01-23-2011, 03:27 PM
Senior Member
Join Date: Nov 2009
Posts: 56
mod_security
Hello,
I've heard a good bit of concerning talk about LiteSpeed's support (or lack of support) for mod_security.
For example, the gotroot people say that LS does not fully support mod_security, and therefore many of the rules and protections are ineffective.
I've seen similar claims, and various partial answers here and there, but nothing definitive.
With security growing even more important every day, I am wondering if LiteSpeed staff can address this issue definitively and let me know how secure LS is, especially in regard to mod_security.
If you can outline how to best set up LS with effective mod_security on a cPanel server, that would be appreciated. That was asked in a post several months ago that was never responded to.
Thanks,
Mark

01-23-2011, 03:54 PM
Senior Member
Join Date: Nov 2009
Posts: 56
To clarify, here is what gotroot says about LiteSpeed and mod_security:
Quote:
As you may already know, Litespeed does not use or support mod_security. It does not include or use it; rather, they created their own undocumented WAF module that supposedly supports mod_security rules, but does not. It supports an undocumented subset of the mod_security rule language, and another subset (also undocumented) of modsecurity features, and it also may not even work the same as modsecurity. Did I mention it's undocumented?
Is this true? If so, this is very concerning because LiteSpeed is advertised as a completely Apache-compatible, drop-in replacement. However, if the comments above are true, LiteSpeed ignores an important, major part of Apache functionality. An omission such as this should be disclosed, IMHO.
Or am I missing something? I look forward to a definitive answer about LiteSpeed and mod_security (and security in general).
Thanks.

01-23-2011, 06:43 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
mod_security made big changes from release 1.9 to 2.x. Our implementation is based on 1.9, so not all features in 2.x are supported. We will add more 2.x features in the future; those features are probably only used in 5% of rules.
But if you require 100% compatibility with mod_security, you may have to stay with Apache.

01-23-2011, 09:20 PM
Senior Member
Join Date: Nov 2009
Posts: 56
Of course, it is concerning that these differences were not spelled out prominently. LiteSpeed is advertised as "APACHE INTERCHANGEABLE". That implies that it is functionally equivalent; however, this is not the case in terms of mod_security. And, of course, security is critical in today's climate.
The biggest question is how secure LiteSpeed is (in terms of mod_security) compared to Apache. Please feel free to explain further, so we can decide whether LiteSpeed is safe to use.

02-01-2011, 01:55 PM
New Member
Join Date: Feb 2011
Posts: 7
I'm the lead developer of one of the two modsecurity projects out there, and maybe I can help explain.
All the current rulesets out there (Gotroot, OWASP, etc.) require support for the 2.5.x rule language. Those rules have a different syntax from the older 1.9.x rules, and also use lots of features that the older implementation (1.9.x) does not have - which means 2.5.x rules are WAY WAY more robust but also incompatible with 1.9.x implementations.
This is all good stuff. There are things we can do in 2.5.x that are simply not possible in 1.9.x (the features don't exist, like Lua scripts, branching logic, DoS protections, anti-obfuscation countermeasures, transforms, etc.). There are things we can do in 2.5.x that are really fast, which in 1.9.x were painfully, impossibly slow, such as the ability to do Aho-Corasick matching - which made it possible to do matches against large lists super fast (think big blacklists of malicious domains, IPs, etc.). We can also do branching logic in 2.5.x, which we can't do in 1.9.x - think of if-then-else statements, which are used by both the OWASP and GotRoot rules for huge performance gains (if I don't see X in this payload, skip all these rules). In fact, both rule sets won't even work correctly with a 1.9.x implementation because of the lack of branching logic, which is a real biggie. Probably 100% of the rules won't work right without that logic alone.
We can also do anomaly detection in 2.5.x; again, this doesn't exist in 1.9.x, so if you use either ruleset in anomaly detection mode, 100% of the rules don't work in 1.9.x implementations. So it's really a square peg in a round hole trying to get 2.5.x rules to work in the less capable 1.9.x implementation. It just won't work.
And finally, the new rule language lets us do things that massively reduce false positives. It's like night and day from a reliability point of view. The improvements in this area were so great that 1.9.x was dropped by rule authors for probably that reason alone! :-)
So, the advantages of the 2.5.x implementation are worth so much that it's not worth maintaining rulesets for 1.9.x. We retired our 1.9.x rules many years ago for just those reasons. So, the 2.5.x change was a big positive change well worth the adoption.
Unfortunately, that means 1.9.x implementations such as LiteSpeed's are left in the cold because the big rule projects moved on to 2.5.x years ago. It's like being forced to support something you know is just out of date, inefficient and not powerful enough to solve the problems you know you need to solve to protect your users. No security guy wants that. :-)
So, I hope that Litespeed can support 2.5.x soon; we'd love to be able to help out LiteSpeed users with our rules. If you must use 1.9.x rules, we do still publish 1.9.x rules at www.gotroot.com, but they are totally EOL, and I wouldn't rely on any 1.9.x rules to protect you from modern attacks; expect FPs too, as we just can't do all the things we've been doing for years with the 2.5.x rules in 1.9.x. Too many things can get past an older implementation, but something is probably better than nothing.
I hope this information helps everyone to understand where things are, and I wish LiteSpeed all the success in the world getting a 2.5.x implementation in place!
Last edited by mikegotroot; 02-01-2011 at 03:16 PM..
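The post above names three 2.5.x rule-language features that 1.9-era engines lack: Aho-Corasick phrase matching (the @pm / @pmFromFile operators the LiteSpeed staff reply later mentions), branching via skip logic, and anomaly-score mode. The following toy evaluator is an added illustration of how those three pieces fit together; it is not code from ModSecurity, LiteSpeed or gotroot. The rule ids, phrase lists, threshold and the two sample requests are all constructed for the example, and the negation semantics are simplified relative to the real engine.

```python
# Added illustration for this thread (not ModSecurity's or LiteSpeed's code): a
# small evaluator showing three mod_security 2.x rule-language features:
#   1. @pm-style phrase matching via Aho-Corasick (one pass, many phrases),
#   2. branching with skipAfter / markers ("if I don't see X, skip these rules"),
#   3. anomaly scoring: block only when the summed score reaches a threshold.
# Rule ids, phrases, the threshold and the sample requests are constructed for
# the example and are not taken from any real ruleset.
from collections import deque
import re


class AhoCorasick:
    """Case-insensitive multi-phrase matcher, the idea behind @pm / @pmFromFile."""

    def __init__(self, phrases):
        self.goto, self.out, self.fail = [{}], [[]], [0]
        for phrase in phrases:
            node = 0
            for ch in phrase.lower():
                if ch not in self.goto[node]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[node][ch] = len(self.goto) - 1
                node = self.goto[node][ch]
            self.out[node].append(phrase.lower())
        # Breadth-first pass computes failure links and merges output lists.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, text):
        """Return the set of phrases occurring anywhere in text (single pass)."""
        node, hits = 0, set()
        for ch in text.lower():
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            hits.update(self.out[node])
        return hits


def values_of(request, var):
    """Resolve a variable such as ARGS (all values) or REQUEST_HEADERS:User-Agent."""
    collection, _, key = var.partition(":")
    data = request.get(collection, {})
    if key:
        return [data[key]] if key in data else []
    return list(data.values())


def evaluate(rules, request, threshold=5):
    """Walk the rule list once, honouring skip_after and summing anomaly points.

    A rule is {"id", "var", "op", "negate"?, "score"?, "skip_after"?};
    a marker is {"marker": NAME}. Toy semantics: a negated rule matches when
    the variable has values and none of them satisfies the operator.
    """
    score, matched, i = 0, [], 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if "marker" in rule:
            continue
        values = values_of(request, rule["var"])
        hit = any(rule["op"](v) for v in values)
        if rule.get("negate") and values:
            hit = not hit
        if not hit:
            continue
        matched.append(rule["id"])
        score += rule.get("score", 0)
        if "skip_after" in rule:
            # Branch: jump to the named marker, skipping every rule in between.
            while i < len(rules) and rules[i].get("marker") != rule["skip_after"]:
                i += 1
    return {"score": score, "matched": matched, "blocked": score >= threshold}


# Constructed phrase lists standing in for @pmFromFile data files.
SQL_PM = AhoCorasick(["select", "union", "information_schema", "sleep(", "benchmark("])
SQL_FUNCS_PM = AhoCorasick(["information_schema", "sleep(", "benchmark("])
SCANNER_PM = AhoCorasick(["sqlmap", "nikto"])

RULES = [
    # Guard: no SQL-looking phrase in any argument -> skip the whole SQLi group.
    {"id": 900001, "var": "ARGS", "op": lambda v: bool(SQL_PM.search(v)),
     "negate": True, "skip_after": "END_SQLI"},
    {"id": 942100, "var": "ARGS",
     "op": lambda v: re.search(r"(?i)union\s+select", v) is not None, "score": 3},
    {"id": 942101, "var": "ARGS", "op": lambda v: bool(SQL_FUNCS_PM.search(v)), "score": 3},
    {"marker": "END_SQLI"},
    {"id": 913100, "var": "REQUEST_HEADERS:User-Agent",
     "op": lambda v: bool(SCANNER_PM.search(v)), "score": 2},
]

# Constructed sample requests (not real traffic).
BENIGN = {"ARGS": {"q": "litespeed mod_security"},
          "REQUEST_HEADERS": {"User-Agent": "Mozilla/5.0"}}
SUSPECT = {"ARGS": {"id": "1 UNION SELECT 1,2 FROM information_schema.tables"},
           "REQUEST_HEADERS": {"User-Agent": "sqlmap/1.0"}}

if __name__ == "__main__":
    print(evaluate(RULES, BENIGN))   # only the guard fires, score 0, not blocked
    print(evaluate(RULES, SUSPECT))  # three rules fire, score 8, blocked
```

The benign request shows why the guard matters for performance: one phrase scan over the arguments lets the engine jump straight past the SQLi group. The suspect request shows anomaly mode at work: no single rule decides the outcome; the request is blocked because the sum of the individual scores crosses the threshold, which is exactly the behaviour a 1.9-era engine without scoring or skip logic cannot reproduce.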

02-01-2011, 07:42 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
We have been adding 2.5 features into our modsec engine, @pm, @pmFromFile are supported in our 4.1RC4 release already. We will continue adding more features based on popularity and importance.