How to use Mod Security & ClamAV with Litespeed 4.0
PLEASE REMEMBER TO RATE THIS THREAD SO IT WILL GAIN STICKY STATUS AND REMAIN A CONSTANT THREAD OF ASSISTANCE. THANK YOU.
I believe this post will help the greater LSWS community of users. Over and over I see many people asking the same questions, and multiple duplicates throughout the forum. For this reason I am compiling those queries into this thread in the hopes that a few of you Subject Matter Experts may help us.
FIRST: PEOPLE WISH TO KNOW HOW TO FULLY INTEGRATE MOD_SECURITY 2.5.X INTO LSWS WITH LOGGING THAT WORKS.
I have added the following line into httpd.conf, which is used by LSWS:
::::: Now I can only assume most people use CSF :::::
You will see from the two illustrations below that mod security is installed and integrated with CSF, however, when you click to view the log, nothing is showed.
How can this be fixed?
Here are screenshots of the LSWS Admin Console for logging and request filter. Please advise if anything needs to be set there to properly incorporate better logging and/or mod_security integration:
::::: Now on to the final topic :::::
I have ClamAV included, however I do not believe it has been properly integrated to process all files received or perhaps uploaded through ftp -> through -> the mod_security rules, and logged. To make a long story short. Let's say I have a few erroneous shell scripts. I can presently upload them via ftp to one of my sites. I do not want anyone to be allowed to do this, as my computer antivirus has to be shut off just to download them, however my server allows them to be uploaded, which no one wants. Here are some screenshots:
FTP SHELL UPLOADED (THIS IS A SAFE MODE BYPASS SHELL)
HERE IS THE RESPONSE OF THE SHELL BEING STOPPED DUE TO PHP FUNCTIONS BEING DISABLED, BUT I WOULD LIKE THIS TO BE STOPPED PRIOR TO BEING UPLOADED, AND LOGGED IN MOD_SECURITY, CAUGHT BY CLAMAV, AND LOGGED ALSO FOR THAT ADDED PROTECTION, AS WELL AS BEING USEFUL TO LEGALLY PROSECUTE THOSE WHOM ARE ATTEMPTING TO CRACK MY SERVER.
For those of you whom do not have a proficient list of php functions to disable in "usr/local/lib/php.ini" - build matching php in lsws - or add to "usr/local/lsws/php/php.ini" ----- I have provided them here:
In closing I am hoping some of you Master System Admins can help us less knowledgeable individuals secure our servers by providing some helpful responses to my requests above.
First, please upgrade to 4.0.3,
Second, add a testing mod_security rule,
third, try to hit the testing rule with a crafted request
You should not use chroot with a hosting control panel unless the control panel support chroot.
For the security rule, if you want to block something like a URL "/blabla"
Just add a rule in modsec2.user.conf like
SecRule REQUEST_URI "/blabla"
then create a file to serve url "/blabla". remember, if file not found (404), LSWS will not go through the security rules.
then hit the URL, you will see 406 response, means that the request was blocked by security rule. check the audit_log, it should be logged.
thank you this seems to work pretty well, however I get an error 403 when I click it but at least things are being blocked now.
|All times are GMT -7. The time now is 12:46 AM.|