05-14-2009, 10:45 AM
Senior Member
Join Date: Jan 2009
Posts: 52
How to use Mod Security & ClamAV with Litespeed 4.0
PLEASE REMEMBER TO RATE THIS THREAD SO IT WILL GAIN STICKY STATUS AND REMAIN A CONSTANT THREAD OF ASSISTANCE. THANK YOU.
I believe this post will help the greater LSWS community of users. Over and over I see many people asking the same questions, and multiple duplicates throughout the forum. For this reason I am compiling those queries into this thread in the hopes that a few of you Subject Matter Experts may help us.
FIRST: PEOPLE WISH TO KNOW HOW TO FULLY INTEGRATE MOD_SECURITY 2.5.X INTO LSWS WITH LOGGING THAT WORKS.
I have added the following line into httpd.conf, which is used by LSWS:
Code:
Include "/usr/local/apache/conf/modsec2.conf"
Having already built mod_security within the Easy Apache build prior to building matching PHP in LSWS and then switching to LSWS, it has come with the default mod_security rules.
modsec2.conf
Code:
LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
# Only transactions that triggered a rule (or ended in a 5xx) are written to the audit log
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
# Rules that carry no actions of their own inherit this: deny with 406 in phase 2 and log it
SecDefaultAction "phase:2,deny,log,status:406"
# Allow the local host; the dots are escaped so the regex matches only the literal address
SecRule REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>
modsec2.user.conf (see attachment for default rules)
::::: Now I can only assume most people use CSF :::::
You will see from the two illustrations below that mod security is installed and integrated with CSF; however, when you click to view the log, nothing is shown.
How can this be fixed?


Here are screenshots of the LSWS Admin Console for logging and request filter. Please advise if anything needs to be set there to properly incorporate better logging and/or mod_security integration:

::::: Now on to the final topic :::::
I have ClamAV included; however, I do not believe it has been properly integrated to process all files received or perhaps uploaded through ftp -> through -> the mod_security rules, and logged. To make a long story short, let's say I have a few erroneous shell scripts. I can presently upload them via ftp to one of my sites. I do not want anyone to be allowed to do this, as my computer antivirus has to be shut off just to download them; however, my server allows them to be uploaded, which no one wants. Here are some screenshots:

FTP SHELL UPLOADED (THIS IS A SAFE MODE BYPASS SHELL)

HERE IS THE RESPONSE OF THE SHELL BEING STOPPED DUE TO PHP FUNCTIONS BEING DISABLED, BUT I WOULD LIKE THIS TO BE STOPPED PRIOR TO BEING UPLOADED, AND LOGGED IN MOD_SECURITY, CAUGHT BY CLAMAV, AND LOGGED ALSO FOR THAT ADDED PROTECTION, AS WELL AS BEING USEFUL TO LEGALLY PROSECUTE THOSE WHO ARE ATTEMPTING TO CRACK MY SERVER.

For those of you who do not have a proficient list of php functions to disable in "usr/local/lib/php.ini" - build matching php in lsws - or add to "usr/local/lsws/php/php.ini" ----- I have provided them here:
Code:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,shell_exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,show_source
Another good one to add is "ini_set"; however, I am using a constantly updating shoutcast radio script, so I do not have that in my list. If you don't have such a need, simply add ----> ,ini_set to the list.
In closing I am hoping some of you Master System Admins can help us less knowledgeable individuals secure our servers by providing some helpful responses to my requests above.
Sincerely,
Anthony
Last edited by grniyce; 05-14-2009 at 10:51 AM..

05-14-2009, 11:06 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
First, please upgrade to 4.0.3.
Second, add a testing mod_security rule.
Third, try to hit the testing rule with a crafted request.
Fourth, check logs/modsec_audit.log.

05-14-2009, 12:16 PM
Senior Member
Join Date: Jan 2009
Posts: 52
Quote:
Originally Posted by mistwang
First, please upgrade to 4.0.3,
Ok I have successfully upgraded to 4.0.3 with chRoot enabled. No other settings have been changed. They all migrated to the new version.
Second, add a testing mod_security rule,
I do not know how to do this. That's what my inquiry above was about please.
third, try to hit the testing rule with a crafted request
I don't exactly know how to do this either, and will require assistance. What I have done is downloaded c100.php. I had to turn off my computer antivirus to even download it; however, I have uploaded it to a site on my server and I have successfully navigated the entire directory by accessing that file. This I do not want to happen. I don't even want a user to be allowed to upload these erroneous scripts.
fourth, check logs/modsec_audit.log
I am going to send you a site pm with my login and pw to root on my machine. If you can find time to review the above information and provide a solution understandable at my novice level, I truly do believe this will help everyone.
Thank you.
Last edited by grniyce; 06-28-2009 at 07:13 PM..

05-14-2009, 12:34 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
You should not use chroot with a hosting control panel unless the control panel supports chroot.
For the security rule, if you want to block something like a URL "/blabla",
just add a rule in modsec2.user.conf like
SecRule REQUEST_URI "/blabla"
then create a file to serve URL "/blabla". Remember, if the file is not found (404), LSWS will not go through the security rules.
Then hit the URL; you will see a 406 response, which means that the request was blocked by the security rule. Check the audit_log; it should be logged.
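To confirm the fourth step of the procedure above (that the test hit really reached logs/modsec_audit.log), here is an added parser for the ModSecurity 2.x serial audit log format; it is example code, not part of the thread or of LiteSpeed, and the log sample it reads is constructed to look like one hit on the "/blabla" rule plus one request the engine let through.

```python
import re

# Constructed sample of a ModSecurity 2.x serial audit log (the file that
# "SecAuditLog logs/modsec_audit.log" writes): one hit on the /blabla test
# rule and one request the engine let through.
SAMPLE_AUDIT_LOG = """\
--4f2a9c1b-A--
[14/May/2009:12:40:01 --0700] SdI4wX8AAAEAAB3cJg0AAAAA 203.0.113.5 51234 198.51.100.10 80
--4f2a9c1b-B--
GET /blabla HTTP/1.1
--4f2a9c1b-F--
HTTP/1.1 406 Not Acceptable
--4f2a9c1b-H--
Message: Access denied with code 406 (phase 2). Pattern match "/blabla" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "1"]
Action: Intercepted (phase 2)
--7be0d3a2-A--
[14/May/2009:12:41:17 --0700] SdI5AX8AAAEAAB3dJg0AAAAB 203.0.113.5 51240 198.51.100.10 80
--7be0d3a2-B--
GET /index.php?id=5 HTTP/1.1
--7be0d3a2-F--
HTTP/1.1 200 OK
--7be0d3a2-H--
Producer: ModSecurity for Apache/2.5.9
"""

# Every part is framed as "--<txn id>-<letter>--": B holds the request line and
# headers, F the response line, H the trailer with the rule messages.
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")

def parse_audit_log(text):
    # Group the parts by transaction id, then summarise each transaction.
    parts, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = m.groups()
            parts.setdefault(current[0], {}).setdefault(current[1], [])
        elif current:
            parts[current[0]][current[1]].append(line)
    entries = []
    for p in parts.values():
        request = (p.get("B") or [""])[0].split(" ")   # "GET /uri HTTP/1.1"
        response = (p.get("F") or [""])[0].split(" ")  # "HTTP/1.1 406 ..."
        blocked = any(l.startswith("Action: Intercepted") for l in p.get("H", []))
        entries.append({"uri": request[1] if len(request) > 1 else "",
                        "status": response[1] if len(response) > 1 else "",
                        "intercepted": blocked})
    return entries

def blocked_uris(text):
    # URIs a rule intercepted; the test hit should appear here with status 406.
    return [e["uri"] for e in parse_audit_log(text) if e["intercepted"]]
```

Run it against the real file with `parse_audit_log(open("logs/modsec_audit.log").read())`; an empty result after hitting the test URL means the request never reached the rules (for example, the 404 case described above).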

05-19-2009, 06:57 PM
Senior Member
Join Date: Jan 2009
Posts: 52
Thank you, this seems to work pretty well; however, I get an error 403 when I click it, but at least things are being blocked now.