyboard… :D

7 | Posted by: Ofer Shezaf (Guest) | ~ 2 years, 1 month ago |

Mod_security is very problematic in protecting applications. Unlike networks which are (relatively) simple and static, applications are complex and dynamic. A real time application security solution has to provide some sort of a dynamic policy that adapts automatically to the application. Otherwise security configuration will have to be performed constantly during the application life cycle. There are commercial solutions (one of them by my company) that provide such dynamically learned policies.

In other words - for a security expert with application knowledge mod_security is a great solution. For an organization it is impractical.

8 | Posted by: DarkBlue (Registered User) | ~ 2 years, 1 month ago |

There are commercial solutions … that provide such dynamically learned policies.

Sure, and these are great for the lazy sysadmin or one for whom security is not a major concern. But if I were running a major ecommerce website, or a secure repository of some sort, then I would be continually reviewing the security of my servers in order to meet new or evolving threats. I wouldn’t rely on automation to keep the clever, sophisticated and continually adapting hacker out.

In other words - for a security expert with application knowledge mod_security is a great solution. For an organization it is impractical.

I half agree, but it depends on the organisation (see above).

One must also consider the substantial cost of appliances such as those your company offers. The majority of webmasters don’t have the kind of budget required for such appliances - ModSecurity is free!

9 | Posted by: Ofer Shezaf (Guest) | ~ 2 years, 1 month ago |

Just remember that time is money.

Lazy sysadmins that buy automated solutions may actually be efficient sysadmins who save on hiring extra people.

The price of our (and similar products) is a fraction of labor costs.

10 | Posted by: DarkBlue (Registered User) | ~ 2 years, 1 month ago |

You’re absolutely right Ofer. As I wrote above, “it depends on the organisation.” Your appliance certainly has a market.
