Before deploying mod_security we saw a lot of scripts (e.g. phpBB) being exploited through Cross Site Scripting (CSS) vulnerabilities. Hackers can exploit vulnerable scripts through CSS vulnerabilities by using carefully crafted URLs when hitting your scripts. E.g. script.php?post=hack-code-here etc. These exploited scripts can then be used to send Unsolicited Commercial Email (UCE) / SPAM or launch Denial of Service (DOS) attacks from your account. What mod_security does is filter incoming requests to Apache such as this and blocks them if the request contains a line of code which matches that in a rule list that we have defined. This means that when a vulnerability for a script such as phpBB is discovered then we can put in place a blocking rule to try and prevent installations on our servers being exploited.
One of the most common type of scripts we see getting exploited are form-to-email scripts containing the name “mail”. E.g. formmail.pl, formmail.php etc. Therefore, we have configured mod_security to block access to files with the name “formmail” contained in them. For this reason we advise customers to rename any scripts which may contain the string “formmail” to an alternate name so that the script can continue to function. E.g. rename “formmail.php” to “contactus.php”. At the same time as doing this we ask customers to check over their form-to-email script installations to ensure they are fully patched and secure.
While mod_security allows us to cut out most of the problems which arise from scripts being exploited, we are bound to see some problems arise with legitimate scripts. This is very easy for us to fix as we can simply amend the rule list to take account of your script and the system will no longer block the request to Apache. We have yet to see any widespread problems from our deployment of mod_security as we have managed to tune the rule list on our servers pretty well, but if you do see any issues with your scripts arise as a result of mod_security, then please open a support ticket via My Rochen at: https://my.rochen.com and we will be happy to look into the matter for you. You will know that a problem has arisen if a script you have been running for a while suddenly begins to produce 406 or 500 type errors when executing it.
All of the above being said, while mod_security helps us to stop a lot of the attacks we are see against script installations on our servers it is still very important that you keep all of your scripts updated and running the latest available stable releases. This system is not able to stop all forms of attacks. It is very much a two prong strategy the biggest part of which involves customers keeping script installations updated. We can not stress this highly enough.
You can read more about ModSecurity and the huge benefits it can bring to a shared hosting environment at: http://www.modsecurity.org