modSecurity recommendations

I have no support/technical question and have seen the support category. (Be aware that direct support questions will be deleted.)

This short little post is about modSecurity and a recommendation of configuration.

For 8 years I manually tweaked and tuned my modSecurity, yet I did not even come close to what should be covered in a production-ready instance. The time I spent trying to keep up was tiring.
I have been hesitant on using OWASP CRS (Core Rule Set: coreruleset/coreruleset on GitHub) as the amount of rules in it is wild, and I could not imagine the hassle of trying to mitigate all the possible errors. Stupid me. Because it turns out that OWASP has a Nextcloud exclusion ruleset (coreruleset/nextcloud-rule-exclusions-plugin on GitHub), and even though it is not all apps that are supported in the default rules, the remaining blockers were trivial to mitigate.

I must admit that I was so afraid of it that I consulted with Claude. However, that only acknowledged what I already knew.

I highly recommend implementing this ruleset. If you are unfamiliar with this, then Claude is very precise and accurate.

Disclaimer: I am not a big fan of AI. I do believe security is too important to neglect, so for those not strong in/with modSecurity, please use an AI to get you through it. When Claude Mythos is released, the time of scanning, building an exploit, implementing it and attacking your NC installation will be a matter of seconds. And it will be an AI bot doing all the work. As it will be automatic, it also no longer is a question in regard to being a “juicy” target (worth investing time and resources for humans to crack a target), but a question of luck if not hit by a crawler bot or similar, and then attacked as part of a fully automated process that just tries everything it finds.

If that isn’t exactly a technical question, then I dunno.
Usually, I’d delete that posting (look what you agreed to in the first line of your own posting).
As a big exception I’m moving your posting over to “support”.

In such a case, it would perhaps be easier to contribute the changes to coreruleset/nextcloud-rule-exclusions-plugin on GitHub, so it can be reviewed and everybody can use it out of the box, without everybody interacting again (with or without help of AI).

That is fair. I am not asking for support. I recommend people to implement at least the OWASP crs with the Nextcloud exclusion ruleset.

You’re right, you didn’t ask for help.
Though it’s a technical matter, innit?
I’d, if I was looking for something like that, look at a technical category. But that could be debated.
Do we need to debate that?

You are correct that it is technical. I sought a better category that was still technical yet not support as 1: There was no support request. 2: It is a recommendation and a warning. The Disclaimer states it pretty well:

This warning and recommendation - in my opinion, and yes, that is my own opinion only - is to anyone. Also the non-techies owning a Nextcloud instance. Thus I felt the support category was either too narrow, or not really fitting.

What triggered my response to you is that your comment was rather passive-aggressive, and not only did it read as if you were doing me a courtesy beyond what could be expected, but also that I should have known better, in a way that was almost like lecturing a child.

See you start like this:

It is not a technical question. It is a technical recommendation.

Open Source community-driven projects have momentum with the contributions of the community. I can honestly say that next time I have something similar - which is actually a critical must-have for all unless they are enterprises with a WAF in front where all this is already taken care of - I will hesitate to contribute with it, as this is what I get for trying to contribute.

You could either have PM’ed me and asked me to change it to Support, or moved it to support with a comment: “Moved to support as it is technical by nature”.

I would have learned that Support is not only for support, but for all technical matters in general. I would not be discouraged to contribute in the future.

I think the main problem with your post is not so much that it was allegedly posted in the “wrong” category, but rather that it contains virtually no actual content. That being said, I’d argue that “General” actually fits quite well here, since it’s kept about as general as possible. :wink:

The forum also has a “How-To” category, but to fit there, the post would need to include at least some concrete guidance on how to do the things you claim are absolutely necessary. And no, “just ask an AI product how to protect yourself from another AI product that hasn’t even been released to the general public yet” isn’t really a how-to, but rather an opinion piece at best.

Yes. The thing is that to implement modSecurity rules, a single guide is not enough. I use Apache2, but it would be a different guide for NGINX and different also for Caddy. Thus I could write a guide of how I did it, but that - again - will be highly dependent on my exact system.

So. I wish to recommend people to implement the OWASP core ruleset as a minimum and, to avoid all the trials and errors of tweaking from scratch, import and activate the Nextcloud exclusion rules.
To write a guide that would be remotely useful for anyone other than an almost exact copy of my own setup is basically to refer to OWASP’s own guides. Now we are back to start again.

So to also give the not-so-tech-savvy a chance to get started with this, I referred to asking an AI to help them. As I wrote: I am not, myself, a big fan of AI. Or I am using it every day, but I do not trust it blindly and I only use it to troubleshoot. In fact, I correct the outputs it generates as it rarely sees the correct context. But if you are “green” and you wish to get as-good-as-you-reasonably-can for security, then AI is actually not a bad thing. After all, you can provide it with the context of your own setup, and then it combines the public how-to articles with your specifics, and outputs a guide that is usually a much greater starting point than a generic article.
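The Apache2 wiring the post describes (OWASP CRS plus the Nextcloud exclusion plugin, then tuning the leftovers), as an added example that is not from the original post and not the CRS or plugin projects' own code. The /etc/modsecurity paths, the log path and the vhost path prefix are assumptions about a Debian-style layout; the `*-config.conf` / `*-before.conf` / `*-after.conf` naming is the CRS plugin convention the Nextcloud plugin follows.

```apache
# Added example: mod_security2 + OWASP CRS + Nextcloud rule-exclusion plugin.
# Paths are assumptions for a Debian-style layout; adjust to your system.
<IfModule security2_module>
    # Base engine settings shipped with ModSecurity itself (not CRS).
    Include /etc/modsecurity/modsecurity.conf

    # Tuning phase: DetectionOnly logs what WOULD be blocked without
    # blocking it. Switch to "On" only once the audit log is clean.
    SecRuleEngine DetectionOnly
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # 1. CRS setup: paranoia level, anomaly thresholds, etc.
    Include /etc/modsecurity/crs/crs-setup.conf

    # 2. Plugin config files, then plugin "before" files. The Nextcloud
    #    plugin's exclusions are "before" rules: they must load ahead of
    #    the CRS rules they exclude, or they have no effect.
    Include /etc/modsecurity/crs/plugins/*-config.conf
    Include /etc/modsecurity/crs/plugins/*-before.conf

    # 3. The CRS rules themselves.
    Include /etc/modsecurity/crs/rules/*.conf

    # 4. Plugin "after" files run once the CRS rules have evaluated.
    Include /etc/modsecurity/crs/plugins/*-after.conf

    # 5. Site-specific exclusions for apps the plugin does not cover.
    #    Scope them to the Nextcloud location so they do not loosen the
    #    ruleset for every vhost on the box. The rule ID is a placeholder:
    #    take real IDs from the audit log entries of the false positives.
    <LocationMatch "^/nextcloud/">
        # SecRuleRemoveById 999999
    </LocationMatch>
</IfModule>
```

The "before" include is the step people most often get wrong: if the plugin files are placed after the `rules/*.conf` include, the Nextcloud exclusions are parsed but never disable the rules they target.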

So your post was meant more as a general recommendation or a starting point for discussion? In that case, I’d say “General” would be the correct category, or at least that’s where I would have posted it as well. It might have helped to include a link to the ruleset or exclusion rules, and to explicitly ask what others think about it if your goal was to spark a discussion, just to make your intentions a bit clearer.

I wouldn’t call myself an expert on the topic, but I think ModSecurity and similar WAF-type technologies are all well and good, but also a bit of a double-edged sword. They can certainly help prevent attacks, but without proper tuning they tend to produce a lot of false positives, so they require ongoing monitoring and fine-tuning to be truly effective.

As for the current “Claude Mythos panic” that seems to be spreading all across the internet: I’d say let’s wait and see. AI will absolutely be used for attacks, no question, and it already is. But the idea of some near-future, super-powerful AI tool that can auto-magically compromise any Nextcloud instance (or similar service) within minutes unless you run a WAF like ModSecurity… I’m a bit skeptical about that. But hey, maybe I’m completely underestimating it :wink:

Claude has other models than Mythos. Where did I write that I consulted Claude 4.8 or Mythos? Claude is there and available alright.

In my everyday work I work in the Security domain of tech. We have industry CERTs funded by the industry and thus “private”, and other collaboration fora, internationally, which also include seats from authorities (Interpol, Europol, FBI etc). In those collaboration boards, new threats and recommendations are shared freely. It is also publicly announced that Claude Mythos is held back from public release due to how powerful it was in finding vulnerabilities, that they have decided to give Google, Microsoft, Oracle and Amazon access to it so they could scan their own systems first, and to warn the public in regard to this threat. I felt it was a good courtesy to do the same here.

I will add links to OWASP CRS and the Nextcloud exclusion ruleset. :slight_smile:

That could also be a marketing stunt—at least to some extent. :wink: And if it actually is true and it really is that powerful, I wonder if ModSecurity would still be able to protect you. :wink:

Seriously though, I think home users and SMEs should focus on general security best practices first before considering things like ModSecurity. The vast majority of successful attacks today still happen through social engineering, phishing and identity theft, and a WAF can only protect against these to a limited extent.

If an attacker obtains a valid session token or someone’s password — unfortunately, there are still people who think that things like 2FA or passkeys are unnecessary — then I have my doubts that a WAF would be able to protect those people or businesses effectively.

That is a very valid point. As soon as you expose a service, publicly, sadly you have to consider your risk appetite. Agree that you should always get the basics done, first. But that should not stop you from hardening.

I do see though that even the basics are rarely fully covered. Even in enterprises.