MyBB Community Forums

Full Version: mod_security
If you are your own host and have control over Apache, I suggest that you install mod_security.

If you are on a shared host, I suggest you ask your host to install mod_security.

mod_security is an Apache module that stops or prevents 99.999% of attacks on a site. The recent MyBB exploit is rendered useless with a properly configured default mod_security installation. This is because it blocks inputs to the web server that contain dangerous or malicious code, bad cookie contents, SQLi, XSS, requests for htpasswd, proc, base64, and thousands of other attack methods.

Very rarely does it block legitimate requests, and if it does, it's fairly easy to whitelist specific cases. Notice that most of the "hacked" threads are smaller sites on shared hosts or VPS? No big sites have been compromised as far as I know, and I am sure most are running mod_security.
I've run modsec, but honestly I hate their syntax and the huge amount of rules required to run it well. I've gotten it running before but basically had to gut the ruleset. If your shared host can deal with it, that's great though.

Also consider Cloudflare's paid service for $20 a month which will include WAF and other security measures.
Yes, it can be complex to set up, but there are some very good rulesets out there already to simply install. I have only had to modify two rules in the 5 years I have been running it.

Plus, it's free. There are plenty of folks here that don't want to spend a dime, so CloudFlare is not an option, and if their host will install mod_sec, then they get some good protection.
Free is relative. If you're using a dedicated, well, that's not exactly cheap. And if you're on shared hosting, they either run modsec2 or they don't. I'm very doubtful they will install it per request because it does require fine tuning and might wreak havoc with a lot of their clients. It's a powerful tool.

So imho if you're already spending $80+ a month for a dedicated (probably more), then the CF $20 a month tag that includes a lot more than just WAF is well worth it. Their DNS and reverse proxy service alone is worth $20 a month. But then add their caching technology and WAF and it's a steal.

But overall, yes, modsec2 should be considered for a dedicated. Like I said, I've used it and at times I will run it, but I just don't think it's as set-it-and-forget-it as something like CF.
By default it blocks a lot of common scripts like some cPanel/WHM pages, phpMyAdmin, webmail, etc.

I suggest installing the GotRoot rules if you want any real protection.
I don't recall what rulesets I am using, but I actually had ConfigServer install it for me and they specialize in cPanel stuff so it worked right away without any issues.
The GotRoot rules are probably best, but I still had issues. Maybe because I run FreeBSD, but I just have issues with this module. The BSD support is weak.

What would be awesome is someone figuring out a perfect MyBB ruleset.

I really wish I had saved my custom rules from my last cPanel server. I used GotRoot's rules and then customized them based on months of monitoring the logs. I'm kicking myself now.
(2011-10-18, 07:06 PM)pavemen Wrote: Yes, it can be complex to set up, but there are some very good rulesets out there already to simply install. I have only had to modify two rules in the 5 years I have been running it.

Plus, it's free. There are plenty of folks here that don't want to spend a dime, so CloudFlare is not an option, and if their host will install mod_sec, then they get some good protection.

"plus its free. there are plenty of folks here that don't want to spend a dime, so CloudFlare "

Just want to clarify that CloudFlare actually offers basic protection for free (the WAF is part of a package that currently costs more).

Note: You can use mod_security with CloudFlare as well. You just need to make sure that mod_security doesn't have any rules blocking or limiting requests from CloudFlare.
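A mod_security tuning fragment of the kind the thread describes (start in detection-only mode, whitelist a false positive narrowly, and keep IP-based rules from hitting CloudFlare's proxies), added here as an example and not taken from any post above. It assumes Apache 2.4 with mod_security 2.x and mod_remoteip loaded; the rule IDs, paths and proxy address ranges are placeholders.

```apache
# Start in DetectionOnly: rules log what they would have blocked without
# blocking, so false positives (cPanel pages, phpMyAdmin, webmail) show up
# in the audit log before anything breaks. Switch to "On" once it is quiet.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# Whitelist a single false positive narrowly: drop only the offending rule,
# and only for the path that trips it, instead of disabling the engine.
# 300001 is a placeholder; take the real ID from the audit log entry.
<LocationMatch "^/phpmyadmin/">
    SecRuleRemoveById 300001
</LocationMatch>

# The same exclusion as a rule, for when it must depend on request data
# rather than a fixed path. Placeholder id 90001 sits in the range
# ModSecurity reserves for local rules, so it will not collide with a
# vendor ruleset.
SecRule REQUEST_URI "@beginsWith /webmail/" \
    "id:90001,phase:1,pass,nolog,ctl:ruleRemoveById=300001"

# Behind CloudFlare every request arrives from CloudFlare's proxies, so any
# IP-based blocking or rate limiting would hit the proxy, not the visitor.
# Restore the real client address from CF-Connecting-IP and trust only the
# proxy ranges (placeholder ranges below; use the ones CloudFlare publishes).
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 192.0.2.0/24
RemoteIPTrustedProxy 198.51.100.0/24
```

Review the audit log for a few days after each change; a whitelist should cover one rule on one path, never a blanket engine-off.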