Thread: mod_security
#12, 02-03-2011, 11:13 AM
mikegotroot (New Member, Join Date: Feb 2011, Posts: 7)
Quote:
If I'm setting up a new server with LiteSpeed right now (under cPanel/WHM), what do I need to do in order to get the best mod_security protection? Given that not all the 2.x rules are compatible, will the gotroot set break LiteSpeed?
My two cents, I don't know if it will "break" LiteSpeed (I doubt it), but if LiteSpeed doesn't support the full rule language you will not be as secure against web attacks and many of the rules written for modsecurity may not even work correctly. You really need the full feature set in modsecurity 2.5.13 to use either the gotroot or OWASP rules which are written for modsecurity. Those rules might "load" but without all the features they won't work correctly, they probably won't even detect attacks properly. 2.5.x rules are very different from the simplistic 1.9.x "look for this regexp" rules, it's like night and day. So even though 1.9.x rules worked in the past does not mean modern 2.5.x rules will, the whole syntax of the language changed between 1.9.x and 2.0, and 2.5.x has added tons of new things.

Quote:
Also, will ASL Lite work in a cPanel situation with LiteSpeed installed? (I mean, assuming that the rules will work, will the ASL Lite autoupdater also work...or does it not coexist with LiteSpeed?)
ASL Lite works great with cpanel, and the autoupdater will work just fine with cpanel and litespeed. The issue is does LiteSpeed understand the rules, and your guess is as good as mine. As I understand it, I thought LiteSpeed was a drop in replacement for Apache, and if it is then the answer should be yes. However, we don't know what LiteSpeed supports in its modsecurity-like implementation (I can't find any documentation, if someone could point me to it that would be awesome!) and we have had lots of reports that the 2.x rulesets don't work right, ours, OWASP's or anyone else's.

So the LiteSpeed implementation appears to not be feature complete, and I'd like nothing more than to be wrong about that and to say yes it will work. So if someone from LiteSpeed could explain what they do support, we'd all appreciate that.

Without knowing what it does support it's very difficult to even begin to write rules for it, and with reports that things don't work right, all I can say is no the gotroot and OWASP rules will not work right (may not even load correctly) with LiteSpeed's WAF. With that said, I hope LiteSpeed is close to full 2.5.13 compatibility, because if all it had is 1.9.x compatibility then no it won't be as secure as Apache. :-(

Quote:
I love LiteSpeed but I also need security. So any advice will be appreciated.
Me too! :-)
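The post above turns on which rule-language features a ruleset needs versus what the engine implements. As an added example (not part of the original post, and not code from gotroot, OWASP or LiteSpeed), this script inventories the directives, operators, transformations and actions a rule file uses and lists those missing from a supported set. The sample rules and `ASSUMED_SUPPORTED` are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample rules (not taken from the gotroot or OWASP rule sets).
SAMPLE_RULES = r'''
# 1.9.x style: a directive plus a regular expression
SecFilterSelective ARGS "union\s+select" "deny,log,status:403"
# 2.x style: operators, transformations, phases, chained rules
SecRule ARGS|REQUEST_HEADERS:User-Agent "@pm nikto sqlmap" \
    "phase:2,t:none,t:lowercase,deny,log,id:900001,chain"
SecRule REQUEST_URI "@rx \.php$" "t:urlDecodeUni,setvar:tx.score=+5"
SecRule REQUEST_BODY "select.+from" "phase:2,t:none,t:urlDecodeUni,pass,id:900002"
'''
# Hypothetical feature list for the engine under test; fill it in from vendor
# documentation or your own testing. It is NOT LiteSpeed's actual feature list.
ASSUMED_SUPPORTED = {"directive:SecRule", "operator:@rx", "action:deny",
                     "action:log", "action:pass", "action:id", "action:phase"}

TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')      # quoted string or bare word
COMMA = re.compile(r",(?=(?:[^']*'[^']*')*[^']*$)")   # comma outside '...'

def inventory(text):
    """Count the rule-language features a rule file depends on."""
    need = Counter()
    text = re.sub(r"\\\r?\n", " ", text)              # join continuation lines
    for line in text.splitlines():
        tok = [m.group(2) or m.group(1) for m in TOKEN.finditer(line.strip())]
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] in ("SecFilter", "SecFilterSelective"):
            need["directive:" + tok[0]] += 1          # 1.9.x syntax
        elif tok[0] == "SecRule" and len(tok) >= 3:
            need["directive:SecRule"] += 1
            op = tok[2].lstrip("!")                   # "!" negates the operator
            # An operator string without a leading "@" is an implicit @rx.
            need["operator:" + (op.split()[0] if op.startswith("@") else "@rx")] += 1
            actions = COMMA.split(tok[3]) if len(tok) > 3 else []
            for act in filter(None, map(str.strip, actions)):
                name, _, arg = act.partition(":")
                need["transform:" + arg if name == "t" else "action:" + name] += 1
    return need

def missing(need, supported):
    """Features the rules use that the engine is not known to support."""
    return sorted(f for f in need if f not in supported)

if __name__ == "__main__":
    need = inventory(SAMPLE_RULES)
    for feature in missing(need, ASSUMED_SUPPORTED):
        print(f"{feature}  (used {need[feature]}x)")
```

A rule that loads but relies on a missing transformation or operator is the failure the post warns about, so an empty `missing()` result is necessary but does not replace testing the rules against known-bad requests.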