How to use Mod Security & ClamAV with Litespeed 4.0
PLEASE REMEMBER TO RATE THIS THREAD SO IT WILL GAIN STICKY STATUS AND REMAIN A CONSTANT THREAD OF ASSISTANCE. THANK YOU.
I believe this post will help the greater LSWS community of users. Over and over I see many people asking the same questions, and multiple duplicates throughout the forum. For this reason I am compiling those queries into this thread in the hopes that a few of you Subject Matter Experts may help us.
FIRST: PEOPLE WISH TO KNOW HOW TO FULLY INTEGRATE MOD_SECURITY 2.5.X INTO LSWS WITH LOGGING THAT WORKS.
I have added the following line into httpd.conf, which is used by LSWS:
Having already built mod_security within the Easy Apache build prior to building matching php in LSWS and then switching to LSWS; it has come with the default mod_security rules.
modsec2.user.conf (see attachment for default rules)
LoadModule security2_module modules/mod_security2.so
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
::::: Now I can only assume most people use CSF :::::
You will see from the two illustrations below that mod security is installed and integrated with CSF, however, when you click to view the log, nothing is showed.
How can this be fixed?
Here are screenshots of the LSWS Admin Console for logging and request filter. Please advise if anything needs to be set there to properly incorporate better logging and/or mod_security integration:
::::: Now on to the final topic :::::
I have ClamAV included, however I do not believe it has been properly integrated to process all files received or perhaps uploaded through ftp -> through -> the mod_security rules, and logged. To make a long story short. Let's say I have a few erroneous shell scripts. I can presently upload them via ftp to one of my sites. I do not want anyone to be allowed to do this, as my computer antivirus has to be shut off just to download them, however my server allows them to be uploaded, which no one wants. Here are some screenshots:
FTP SHELL UPLOADED (THIS IS A SAFE MODE BYPASS SHELL)
HERE IS THE RESPONSE OF THE SHELL BEING STOPPED DUE TO PHP FUNCTIONS BEING DISABLED, BUT I WOULD LIKE THIS TO BE STOPPED PRIOR TO BEING UPLOADED, AND LOGGED IN MOD_SECURITY, CAUGHT BY CLAMAV, AND LOGGED ALSO FOR THAT ADDED PROTECTION, AS WELL AS BEING USEFUL TO LEGALLY PROSECUTE THOSE WHOM ARE ATTEMPTING TO CRACK MY SERVER.
For those of you whom do not have a proficient list of php functions to disable in "usr/local/lib/php.ini" - build matching php in lsws - or add to "usr/local/lsws/php/php.ini" ----- I have provided them here:
another good one to add is "ini_set", however I am using a constantly updating shoutcast radio script, so I do not have that in my list. If you don't have such a need, simply add ----> ,ini_set to the list.
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,hell-exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,shell_exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsidposix_setuid,show_source
In closing I am hoping some of you Master System Admins can help us less knowledgeable individuals secure our servers by providing some helpful responses to my requests above.
Last edited by grniyce; 05-14-2009 at 11:51 AM..