ModSecurity and MyBB
After many weeks of searching and reading about ModSecurity and OWASP core rule set I have come to several conclusions.  I thought I would share these for other MyBB users who are thinking about using ModSecurity.

1.  The default settings for 'Collaborative Detection Blocking' (anomaly scoring) do not work with MyBB, even when the inbound and outbound thresholds are raised from 5 to 20.  Even logging in the front end causes a block and the back end causes a block so you do not even see a login page.

2.  ModSecurity is not for beginners.  There is no simple 'how to' or even simple explanations.  I have established that the reason for this is you are expected to have a certain amount of knowledge on different types of attack vectors and the coding to prevent these types of attacks.

Although not recommended by OWASP, you can bypass blocks by finding the rule id that is causing the block in your Apache error log and placing the following in your httpd.conf file.  For example, rule id 200005.

<IfModule mod_security2.c>
    SecRuleRemoveById 200005
</IfModule>

Be aware that more than one rule id block may exist.

For me personally, I think it defeats the object of using ModSecurity, especially if you have no idea what you are bypassing.  As a matter of reassurance to me, I have encountered many attacks over the last 6 weeks with ModSecurity in DetectionOnly mode.  All these attacks have failed, which implies MyBB is very secure.  Saying that, my forum is live but not open to registration yet.  I did remove the search field in the help documents, leaving the contact form as the only input field for guests.

I am going to play around with the base rule set (with a lot more reading) to see if I can get a workable anomaly scoring mode.  I would be interested to know if anyone has gone down this path.

If I do get a working base rule set I will upload it for others to use.
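Before removing a rule id it helps to see which rules fire, on which URIs, and which line is the actual anomaly-score block. The script below is an added example (not code from this thread, from ModSecurity or from MyBB) that parses constructed ModSecurity 2.x Apache error-log lines and counts hits per rule id; the log lines, hostname, URIs and client addresses are all constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries in the shape ModSecurity 2.x writes to the Apache error log
# (not copied from a real server; client addresses come from documentation ranges).
SAMPLE_LOG = r'''
[Tue Mar 01 10:01:02.123456 2016] [core:notice] [pid 4000] AH00094: Command line: '/usr/sbin/apache2'
[Tue Mar 01 10:01:05.000001 2016] [:error] [pid 4242] [client 203.0.113.10] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:keywords. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "68"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-xss"] [hostname "forum.example.com"] [uri "/search.php"] [unique_id "constructed-1"]
[Tue Mar 01 10:01:05.000002 2016] [:error] [pid 4242] [client 203.0.113.10] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/modsecurity/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "forum.example.com"] [uri "/search.php"] [unique_id "constructed-1"]
[Tue Mar 01 10:01:05.000003 2016] [:error] [pid 4242] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "anomaly-evaluation"] [hostname "forum.example.com"] [uri "/search.php"] [unique_id "constructed-1"]
[Tue Mar 01 10:07:41.000001 2016] [:error] [pid 4243] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:signature. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "68"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-xss"] [hostname "forum.example.com"] [uri "/usercp.php"] [unique_id "constructed-2"]
'''

# ModSecurity appends its details as [key "value"] pairs; a key such as "tag" can repeat.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)')


def parse_line(line):
    """Return one event dict for a ModSecurity error-log line, or None for other lines."""
    if 'ModSecurity:' not in line:
        return None
    fields = defaultdict(list)
    for key, value in FIELD_RE.findall(line):
        fields[key].append(value)
    first = lambda key: fields[key][0] if fields[key] else ''
    client = CLIENT_RE.search(line)
    return {
        'client': client.group(1) if client else '',
        'blocked': 'Access denied' in line,   # the anomaly-score rule, not the rule that matched
        'id': first('id'), 'msg': first('msg'), 'uri': first('uri'),
        'severity': first('severity'), 'tags': fields['tag'],
    }


def summarize(log_text):
    """Hits per rule id, most frequent first, with the message and the URIs that triggered it."""
    hits, uris, msgs = Counter(), defaultdict(set), {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev['id']:
            hits[ev['id']] += 1
            uris[ev['id']].add(ev['uri'])
            msgs[ev['id']] = ev['msg']
    return [{'id': rid, 'hits': n, 'msg': msgs[rid], 'uris': sorted(uris[rid])}
            for rid, n in hits.most_common()]


if __name__ == '__main__':
    for row in summarize(SAMPLE_LOG):
        print(f"{row['id']}  {row['hits']:>3}  {row['msg']}  {', '.join(row['uris'])}")
```

Run it against your own error log instead of SAMPLE_LOG; the 949110 line only reports the score threshold, so the rule ids worth examining are the 9xxxxx warnings sharing its unique_id.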

Well honestly, there are so many systems in a server that you'd be expected to know what you're doing in order to keep everything as safe and secure as possible. If that isn't you, there are providers that offer managed packages and companies that offer server management packages for unmanaged servers.

These should be willing to manage this for you on request (i.e. someone with experience on how to manage a server properly).
Wondering if anyone has updated recommendations for mod security rules packages.  Due to some severe attacks resulting in a complete bottle-necking of our forum, we're facing similar decisions.
