New "Extra Web Security" option

Mark · 2004-12-13 10:07:38 UTC

I noticed the new “Extra Web Security” option when creating a new domain. (According to the knowledge base entry on the subject, this checking this box turns on something called mod_security.)

From what I can tell, mod_security can be used to block everything from cross-site scripting and SQL injection attacks to server bug exploits. But since it’s up to the server admin to decide what filters to use, I’m wondering what it’s configured to do here. This information would help me figure out two things:

will my own scripts work with extra security enabled?
even if I don’t enable the option now, what programming techniques I should avoid if I want to ensure that future scripts will be compatible with mod_security?

Since I haven’t seen this feature announced anywhere, maybe it’s not “official” yet.

dallas · 2004-12-13 22:16:38 UTC

We will be announcing this today, actually! At this time, mod_security is configured to do some basic checks on the bounds of data being passed in as well as some specific checks for a couple of common PHPbb exploits we have seen a lot of. We will be changing the rules periodically to help keep out the most common web attacks we see being launched against our users. From what we have seen so far, the vast majority of web scripts work fine with it enabled. You may want to set up a separate test subdomain with Extra Web Security enabled to see if your applications will break before enabling it on your live website.

Dallas
DreamHost Honcho

TorbenGB · 2004-12-14 09:17:13 UTC

It would be really useful if you could make a known bad list, so that users who run Solution XYZ will know that they shouldn’t even try to enable this. I’m sure the customer base will help you compile this list. The list should be linked from the panel right next to the checkbox:

[ ] Extra Web Security? (recommended) Which scripts won’t work with this?

TorbenGB
Try out DreamHost with a free WebID – Prices, options

dallas · 2004-12-14 18:31:58 UTC

We are working on this list, yep. Such a list does not exist to my knowledge so we have to figure it out from our users. The main thing that broke for the most people is a PHP-based BitTorrent tracker.

Dallas
DreamHost Honcho

artgeek · 2004-12-15 16:26:47 UTC

How about PHPnuke, Gallery or Coppermine? These are heavily used scripts with known vunerabilities. Has enabling mod_security been tested with them yet? Any problems? If not… Thank You Dreamhost for helping us nukers sleep better at night.

dallas · 2004-12-15 18:38:53 UTC

We have not yet gathered any specific information about those applications. At this point we have only gathered some information on what doesn’t work as that’s all we find out about. If you (or anyone) sets up these applications with Extra Web Security enabled and it is known to work, let us know and we’ll get a list together. Thanks for the interest!

Dallas
DreamHost Honcho

artgeek · 2004-12-16 01:36:38 UTC

I’ll do some testing during the Holiday break and get back to you. thx.

macmanx · 2004-12-16 06:18:20 UTC

So far, no problems with WordPress or general FTP uploads and downloads (using Binary and ASCII).

MacManX.com

TorbenGB · 2004-12-20 12:27:33 UTC

The CMS tool TWiki also works fine with the new security options turned on.

TWiki: http://twiki.org

TorbenGB
Try out DreamHost with a free WebID – Prices, options

haggis · 2004-12-20 22:37:00 UTC

I’m somewhat timid about breaking a working site. If I set up a subdomain to ‘mirror’ the live domain and set the extra security on the mirror, will that actually test anything useful?

macmanx · 2004-12-21 00:18:07 UTC

I’m sure that you can always disable it if it “breaks” your site. But don’t quote me on that.

MacManX.com

TorbenGB · 2004-12-21 09:02:17 UTC

Depending on your number and demography of visitors of course, but you could just enable the security for a few hours and check things out, then if you’re not happy simply disable the extra security again. Most users won’t ever notice any difference.

TorbenGB
Try out DreamHost with a free WebID – Prices, options

Mark · 2004-12-22 02:26:19 UTC

I haven’t noticed any problems with Coppermine, although I’ve only done a couple of test uploads.

artgeek · 2005-01-10 17:16:34 UTC

PHPnuke and Gallery seem to be working fine with mod_security enabled.

schweb · 2005-01-10 18:23:05 UTC

ExpressionEngine also works fine with it on.

bryan | website

dallas · 2005-01-11 19:14:40 UTC

You can’t enable the web security on a mirrored domain since the mirrored domain shares its configuration with the main domain. It doesn’t have its own settings.

Dallas
DreamHost Honcho

Mag · 2005-01-12 02:14:09 UTC

If you’re using any of the SolidClient “goodies”, enabling mod_security will “break” your site–I don’ think mod_security likes scripts that access other domains.

I took out all the calls to the SolidClient stuff and it seemed to work OK; but just to be sure, I disabled mod_security for the time being.