2015-05-21, 04:40 PM
After many weeks of searching and reading about ModSecurity and OWASP core rule set I have come to several conclusions. I thought I would share these for other MyBB users who are thinking about using ModSecurity.
1. The default settings for 'Collaborative Detection Blocking' (anomaly scoring) do not work with MyBB, even when the inbound and outbound thresholds are raised from 5 to 20. Even logging in the front end causes a block and the back end causes a block so you do not even see a login page.
2. ModSecurity is not for beginners. There is no simple 'how to' or even simple explanations. I have established that the reason for this is you are expected to have a certain amount of knowledge on different types of attack vectors and the coding to prevent these types of attacks.
Although not recommended by OWASP you can bypass blocks by finding the rule id that is causing the block in your apache error log and placing the following in your httpd.conf file. For example rule id 200005.
For me personally, I think it defeats the object of using ModSecurity, especially if you have no idea what you are bypassing. As a matter of reassurance to me, I have encountered many attacks over the last 6 weeks with ModSecurity in DetectionOnly mode. All these attacks have failed which implies MyBB is very secure. Saying that my forum is live but not open to registration yet. I did remove the search field in the help documents leaving the contact form as the only input field for guests.
I am going to play around with the base rule set (with a lot more reading) to see if I can get a workable anomaly scoring mode. I would be interested to know if anyone has gone down this path.
If I do get a working base rule set I will upload it for others to use.
Talen
1. The default settings for 'Collaborative Detection Blocking' (anomaly scoring) do not work with MyBB, even when the inbound and outbound thresholds are raised from 5 to 20. Even logging in the front end causes a block and the back end causes a block so you do not even see a login page.
2. ModSecurity is not for beginners. There is no simple 'how to' or even simple explanations. I have established that the reason for this is you are expected to have a certain amount of knowledge on different types of attack vectors and the coding to prevent these types of attacks.
Although not recommended by OWASP you can bypass blocks by finding the rule id that is causing the block in your apache error log and placing the following in your httpd.conf file. For example rule id 200005.
<IfModule mod_security2.c>
SecRuleRemoveById 200005
</IfModule>For me personally, I think it defeats the object of using ModSecurity, especially if you have no idea what you are bypassing. As a matter of reassurance to me, I have encountered many attacks over the last 6 weeks with ModSecurity in DetectionOnly mode. All these attacks have failed which implies MyBB is very secure. Saying that my forum is live but not open to registration yet. I did remove the search field in the help documents leaving the contact form as the only input field for guests.
I am going to play around with the base rule set (with a lot more reading) to see if I can get a workable anomaly scoring mode. I would be interested to know if anyone has gone down this path.
If I do get a working base rule set I will upload it for others to use.
Talen