
04-06-2007, 20:17
|
 |
Member
|
|
Join Date: Apr 2007
Location: Bristol
Posts: 51
|
|
Apache security & phpBB Forum Hosting
After installing RC1 I've had a couple of small problems and, apparently, this is the Apache mod_security setup filtering all attempts to submit HTML tags.
Apparently I should ask my host to remove the filter or reduce the strictness.
Is this something I can request in here?
Thanks
Frazer
|

04-06-2007, 20:19
|
 |
Moderator
|
|
Join Date: May 2007
Location: Newport, Wales
Posts: 855
|
|
Quote:
Originally Posted by Frazer
After installing RC1 I've had a couple of small problems and, apparently, this is the Apache mod_security setup filtering all attempts to submit HTML tags.
Apparently I should ask my host to remove the filter or reduce the strictness.
Is this something I can request in here?
Thanks
Frazer
|
It's good to see you're using phpBB.
eUKHost should be able to resolve this issue for you, although if you have a shared hosting account, they might not. P.S. I suggest you don't use phpBB3 RCs for a live environment.
__________________
Thomas Williams
Founder of TWR Web Design
|

04-06-2007, 20:21
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 4,890
|
|
I doubt eUKhost will do this on a shared account, as Thomas said, as it will compromise server security. So maybe even if you're not on a shared account you shouldn't do this anyway!
__________________
David Smith
DPS Computing
|

04-06-2007, 20:29
|
 |
Moderator
|
|
Join Date: May 2007
Location: Manchester, United Kingdom
Posts: 1,325
|
|
Is there not one server which they can put shared hosting people on if they need certain security things activated? I seem to remember reading about it when there were all the problems with the new security measures.
__________________
Jonathan Crass
Joint Partner in Checker Design
eUKhost Forum Moderator
|

04-06-2007, 20:34
|
 |
Moderator
|
|
Join Date: May 2007
Location: Newport, Wales
Posts: 855
|
|
Not to my knowledge. Anyway, I'm running mod_Security on my Dedicated Server and phpBB RC1 is working fine.
__________________
Thomas Williams
Founder of TWR Web Design
|

04-06-2007, 20:35
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 4,890
|
|
Quote:
Originally Posted by jc8654
Is there not one server which they can put shared hosting people on if they need certain security things activated? I seem to remember reading about it when there were all the problems with the new security measures.
|
Quote:
Originally Posted by Thomas
Not to my knowledge. Anyway, I'm running mod_Security on my Dedicated Server and phpBB RC1 is working fine.
|
jc is right. There is a server reserved for customers with unsecure code on shared plans.
You could ask for a transfer to it if that is the problem.
A brownie point for jc.
__________________
David Smith
DPS Computing
|

04-06-2007, 22:33
|
 |
Moderator
|
|
Join Date: May 2007
Location: Manchester, United Kingdom
Posts: 1,325
|
|
Huzzzzaaaahhh for me! Lol.
__________________
Jonathan Crass
Joint Partner in Checker Design
eUKhost Forum Moderator
|

04-06-2007, 22:41
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,409
|
|
Quote:
Originally Posted by Frazer
After installing RC1 I've had a couple of small problems and, apparently, this is the Apache mod_security setup filtering all attempts to submit HTML tags.
Apparently I should ask my host to remove the filter or reduce the strictness.
Is this something I can request in here?
Thanks
Frazer
|
Disable mod_security from your .htaccess file. I've explained this procedure in other posts as well, so take a look and see if that helps. The other option would be to contact our CTO and give him the necessary information to look into the rules. Open a ticket for him with the subject "Attn : Nick J" and he will see if mod_security is blocking some genuine code.
Your feedback is the best thing that helps us to differentiate between good code and bad code.
__________________
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
|

05-06-2007, 13:31
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 4,890
|
|
Glad to see it is getting all sorted.
Maybe as this is such a common problem it is worth stickying a new topic with the information in about mod_security? Then people might have an automatic solution to their problem? 
__________________
David Smith
DPS Computing
|

05-06-2007, 20:45
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,409
|
|
Quote:
Originally Posted by DPS Computing
Glad to see it is getting all sorted.
Maybe as this is such a common problem it is worth stickying a new topic with the information in about mod_security? Then people might have an automatic solution to their problem? 
|
Nope. The reason we have mod_security on our servers is to keep website hostings secure. If everyone starts disabling mod_security then one day we will again go through a multiple website hostings injection attack. Last time I managed to get their domain removed from the Registry so they are quiet now, but we cannot underestimate them. They will come back someday to test our security settings.
__________________
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
|

05-06-2007, 21:05
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 4,890
|
|
Quote:
Originally Posted by eukhost.com
Nope. The reason we have mod_security on our servers is to keep website hostings secure. If everyone starts disabling mod_security then one day we will again go through a multiple website hostings injection attack. Last time I managed to get their domain removed from the Registry so they are quiet now, but we cannot underestimate them. They will come back someday to test our security settings.
|
I suppose you're right about that.
Are all accounts that disable mod_security moved to the unsecure server to keep the other servers secure then? - or does it just affect their own account or could gaining access to one unsecure account be used to attack another secure account on the same server?
__________________
David Smith
DPS Computing
|

05-06-2007, 21:18
|
 |
Member
|
|
Join Date: Apr 2007
Location: Bristol
Posts: 51
|
|
OK thanks for all the replies. I've done the mod_security change and it's all working, and Nick J has a new ticket with some details.
Presumably every webhost is going to get this trouble with phpBB 3? I guess this is a simplistic analysis but if so why doesn't phpBB make the necessary information available for webhosts to update their security rules?
p.s. Thomas thanks for the warning - I'm just using it to test and compare with another messageboard 
Last edited by Frazer; 05-06-2007 at 21:20.
|

05-06-2007, 21:21
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 4,890
|
|
Quote:
Originally Posted by Frazer
OK thanks for all the replies. I've done the mod_security change and it's all working, and Nick J has a new ticket with some details.
Presumably every webhost is going to get this trouble with phpBB 3? I guess this is a simplistic analysis but if so why doesn't phpBB make the necessary information available for webhosts to update their security rules?
|
eUKhost aren't updating their security rules as doing the mod_security thing you have done makes your website hosting vulnerable - so if they did it server wide it would make everyone's account on every server insecure which would not be good!
I prefer to know my account is secure! Plus phpBB3 is only at RC (release candidate) stage isn't it? - they might iron out their security problems with the first proper release.
__________________
David Smith
DPS Computing
|

05-06-2007, 21:30
|
 |
Member
|
|
Join Date: Apr 2007
Location: Bristol
Posts: 51
|
|
Hi David congrats on topping 1,000 posts!
I get the impression that by looking into the new code they can let phpBB's 'good code' through their mod_security's rules. Or something. Then I can switch back on mod_security in my .htaccess file.
If this interpretation is correct then every webhost has its own mod_security rules, and all of these need to be updated.
Well, there's the theory anyway
|

05-06-2007, 22:18
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 4,890
|
|
Quote:
Originally Posted by Frazer
Hi David congrats on topping 1,000 posts!
I get the impression that by looking into the new code they can let phpBB's 'good code' through their mod_security's rules. Or something. Then I can switch back on mod_security in my .htaccess file.
If this interpretation is correct then every webhost has its own mod_security rules, and all of these need to be updated.
Well, there's the theory anyway
|
Thanks for the congrats! Much appreciated!
Maybe, I'm not sure whether it is possible to modify the security rules in that manner and keep it safe - I will have to leave it to someone from eUKhost to answer that one for you, but hopefully.
__________________
David Smith
DPS Computing
|

06-06-2007, 22:15
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,409
|
|
There are only 3 people with us who have expertise in mod_security, so the best option to have something modified in mod_security is to open a ticket and have one of our senior people look into it. The best option would be to open it with the subject "Attn :: Nick J".
__________________
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
|

07-06-2007, 13:14
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 4,890
|
|
Quote:
Originally Posted by eukhost.com
There are only 3 people with us who have expertise in mod_security, so the best option to have something modified in mod_security is to open a ticket and have one of our senior people look into it. The best option would be to open it with the subject "Attn :: Nick J".
|
Sounds like a plan - so phpBB3 might be able to be integrated after all! 
__________________
David Smith
DPS Computing
|

07-06-2007, 18:21
|
 |
Member
|
|
Join Date: Apr 2007
Location: Bristol
Posts: 51
|
|
Mark, below is the answer I got from Nick.
Re: Attn : Nick J
Hello,
We have checked and found that mod_security is off now for your website hosting. Hope that you are not facing re-direct problem now.
We have enabled mod_security, so that no one can hack the server through php script. If anyone is facing the problem, due to mod_security enabled then he has to make mod_security off.
Kindly revert to us in case of any query or problem, we will be glad to assist you.
Regards,
Jeet N,
Support Department.
|

07-06-2007, 20:00
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,409
|
|
That's not replied by Nick. Let me know the ticket number. I am not sure why Jeet touched it as it was supposed to be handled by Nick only.
__________________
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
|
