<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> </head> <body text="#000000" bgcolor="#ffffff"> To clarify, I'm not entirely blaming LiquidWeb for these problems. They do provide excellent support, and the site is running smoothly otherwise. My results are probably typical of any site that accepts a lot of user input and is running on a hosting account with a similar ModSecurity ruleset. One of the reasons I'm so frustrated after being on their server less than a week with only a couple of issues reported is that LiquidWeb's configuration with ModSecurity seems to be similar to the configuration used by our first hosting company, Domatic. We had the exact same issues with them. 1. Users would encounter 403 errors due to false positive matches. 2. They would repeat their requests until the firewall blocked them. 3. The hosting company was either unwilling or unable to notify me or provide me a report of the blocked IPs. I had to rely on the individual to contact me. Now it seems like I have to deal with the same problem all over again, and I'm not looking forward to it. I realize that ModSecurity also blocks many real attacks, but the number of false positives seems excessive. Perhaps the dedicated or VPS route would be best. Our site doesn't generate that much traffic, so it always seemed a little overkill to me. Patrick Collora wrote: <blockquote cite="mid:4EB1F126.4050601@msu.edu" type="cite"> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> Hey Everyone, Do any of you have any recommendations regarding reasonably priced Linux/Apache web hosting without too may restrictions? I was previously using <a moz-do-not-send="true" href="http://www.a2hosting.com/">A2 Hosting</a>. They were a good host until recently when they began limiting our CPU usage and number of connections. Routinely our site would simply be inaccessible during peak hours, especially if a search engine was indexing the site. We never exceeded the 50GB transfer limit of the account. Now I'm using <a moz-do-not-send="true" href="http://www.liquidweb.com/">LiquidWeb</a>. Performance is excellent, but immediately we started having trouble with 403 errors and IP addresses being blacklisted. I discovered that the culprit is <a moz-do-not-send="true" href="http://www.modsecurity.org/">ModSecurity</a>. ModSecurity looks for patterns in form input and blocks the HTTP request if it appears malicious. For example, one site member had text like "system (blah blah blah...)" in a photo description. It was blocked because it looked like an attempt to call system(). I found I can't even type the text "/bin/bash" into a form input on their server because it looks like a command. If a user makes several attempts to submit a blocked request, they permanently blacklist the IP unless someone requests to have it removed. They were unwilling to provide me with a report of the IP addresses blocked, so I have no way of knowing how severe the problem is. Anyway, it looks like we may be leaving LiquidWeb soon. I was surprised because I've seen them get good reviews from people, even some on their list, but to have them start blocking legitimate users and requests because some text vaguely matches an attack signature is simply unacceptable. My website is <a moz-do-not-send="true" href="http://www.lighting-gallery.net">http://www.lighting-gallery.net</a> Thanks. <pre class="moz-signature" cols="72">-- Patrick Collora</pre> <pre wrap=""> <fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ linux-user mailing list <a class="moz-txt-link-abbreviated" href="mailto:linux-user@egr.msu.edu">linux-user@egr.msu.edu</a> <a class="moz-txt-link-freetext" href="http://mailman.egr.msu.edu/mailman/listinfo/linux-user">http://mailman.egr.msu.edu/mailman/listinfo/linux-user</a> </pre> </blockquote> <pre class="moz-signature" cols="72">-- Patrick Collora</pre> </body> </html>