On Thu, Sep 24, 2009 at 11:00:35AM +0200, Paul de Weerd wrote:
> On Thu, Sep 24, 2009 at 10:42:58AM +0200, Joachim Schipper wrote:
> | On Wed, Sep 23, 2009 at 08:09:53PM -0500, Matthew Young wrote:
> | > Hello,
> | > 
> | > The website of gotroot.com states for their apache1 rules: "Retired Rules
> | > (No longer updated) "
> | > 
> | > 
> | > The initial question prevails: Is this the best approach? How secure are
> | > these "old" rules?
> | 
> | Adding mod_security shouldn't decrease your security; it only increases
> | it if you have otherwise-insecure software installed, and you can only
> | hope that it plugs all holes in that case.
> 
> Adding pieces of software means more code. More code generally means
> more bugs. Maybe it's just me, but going by the name, "mod_security"
> seems like a REALLY bad idea to me.
> 
> (a module that adds security ? why not have security in the first
> place ?)

There's a reason why I wrote "should".

See
http://osvdb.org/search?search[vuln_title]=mod_security&search[text_type]=alltext.
But yes, mod_security is usually a bad idea. It can be helpful on a
shared host where people are allowed to install (and not maintain) their
own Wordpress installations and such. In that case, it doesn't provide
security but is likely to reduce the frequency of compromise.

                Joachim