

Review of AtomiCorp GotRoot ModSecurity Rules




Posted by ursa-musculus, 11-18-2014, 06:52 AM
I've been using the commercial mod_security WAF rules from AtomiCorp for just under a year. I've been very impressed, and thought that it was time to leave a review. I can recommend them highly to any server administrator wanting to have mod_security as an extra layer to their security. Mod_security is of course only as good as the rules you give it, and that's where AtomiCorp come into their own.

What you get

You pay either $15 a month or $100 a year for just the rules, or you can pay double that for "Atomic Secured Linux", which is a much more comprehensive suite. I haven't used ASL, so I can't comment on it. ASL handles updating everything for you, and you can report issues from within its UI, and so on - so it may be much easier to use than the half-price edition I went for. I didn't want more modifications to the server's configuration than were needed to get the WAF rules.

Your subscription means you can then access the download area for the mod_security rules. The process is a little fiddly. They have a VERSION.txt file that you can look at to see the latest version of the rules. When you see that's changed, you can then download those rules and move them into location. They could have had a "latest" version of the rules, but that makes it much harder for them to offer support when server admins won't know the exact version they're using. That's all a bit of a fiddle, so I wrote a bash script that loads the VERSION.txt file and downloads the rules if they've changed. Since I did that, AtomiCorp have written an automatic rules updating tool, so new users should probably use that instead.

Having downloaded your rules, there's a whole page on their Wiki that tells you how to set them up. You put all their rules in one directory, and then load them into your mod_security configuration in Apache. On a cPanel server, you don't modify modsec2.conf as that gets overwritten, but instead modify modsec2.user.conf. There are other steps to setting everything up, but it is well-documented. They advise you use ASL if you don't want the hassle of this - up to you. All those setup steps only need doing when you first set up the server - after that, it's just a matter of replacing the rules with the latest version and reloading Apache.

Their rules are granular. You get 48 different .conf files, and it's up to you which ones you enable. Anti-spam rules are in one file, URI spamming in another, and so on. Again, their Wiki makes a recommendation of the rules to use for a typical server.

Fast Reaction

One real benefit of their paid rules is that they react fast as new threats emerge. One of my favourite files is 99_asl_jitp.conf, which contains "just in time" patches. As specific threats come out targeting specific threats, new rules appear in here that will block those attacks. Many attacks would already be blocked by generic sql-injection rules and so on, so they only add new rules to block attacks that wouldn't be caught already. Typically, those patches appear within a few hours of in-the-wild exploits appearing. That's fast, and it's all carefully tested by them and seems to generate very few false positives. In terms of updates, you typically get about 1 or 2 updates a day, with weekend updates being rarer. Last week I picked up 6 updates in total.

ClamAV Signatures

They also produce signatures for ClamAV that pick up a lot that the stock "freshclam" ones miss. If you subscribe to the WAF rules, you also get access to the ClamAV signatures. Whether you use those is entirely up to you. These typically update less often, maybe 2 or 3 times a week.

Support

One of the main reasons I'm so keen to recommend them is their excellent support system. (Their SugarCRM-based ticket system is practically unusable, but the people handling the tickets are first rate, so it's worth persevering with learning how to use it. You create a "case" instead of a ticket, then updates come by adding "notes" to your case.) I've got 22 tickets in my account over a year of use. Usually, there is a fresh update in a few hours (they only offer support during their office hours unless you pay for a support contract). There have been one or two that have proved really knotty for them to untangle, and one false positive for ClamAV took them nearly a month - but they got there. Normally, it's very fast provided you supply the information they ask for with your request. (Again, it's in the Wiki. They want the full audit log for a false positive, the malicious file for a false negative, and so on.)

They've picked up numerous things for me:

- Malicious files being received over email, for which there wasn't yet a signature in ClamAV.
- False positives on their WAF rules. (For example, an innocent CMS page update triggering a SQL injection rule.)
- False negatives on their WAF rules. I've only had one of those; I spotted something in my web analytics that didn't look quite right in terms of the browser / OS combination. They weren't being overtly malicious, but they clearly were neither a normal human visitor nor a responsible bot. I reported it, and a new rule was written within hours.
- False positives in ClamAV - something looked like a virus when it clearly wasn't, so they tuned the relevant signature.

They seem to recognise that the only way they'll stay at the top of their game is by responding to the support requests as they come in. They can run all the honeypots and test suites you want, but at the end of the day they need real user feedback too. I'm sure this is why their support is responsive - they need to be.

Overall

9/10. Why 9/10 not 10/10?

- I'd love a better ticket system than Sugar CRM.
- I'd also love a better ordering and billing system too. Recurring billing is only handled via PayPal subscription, and I find the client area counter-intuitive in terms of keeping track of what I've ordered and how to manage / cancel / update my products.

Overall, though: It's good to have well-written and properly tested rules, that are current and react to in-the-wild threats, and that come with proper support that really does work with you.

Link: https://www.atomicorp.com/products/modsecurity.html
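The poster describes checking VERSION.txt, fetching the rules only when it has changed, dropping them into one directory and reloading Apache. The script below is an added example of that workflow written for this page; it is neither the poster's bash script nor AtomiCorp's own updater tool. The download URL, the tarball naming (modsec-<version>.tar.gz), the state and rules directories, and the use of ~/.netrc credentials for curl are placeholders and assumptions, not documented AtomiCorp values. Beyond the version comparison it adds two checks a practitioner would want before touching a production WAF: the archive must list only flat .conf files (so extraction cannot write outside the rules directory), and apachectl configtest must pass before the previous rule set is discarded.

```sh
#!/bin/sh
# Added example: a VERSION.txt-driven rules updater in the spirit of the
# poster's script. Not the poster's code and not AtomiCorp's updater tool.
# Assumptions (placeholders, not real values): the download area serves
# VERSION.txt and a tarball named modsec-<version>.tar.gz, the tarball holds
# flat .conf files, and credentials live in ~/.netrc for curl -n.

RULES_BASE_URL="${RULES_BASE_URL:-https://DOWNLOAD-AREA-PLACEHOLDER/modsec}"
STATE_DIR="${STATE_DIR:-/var/lib/modsec-rules}"          # holds the installed VERSION.txt
RULES_DIR="${RULES_DIR:-/etc/httpd/modsecurity.d/asl}"   # directory your Apache config Includes
APACHECTL="${APACHECTL:-apachectl}"                      # cPanel: /usr/local/apache/bin/apachectl

# Print the first non-blank line of a VERSION.txt with surrounding whitespace
# (including a CR from CRLF line endings) stripped.
read_version() {
    awk 'NF { sub(/^[ \t\r]+/, ""); sub(/[ \t\r]+$/, ""); print; exit }' "$1"
}

# The version string is spliced into a URL and a filesystem path, so accept
# only a conservative character set and nothing that starts with a dot.
version_is_sane() {
    case "$1" in
        "" | *[!0-9A-Za-z._-]* | .*) return 1 ;;
    esac
    return 0
}

# True (exit 0) when the remote VERSION.txt differs from the installed one.
# No installed copy means a fresh install, which counts as "update needed".
# An unreadable or empty remote file returns 2: never act on a version we
# could not read.
rules_need_update() {
    remote="$(read_version "$1")"
    [ -n "$remote" ] || return 2
    [ -f "$2" ] || return 0
    [ "$remote" != "$(read_version "$2")" ]
}

# Refuse an archive unless it lists cleanly and every member is a bare
# *.conf name: a member containing "/" would land outside RULES_DIR when
# extracted, and anything that is not a rule file is not expected here.
# (tar -tf autodetects gzip on GNU and busybox tar.)
tarball_is_sane() {
    listing="$(tar -tf "$1" 2>/dev/null)" || return 1
    [ -n "$listing" ] || return 1
    printf '%s\n' "$listing" | awk '/\// || !/\.conf$/ { bad = 1 } END { exit bad + 0 }'
}

# Full cycle: fetch version, compare, download, verify, swap, configtest, reload.
# Rolls the previous rule set back if Apache rejects the new one.
update_rules() {
    work="$(mktemp -d)" || return 1
    curl -fsS -n -o "$work/VERSION.txt" "$RULES_BASE_URL/VERSION.txt" || { rm -rf "$work"; return 1; }
    if ! rules_need_update "$work/VERSION.txt" "$STATE_DIR/VERSION.txt"; then
        echo "rules already current"; rm -rf "$work"; return 0
    fi
    ver="$(read_version "$work/VERSION.txt")"
    version_is_sane "$ver" || { echo "unexpected version string '$ver'" >&2; rm -rf "$work"; return 1; }
    curl -fsS -n -o "$work/rules.tar.gz" "$RULES_BASE_URL/modsec-$ver.tar.gz" || { rm -rf "$work"; return 1; }
    if ! tarball_is_sane "$work/rules.tar.gz"; then
        echo "archive for $ver failed sanity check; not installing" >&2; rm -rf "$work"; return 1
    fi
    mkdir "$work/stage" && tar -xf "$work/rules.tar.gz" -C "$work/stage" || { rm -rf "$work"; return 1; }

    # Swap the directories, then let Apache judge the new rule set.
    rm -rf "$RULES_DIR.prev"
    [ -d "$RULES_DIR" ] && mv "$RULES_DIR" "$RULES_DIR.prev"
    mv "$work/stage" "$RULES_DIR"
    if ! "$APACHECTL" configtest; then
        echo "configtest failed on $ver; rolling back" >&2
        rm -rf "$RULES_DIR"
        [ -d "$RULES_DIR.prev" ] && mv "$RULES_DIR.prev" "$RULES_DIR"
        rm -rf "$work"; return 1
    fi
    mkdir -p "$STATE_DIR" && cp "$work/VERSION.txt" "$STATE_DIR/VERSION.txt"
    "$APACHECTL" graceful
    echo "installed rules $ver"
    rm -rf "$work"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
case "${1:-}" in
    run) update_rules ;;
esac
```

Run it as `sh update-rules.sh run` from cron; sourced or executed without the argument it only defines the functions, which keeps the version comparison and archive check testable on their own, and the configtest-then-graceful step means a bad download never leaves Apache unable to restart.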

Posted by PCS-Chris, 11-19-2014, 03:01 PM
What is your use case on these? e.g. Have you deployed them on single high traffic servers or your typical shared/reseller server? We've had them on shared servers before with a variety of the usual and custom scripts etc and had too many false positives, though this was 1-2 years ago now. Thanks for the review.

Posted by ursa-musculus, 11-19-2014, 03:04 PM
It's on a shared environment. I've had only 2 or 3 false positives. Coupled with the Config Server mod_security WHM plugin, it's easy for support staff to disable rules on a per-account basis. The fact that AtomiCorp are so responsive on false positives means that any we do get are corrected very quickly. By comparison, the number of firewall blocks from genuinely malicious traffic is enormous. Some real nasty stuff gets blocked, as well as just plain-nuisance bad bots.

Posted by brianoz, 11-20-2014, 02:15 AM
Thanks for the comprehensive and detailed review; they're actually a kind of secret sauce if you want to reduce hacking for your user sites!
