docs: add rfdos warning #166

Merged
merged 3 commits into from
Dec 7, 2024
2 changes: 1 addition & 1 deletion content/_index.md
Expand Up @@ -23,7 +23,7 @@ The project endeavors not to make breaking changes in **minor releases** (i.e.,

New functionality and breaking changes are made in **major releases** (i.e., 3.3).

For information about what has changed in recent versions of the software, refer to the project's [CHANGES](https://github.com/coreruleset/coreruleset/blob/v4.0/dev/CHANGES.md) file on GitHub.
For information about what has changed in recent versions of the software, refer to the project's [CHANGES](https://github.com/coreruleset/coreruleset/blob/main/CHANGES.md) file on GitHub.

## Documentation Source

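Review bot: the CHANGES link change in content/_index.md is unrelated to the RFDoS warning named in the PR title; mention it in the commit message or land it as its own commit so the history stays searchable. The fix itself is the right one: `blob/v4.0/dev/CHANGES.md` pins the sentence to the development branch of a single release line, which goes stale once that line is superseded, while `blob/main/CHANGES.md` keeps tracking the current file, matching the sentence's promise of "recent versions".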
14 changes: 14 additions & 0 deletions content/deployment/install.md
Expand Up @@ -94,6 +94,20 @@ Other aspects of ModSecurity, particularly engine-specific parameters, are contr

In many scenarios, the default example CRS configuration will be a good enough starting point. It is, however, a good idea to take the time to look through the example configuration file *before* deploying it to make sure it's right for a given environment.

{{% notice warning %}}
In particular, _Response_ rules are enabled by default. You must be aware that you might DoS yourself depending on the text your
application is sending back to the client. See [this blog
post](https://blog.sicuranext.com/response-filter-denial-of-service-a-new-way-to-shutdown-a-website/)
about the problems you might have.
There is an [experimental scanner](https://github.com/edoardottt/RFDos-Scanner) that uses [nuclei](https://github.com/projectdiscovery/nuclei?tab=readme-ov-file#install-nuclei) to find out if you could be affected. So if
you are unsure, first test your application before enabling or you will be definitely blocked.
Response rules can be easily disabled by uncommenting the rule with id 900500 in crs-setup file,
since CRS version 4.10.0.

**The CRS team thinks that the prevalence of the RFDoS attack mentioned here at this particular moment
(end of 2024) is less that the possible impact you might have by a webshell being embedded in your environment.**
{{% /notice %}}

Once any settings have been changed within the example configuration file, as needed, it should be renamed to remove the .example portion, like so:

```bash
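Review bot: the added notice in content/deployment/install.md has several wording problems that should be fixed before merge. "less that the possible impact" should read "less than the possible impact". "first test your application before enabling or you will be definitely blocked" should name what is being enabled and drop "definitely", for example "test your application before enabling response rules, otherwise legitimate responses may be blocked". "crs-setup file" should use the same name the rest of the page uses for the example configuration file. Expand RFDoS on first use (the linked post calls it Response Filter Denial of Service) so readers do not read it as a generic DoS. Finally, "Response rules can be easily disabled by uncommenting the rule with id 900500 in crs-setup file, since CRS version 4.10.0" leaves readers on releases before 4.10.0 without guidance; state plainly that the toggle exists only from 4.10.0 and what earlier releases should do, or drop the version clause if it does not apply.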