Package: libapache2-modsecurity
Version: 2.6.6-2
Severity: important

Hi,

By default all the rules from /etc/modsecurity/*.conf are activated by this line in mods-available/mod-security.conf:

    Include "/etc/modsecurity/*.conf"

I'm proposing to remove the second paragraph completely because from my experience enabling all these rules for all web sites will cause too much noise in the log (like 99.9%) with entries like this:

| Apache-Error: [file "/build/buildd-apache2_2.2.16-6+squeeze7-amd64-
| Bh2irA/apache2-2.2.16/modules/aaa/mod_authz_host.c"] [line 311]
| [level 3] client denied by server configuration: /var/www/
| Stopwatch: 1341144862689747 432 (- - -)
| Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/);
| core ruleset/2.0.10.
| Server: Apache/2.2.16 (Debian)

Sure, the sysadmin can manually disable that line but it will defeat the reason why these rules were moved to /etc/modsecurity/ as stated in the same file:

# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier

In practice I find that ModSecurity should be enabled only for the public web sites, with common or specific rules for each one.

I'm filing this bug with priority important as it has a major effect on the usability of a package on default configuration.

Cheers

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-3-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-modsecurity depends on:
ii  apache2.2-common   2.2.22-9
ii  libapr1            1.4.6-3
ii  libaprutil1        1.4.1-2
ii  libc6              2.13-34
ii  libcurl3-gnutls    7.26.0-1
ii  liblua5.1-0        5.1.5-2
ii  libpcre3           1:8.30-5
ii  libxml2            2.8.0+dfsg1-4

Versions of packages libapache2-modsecurity recommends:
ii  modsecurity-crs    2.2.5-2

libapache2-modsecurity suggests no packages.
-- no debconf information
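One way to realise the per-site approach the report asks for, as an added example that is not the package's shipped mod-security.conf: the shared ruleset is still included globally (so the "keep local config in /etc/modsecurity" upgrade path is preserved) but the engine stays off there, and only the public-facing vhosts switch it on. The vhost names, document roots and the /etc/modsecurity/sites/ directory are assumptions.

```apache
# Added example, not the Debian package's own configuration.
# Global section: load the shared rules once, but leave the engine off so
# every vhost that does not override this stays silent in the logs.
<IfModule security2_module>
    SecRuleEngine Off
    SecRequestBodyAccess On
    # Audit only transactions a rule flagged as relevant, not every request.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
    # Shared rules for all protected sites; parsed here, enforced only where
    # a vhost turns SecRuleEngine on.
    Include "/etc/modsecurity/*.conf"
</IfModule>

# Public site: enforce the shared rules plus its own site-specific rules.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/public
    <IfModule security2_module>
        SecRuleEngine On
        # Site-specific rules live outside the packaged file, so a package
        # upgrade never overwrites them (assumed directory layout).
        Include "/etc/modsecurity/sites/www.example.org/*.conf"
    </IfModule>
</VirtualHost>

# Internal site: inherits SecRuleEngine Off, so no rule noise from it.
<VirtualHost *:80>
    ServerName intranet.example.org
    DocumentRoot /var/www/intranet
</VirtualHost>

# Staging site: log matches without blocking, to tune rules before go-live.
<VirtualHost *:80>
    ServerName staging.example.org
    DocumentRoot /var/www/staging
    <IfModule security2_module>
        SecRuleEngine DetectionOnly
    </IfModule>
</VirtualHost>
```

Check the result with `apache2ctl -t` before reloading; a per-vhost `SecRuleEngine` only takes effect if the rules it enforces were loaded at server or vhost scope.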