The default config for mod_security is not all that helpful. It still requires you to read quite a lot and understand quite a lot. Not likely to encourage wider adoption of this useful security tool.

There is a very good basic example set of rules at:

http://www.gotroot.com/mod_security+rules

...which locks down quite a lot of issues, detects quite a few current security issues in major applications, and seems to work quite well out of the box (well, I didn't need to tweak anything to keep my current www applications running).

Attached is a replacement for the current:

/usr/lib/apache2/conf/modules.d/99_mod_security.conf

file, and also a tiny script to download the latest set of rules from the above URL.

Please consider changing the current default config to use the scripts above, possibly distributing the current scripts as of today + the updater script, so that at least the user has a useful system even if the source website is temporarily unavailable. I haven't attached those configs as of today since one can simply download them directly.

Grateful if someone would consider this and commit the changes (note that I put my files into /etc/modsecurity - is this the best location?)

Thanks

Reproducible: Always

Steps to Reproduce:
Created attachment 60626: update mod_security default config
Created attachment 60627: Download new mod_security rules
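An updater that pulls a ruleset off a website is effectively letting that website write Apache configuration, so it is worth seeing what such a script should check before the new rules go live. The sketch below is an added example for this report, not the script attached to it. It assumes, as placeholders, that RULES_URL points at a raw rule file (the gotroot address above is a landing page, not the file itself, so a .invalid URL is used as a stand-in), that the rules live under /etc/modsecurity as the reporter did and are Include'd from $RULES_FILE, and that "apache2ctl -t" is the config test; FETCH_CMD and CONFIGTEST_CMD are variables so the functions can be exercised against local files.

```shell
#!/bin/sh
# update_modsec_rules.sh: fetch a mod_security ruleset and keep it only if
# Apache still passes its config test with the new rules loaded.
# Added example, not the updater attached to this bug report.
# Assumptions (not from the bug): RULES_URL is a raw rule file (placeholder
# below), the rules are Include'd from $RULES_FILE, and "apache2ctl -t" is
# the config test. FETCH_CMD/CONFIGTEST_CMD are overridable for testing.
set -eu

RULES_URL="${RULES_URL:-http://rules.example.invalid/gotroot_rules.conf}"  # placeholder
RULES_DIR="${RULES_DIR:-/etc/modsecurity}"
RULES_FILE="${RULES_FILE:-$RULES_DIR/gotroot_rules.conf}"
FETCH_CMD="${FETCH_CMD:-curl -fsSL}"
CONFIGTEST_CMD="${CONFIGTEST_CMD:-apache2ctl -t}"

# fetch_rules URL DEST: download URL to DEST; fail on a transport error or an
# empty body (a 0-byte "ruleset" would silently disable every rule).
fetch_rules() {
    url=$1; dest=$2
    $FETCH_CMD "$url" > "$dest" || { echo "fetch failed: $url" >&2; return 1; }
    [ -s "$dest" ] || { echo "empty download: $url" >&2; return 1; }
}

# looks_like_rules FILE: reject HTML error pages and the like; a real ruleset
# contains at least one Sec* directive.
looks_like_rules() {
    grep -q '^[[:space:]]*Sec[A-Za-z]' "$1"
}

# install_rules NEW TARGET: keep a backup of TARGET, rename NEW over it, and
# keep it only if the config test passes; otherwise restore the backup.
# Returns 0 installed, 2 unchanged (NEW left in place), 1 rolled back.
install_rules() {
    new=$1; target=$2
    if [ -f "$target" ] && cmp -s "$new" "$target"; then
        return 2
    fi
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak"
    fi
    mv "$new" "$target"
    if $CONFIGTEST_CMD >/dev/null 2>&1; then
        return 0
    fi
    echo "config test failed with new rules, rolling back" >&2
    if [ -f "$target.bak" ]; then
        mv "$target.bak" "$target"
    else
        rm -f "$target"
    fi
    return 1
}

main() {
    # Download next to the target so the final mv is a rename on one
    # filesystem and Apache never sees a half-written rule file.
    tmp=$(mktemp "$(dirname "$RULES_FILE")/.rules.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    fetch_rules "$RULES_URL" "$tmp" || exit 1
    looks_like_rules "$tmp" || { echo "downloaded file is not a ruleset" >&2; exit 1; }
    rc=0
    install_rules "$tmp" "$RULES_FILE" || rc=$?
    case $rc in
        0) echo "new rules installed in $RULES_FILE; reload apache2 to activate" ;;
        2) echo "rules unchanged" ;;
        *) exit 1 ;;
    esac
}

# Run only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as "sh update_modsec_rules.sh --run" from cron and reload Apache when it reports new rules installed; the previous file is kept as a .bak for a manual revert. Note what the config test does and does not prove: a passing "apache2ctl -t" only means the downloaded rules parse, not that they are the publisher's rules, so if the source offers a checksum or signature for its rule file the script should verify it before calling install_rules, since anything fetched over plain HTTP is otherwise trusted as server configuration.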
Hehe, thanks for this. :) I'm no longer in the Apache herd, so I'm not sure if I can continue maintaining this - Cc'ing apache-bugs@g.o. :)
I believe beu is retired; bringing this back to apache-bugs. chtekk: you recently did a version bump for mod_security, perhaps you want to look into this?
Yup, I'll take a look at this. Best regards, CHTEKK.
While this would certainly be nice, the latest rules appear to depend on mod_security 2, which is not yet in portage (see #151826). It's not clear whether the default ruleset package versioning matches mod_security versions.
Since 2.1.1 mod_security includes the default ruleset; starting with 2.1.2 (in CVS now) this core ruleset also works ;)