I am running Apache 2.2 on CentOS. I really want to install mod_security to lock things down. But I saw where there were some issues with mod_security and forums. I plan on having a forum live on my site shortly. I found this bit of info:
If you install mod security on the server, some forums will not work properly as this will compare each pattern which is posted against the rule set and will block it if found matching.
Is anyone using mod_security with a forum currently?
I run a small vb forum that is quickly expanding beyond the shared hosting plan we currently have with GoDaddy. So far we have been looking at VPS as a solution that would allow us to grow as we grow.
I hope I'm allowed to ask this, but I am looking for examples of vb forums that have about 100 concurrently logged in members and examples of vb forums with 200 members concurrently logged in and are running on either KnownHost or WiredTree (or an alternative service).
Please provide a link to your forum, the name of the host, and the VPS package you currently have. Finally, please let me know if you are utilizing Litespeed.
I'm hoping this will become a great resource for growing community owners looking to take the next step.
Over the past 4 years I have had 5 different hosting companies. I run a small forum (400 to 1k page vies per day) and is a nuke forum. It usually runs flawlessly on the new host for 7 to 9 months and then the db bogs down and I switch to a new host and install the complete db again to the days postings and it runs gr8 yet again.
Im no expert but Im no newb either. I have worked for 2 hosting companies (Hostgator & Applied Innovations) and I have my Bachelors in IT. I know enough to be dangerous! Is there anyone who can tell me if there is a host that I can put my little forums on that doesnt charge an arm and a leg and is reliable enough to stay with.
I have seen all the reviews all over the place, but from working at hostgator I know they have their level 2 support people logging in to these types of forums as different people and posting great reviews every day, I dont think they have stopped doing that.
Is there any one who has been with their hosting co for years and have a site like mine that can say that they recommend it?
Alot of VB forums have hacking every day In fact All hackers couldn't hack databases or files
They only edit one template in style like header or forumhome So Uploading style again resolve the problem But How can I disallow them to to edit templates
I want to know that my main site smsbucket.com and smsbucket.com/forums are both hosted on same server.
But in future when my forum will grow I will need to switch host because my current hosting provider doesn't provide big disk space so in future can I just host /forums on different server? and keep smsbucket.com on my current server?
I'm an owner and manager of a server running about a year ago, and everything was fine till three months ago.
Many VBulletin forums hacked from one hacer.
i hired a technical to re-setup security of the server upgrading for ( OS , php , apache ) done. and other setting... after that he said every thing is ok now. 3 weeks later , hack back again from another hacker on 3 VBulletin forums put in your concideration all hacked forums are secured enough and using 3.6.8 patch level 2.
what possible reasons assist the hacker to reach config file? is this a gab from the server or VB version?
OS : Fedore 5 .. upgraded from Fedora 4 php Version : 5.2.4 Apache Version : 1.3.39 PERL version 5.8.8
some of my user , have problem by sending activate email , from their forums and sites such as Vbulletin and phpnuke
this issue happen since i checked (Prevent the user "nobody" from sending out mail to remote addresses) box in Tweak setting , for preventing Spammers.
Suexec was enabled in my server , but i dont enable PhpSuexec in apache build .
-----Original Message----- From: Mail Delivery System [mailto:Mailer-Daemon@swh1.sellwebhost.com] Sent: December 29, 2007 6:05 AM To: nobody@swh1.sellwebhost.com Subject: Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
alakeneex@mail.ru SMTP error from remote mail server after RCPT TO:<alakeneex@mail.ru>: host mxs.mail.ru [194.67.23.20]: 550 Access from ip address 72.55.156.210 blocked. Visit http://win.mail.ru/cgi-bin/support_bl?ip=72.55.156.210
------ This is a copy of the message, including all the headers. ------
Return-path: <nobody@swh1.sellwebhost.com> Received: from nobody by swh1.sellwebhost.com with local (Exim 4.68) (envelope-from <nobody@swh1.sellwebhost.com>) id 1J8ZV7-0001oN-QQ for alakeneex@mail.ru; Sat, 29 Dec 2007 06:05:09 -0500 To: alakeneex@mail.ru Subject: Welcome to hidden.com Forums Reply-to: jim@hidden.com From: jim@hidden.com Message-ID: <4448804740c38716c8c65ef3203108b3@hidden.com> MIME-Version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 8bit Date: Sat, 29 Dec 2007 06:05:09 -0500 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: PHP X-MimeOLE: Produced By phpBB2
Welcome to hidden.com Forums
Please keep this email for your records. Your account information is as follows:
Please do not forget your password as it has been encrypted in our database and we cannot retrieve it for you. However, should you forget your password you can request a new one which will be activated in the same way as this account.
This is only one exemple from one forum but many of our users use forums as well and we receive dozens of similar mails.. Is there a way to stop this or to make the mail rebound to the user instead to nobody?
Staminus Communications has been hosting a botnet forum, which distributes bots, worms, trojans, illegal clickers, and tons more, 95% of the site is illegal, and is forbidden by Staminus's provider yet they could care less as long as they get there money, I sent an abuse letter August 17th 2009, they even admitted things were illegal on the site, I pointed out several like the Google Adsense clicker bot which is highly illegal and which is nothing close to the other content hosted and/or linked to.
They are hosting unkn0wn.ws they refuse to remove the site or make them remove the illegal content which is most of the forum, which now forces me to send a letter to there provider and the cybercrime which I am now doing.
Now I guess they do not care about what they host, only if the person pays, so I guess I'm just going to expose it here for everyone to notice, because it's just going to get there data center raided over time by hosting illegal content and not removing it.
Let's see what you guys think, or what the admins have to say when they read this post.
What do you guys think when a provider does nothing about illegal content do you think it's the employee's that are at fault or the customer?
I have spent several hours on this forum over the past few days doing some research and have officially confused myself. I am a volunteer with a nonprofit organization and our online forums (running on vbulletin) are maxing out the database SQL connections several times per day. The host has a max_user_connections limit of 15 but doesn't have an intermediary step from shared hosting to dedicated hosting. Dedicated hosting is cost-prohibitive and the rest of our site has more than enough room to grow on our current hosting plan (including traffic bandwidth, disk space, etc).
We are planning to register a new domain name for the forums and move them off to another hosting provider. I donate the hosting fees to the organization and I don't have much of a budget to work with ($20/mo or so ideally). I am looking for recommendations for a hosting provider that will support a somewhat busy forum (usually only between 30-50 users online at once but anywhere between 1,000 and 2,500 pageviews per day) and also allow a stepped growth plan (instead of from shared straight to dedicated.)
I've seen Hawk Host, Siteground and URLJet mentioned frequently on posts here and over at vBulletin but I don't want to just jump into a new host and face a similar problem in the future.
Email on server working fine, I can send mails from webmaster@xxx.com to any email only forums like VB don't send emails to hotmail & yahoo ! but emails from forums arrive to emails like webmaster@xxx.com
I'll second what is said about Lunarpages. They are an absmal McHost whose priority is to lure in as many customers as possible without bothering about the quality of their service. I challenge anybody to ring their telephone support line and see if somebody picks it up. I have tried to call ten times in the last six months and never been able to get through once, despite hanging on for ages.
Just today my entire website was down because Lunarpages moved it to a new server (without asking me) and screwed up. The website, Azam.biz has over 17,000 references to it in Google and is critical to my business. I sat drowing in sweat for hours. I couldn't get hold of anybody at Lunarpages by telephone or live chat and the one support response I received ws addressing an unrelated issue.
Worse thing of the lot is Lunarpages censors criticism them on their forums more so than any webhost I have ever know. Every time I post a comment about downtime or not being able to get hold of anybody on the telephone, they delete the post saying it is "incorrect". I have never met a company with such a Stalinesque censorship policy.
I have feared posting anything negative about Lunarpages on other forums because I've been worried about them closing down my account. But, after having suffered so much stress because of them today, I don't care any more.
I am going to back up by entire site now, because I'm worried they will close down my account after reading this. They are not the type of company to take on board criticism and use it to improve their offerings; their obsession is to stifle any criticism.
I am now suffering pain in my heart for the first time in my life because of how badly Lunarpages have treated me today. Their arrogance shows no bounds - they are smug, full of hype and don't give a damn about ruining customers' businesses.
I have been using mod_security 1.9.x since it first release on apache 1.3 and apache 2.0.x, rules are great and they work perfect with no issues at all with any php-mysql website. Do you recommend using mod_security 2.0 or 2.5 ? (I do know that 2.5 does not work with apache 1.3).
using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so LoadModule security2_module modules/mod_security2.so Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType (null) text/html text/plain text/xml SecResponseBodyLimit 524288 SecDefaultAction "phase:2,auditlog,log,pass,status:500" SecAuditEngine On SecAuditLogType Serial SecAuditLog logs/modsec_audit.log SecAuditLogParts "ABIFHZ" SecRequestBodyInMemoryLimit 131072 SecDebugLog logs/modsec_debug.log SecDebugLogLevel 3
I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code: Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree ) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest to put the following in my .htacess file for the site:
Code: <IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>
It was noted that "SecFilterScanPOST Off" may or not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my webhost can override my .htaacess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.
I installed modsecurity from Addone module in Cpanel
When I try to apply phpshell woork good without a mistakes and I can do anything despite of the presence of protection modsecurity and disable_functions in php.ini.
Is there a particular settings add to the httpd.conf to prevent application phpshell or prevent upload it to the site?
I tried using mod_security and mod_filter together. However, when I try to filter js files, I noticed that certain pages stop working, especially those using ajax.
I have installed a new server with debian lenny 5, ISPConfig 3.0.1.1 and the newest mod_security and implemented the default rules.
I deactivated the rule detecting IP in pageheaders.
Then I got another problem. Some actions of ISPConfig are detected as "remote file access attempt", severity "critical", tag "web attack/file injection" data "/etc/"
detected by rule file crs_40 line 114, id 950005
question: how do I authorize ISPConfig and only ISPConfig to perform such requests on the server?
Trying to use an RBL with ModSecurity but this matches everything whether listed or not. SecRule REMOTE_ADDR "@rbl bb.barracudacentral.org" "log,deny,msg:'POST RBL Comment Spammer'"
What I would like to do is do an RBL lookup and any POST operations.
