mod_security and vBulletin

Portal Home > Knowledgebase > Articles Database > mod_security and vBulletin

Posted by WilliamP, 11-03-2010, 06:15 PM
It seems a fair amount of vBulletin servers have mod_security disabled because it apparently causes issues with vBulletin's functionality. I know we have had our share of issues with it, not only with vBulletin issues, but with other sites as well. I know there have been some security issues floating around over the years... and it is my understanding that mod_security, while not the end all of defense, it is historically good at preventing malicious database info disclosure/injection type of attacks. I am curious... do you have mod_security turned on for your vBulletin server... and if you do, is there a certain set of rule exceptions that you have in place that prevents mod_security from hindering vBulletin's functionality? Thanks!
Posted by Steven, 11-04-2010, 03:47 AM
Mod_security is enabled on every server we manage, and some of those servers are extremely large vbulletin forums. It all depends on your ruleset and how restrictive and thought out it is. Mod_security should not be your fix all. There are many other layers that should be implemented, such as frequent (or real time) malware checks, suhosin, proper server software updates.
Posted by david510, 11-04-2010, 09:22 AM
You can indeed install modsec on webserver where it serves vbulletin board. What you need to do is to find out the error causing rules from the webserver logs and disable them in the mod_security configuration. Also, we can modify the specific modsec rule to cope up with the existing setup. But it is not that easy. When thinking of tight security this can be considered. It will be always better to null out the specifuc rules rather than disabling the modsec as a whole on the server. Modsec prevents a lot of exploit attempt through web browser.
Posted by HostingFields, 01-11-2011, 05:12 PM
How to make mod_security config for vbulletin website? Thanks
Posted by david510, 01-12-2011, 02:05 AM
We can add a basic ruleset to the modsec initially and then add the rules slowly with less numbers. You will need to constantly monitor the web server logs for specific errors. What we can do it to write a script to check the logs continuously mail you when it encounters a mod_sec error. With this, you can modify the offending rules very fast.
Posted by nonmal, 01-14-2011, 04:28 AM
This answer makes me feel so happy!
Posted by HostingFields, 01-19-2011, 08:54 PM
How much you guys usually charge to setup mod_security on server?
Posted by nonmal, 01-19-2011, 09:19 PM
Usually, people who have been in the server management business, can charge $50-$150 for a small job. Obviously the actual amount of time and the config of the server will also play a role into how much effort it will take. But just a ball park number, from what I know. Hope this helps.
Posted by funkywizard, 01-27-2011, 10:10 AM
definitely appreciate the reply. Are there any certain mod_security settings that you would consider generally appropriate?