2009/9/24 Joachim Schipper <joac...@joachimschipper.nl>:
> On Thu, Sep 24, 2009 at 11:00:35AM +0200, Paul de Weerd wrote:
>> On Thu, Sep 24, 2009 at 10:42:58AM +0200, Joachim Schipper wrote:
>> | On Wed, Sep 23, 2009 at 08:09:53PM -0500, Matthew Young wrote:
>> | > Hello,
>> | >
>> | > The website of gotroot.com states for their apache1 rules: "Retired Rules
>> | > (No longer updated) "
>> | >
>> | > The initial question prevails: Is this the best approach? How secure are
>> | > these "old" rules?
>> |
>> | Adding mod_security shouldn't decrease your security; it only increases
>> | it if you have otherwise-insecure software installed, and you can only
>> | hope that it plugs all holes in that case.
>>
>> Adding pieces of software means more code. More code generally means
>> more bugs. Maybe it's just me, but going by the name, "mod_security"
>> seems like a REALLY bad idea to me.
>
>> (a module that adds security ? why not have security in the first
>> place ?)
>
> There's a reason why I wrote "should".
>
> See
> http://osvdb.org/search?search[vuln_title]=mod_security&search[text_type]=alltext.
>
> But yes, mod_security is usually a bad idea. It can be helpful on a
> shared host where people are allowed to install (and not maintain) their
> own Wordpress installations and such. In that case, it doesn't provide
> security but is likely to reduce the frequency of compromise.
>
> Joachim
Yes, that's the idea: on a shared host it's a lifeguard, but good code and configuration, like chroot and disabled functions in PHP FastCGI mode, are always safer.