Comment Re:Naive hueristic proxies are dangerous (Score 2) 17

Several components of the application stack used by this system have had known serious security vulnerabilities in the past.

Could you elaborate, please?

The stack I see is Apache/NginX/IIS + ModSecurity + Libinjection + Core Rule Set. What am I missing? Apache has certainly had its share of weaknesses, but with ModSec the track record seems quite clean; as is the case for Libinjection and the CRS.

Comment False Positives mostly gone in CRS3 (Score 4, Informative) 17

[project committer here]

The ModSec Core Rule Set 3.0 (CRS3) comes with a reduction of at least 90% of false positives (more like 99% on my servers). The base setups of Wordpress and Drupal can be run without any FPs.

If you see FPs with a default install of the Core Rules, please report. The idea is to have next to no FPs in the standard deployment mode.

There is a series of tutorials, which explains the installation of ModSec, the inclusion of the Core Rule Set and the handling of False Positives (still important at higher Paranoia Levels).

Submission + - OWASP ModSecurity Core Rule Set v3.0 released

dune73 writes: The OWASP ModSecurity Core Rule Set v3.0.0 release is now available. The OWASP CRS is a widely used Open Source set of generic rules designed to protect users against threats like the OWASP Top 10. The rule set is most often deployed in conjunction with an existing Web Application Firewall (WAF) like ModSecurity. Four years in the making, this release comes with dozens of new features including: reduced false positives (by over 90% in the default setup), improved detection of SQLi, XSS, RCE and PHP injections, the introduction of a Paranoia Mode which allows assigning a certain security level to a site, and better documentation that takes the pain out of ModSecurity. We are so excited about this, we want to make it into a movie. In fact, we have already started the project with a poster.
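The two posts above both turn on the same two knobs: the Paranoia Level that CRS3 introduced, and the handling of the remaining false positives at higher levels. The following Apache/ModSecurity configuration is an added example (not from the posts, the submitter, or the CRS project files) that shows both. The rule id 942100 is the libinjection-based SQLi rule in CRS3; the install paths and the `comment` parameter name are assumptions for illustration.

```apache
# Added example: minimal CRS3 wiring for Apache + ModSecurity.
# Paths and the "comment" parameter name are assumed, not taken from the posts.

# Observe first, block later: DetectionOnly logs what would have been blocked,
# which is how you find false positives before they cost you traffic.
SecRuleEngine DetectionOnly

# Paranoia Level 1 is the low-false-positive default. Raising it to 2-4 enables
# stricter rules and is where the tutorials' false-positive handling matters.
# (In a real install this SecAction lives in crs-setup.conf, id 900000.)
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"

# Load the rules after the setup action so tx.paranoia_level is already set.
Include /etc/modsecurity/crs/rules/*.conf

# Handling one false positive narrowly: rule 942100 trips on free text in a
# form field named "comment". Exclude only that argument from that one rule,
# rather than removing the rule (SecRuleRemoveById) for every request.
# Update directives must come after the rules they modify are loaded.
SecRuleUpdateTargetById 942100 "!ARGS:comment"
```

Once the audit log stays clean for the expected traffic, switch `SecRuleEngine` to `On`; the exclusion stays scoped to a single parameter of a single rule, so the rest of the CRS coverage is unchanged.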

Comment Re:hip kernel with lousy sw environment (Score 1) 400

Legally you are completely right:
> Solaris tools don't break your scripts, Linux tools prevent your scripts from being portable.

But I do not care about that. "tar xvzf" is a useful extension, "sed -i" too, as is "grep -r".
It helps me get my work done in shorter time. I am paid by the hour. My customer appreciates
speed.

I could write portable scripts, but this is not one of the goals of the projects I work in.
gnu/linux is the de facto standard these days. Not legally, but this is what most people
learn and use. There are dinosaurs around and they will live on for many years to come.
But

for F in `find . -type f`; do echo $F; grep xxx $F; done

will look odder every day. (Maybe it is already very odd today, I am not very used to working
without "grep -r" ;-)
