In the Virtualmin Security FAQ (http://www.virtualmin.com/documentation/security/faq) mod_security is mentioned.
Does anyone have a FAQ on “how to install/use/configure mod_security for Virtualmin” that doesn’t break most websites/Wordpress/etc???
Howdy,
We don’t have a tutorial regarding mod_security. However, any of the tutorials you find out on the Internet should apply to a server with Virtualmin as well.
Distros like Ubuntu and Debian provide a mod_security package with a basic set of security rules configured.
If you’re using one of those distros, you could always install the mod_security package and see it things continue to work well afterwards. You may want to install it on a test server first – though if it doesn’t work, it should just be a matter of uninstalling it, or disabling the mod_security Apache module.
Did you have any problems trying to get it working?
-Eric
Oh, I got it installed and working (had to use the 2.2.5 version of the OWASP CRS found at https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/v2.2.5)…
The problem is THE RULES… even just the “base_rules” would cause Wordpress to mess up when installing/running plugins.
The optional_rules and slr_rules messed up even more, and the experimental_rules… nearly break everything.
I guess I’m gonna have to purchase the mod_security rules package from Atomic Turtle, because I can’t find anyone that has a “safe” base_rules set.
Thx