Support

vivek · #1 04-20-2008, 08:16 AM

Hello

I have a good set of Mod_security 1.9 rules. But when I swap the webserver, ie, when I run Apache , I will get lot of IP block mails from the firewall. From that, I can see the IP address as well as the domain name. But when I switch to litespeed, it is not working with mod security rules. and not reporting the errors in error_log file such that the CSF can read it.

Recently one of my client's site which was a Joomla site, got hacked. I checked the account and found 10 copies of c99.php files as well as a file called sniper.php files. ClamAV antivirus found this as trojans.

Why c99 and snipper codes worked with litespeed+modsec ? I am sure it will not work in the case of apache+modsec

My question is , Why litespeed isnt processing modsec.conf ?
I know the the old version of lsws worked with modsec, but why the new version isnt working with it?

I am using enterprise version since 3+ months now.

My server is handling around 300 http connections ( 500+ on peak time )
I am sure litespeed isnt working with modesec+CSF because when I change to apache, I can see it apache is working fine with those set of rules.

Vivek

mistwang · #2 04-20-2008, 06:15 PM

We need more specific information to investigate this.
The Request URL and security rule that should work but not.
We can try it on your server with mod_security log enabled.

vivek · #3 04-20-2008, 07:39 PM

Quote:

Originally Posted by mistwang

We need more specific information to investigate this.
The Request URL and security rule that should work but not.
We can try it on your server with mod_security log enabled.

PMed you the server login. Please check it.

Regards
Vivek

mistwang · #4 04-20-2008, 07:56 PM

Please send me an example URL along with the mod_security rule that should block it. However, it has not been blocked in your server environment, and we can reliably reproduce it on your server, then I will start investigate.

Without those information, I don't know where to start.

vivek · #5 04-20-2008, 08:32 PM

Quote:

Originally Posted by mistwang

Please send me an example URL along with the mod_security rule that should block it. However, it has not been blocked in your server environment, and we can reliably reproduce it on your server, then I will start investigate.

Without those information, I don't know where to start.

Hello

I just uploaded a c99 script to my account. I can see litespeed is not working with modsec in this case.

I changed to apache and it blocked the script.

PMing you the details.

Vivek

mistwang · #6 04-21-2008, 08:39 AM

checking it now.

mistwang · #7 04-21-2008, 10:32 AM

OK, find a problem with handling "SecFilter" directive, the request URI has not been checked. Uploaded 3.3.11 release package, and it works properly now.

If you find any other issue mod_security rules, please let us know.

vivek · #8 04-21-2008, 11:19 AM

Quote:

Originally Posted by mistwang

OK, find a problem with handling "SecFilter" directive, the request URI has not been checked. Uploaded 3.3.11 release package, and it works properly now.

If you find any other issue mod_security rules, please let us know.

Thank you
I think there are also some other rules other than secFilter, which arent working. I will let you know when I get more info.

Vivek

vivek · #9 04-28-2008, 10:51 PM

secFilter is not working again,

Litespeed Web Server Enterprise v4.0b1 :

anewday · #10 04-28-2008, 11:18 PM

Hope George didn't forget to apply all bugfixes (from 3.3 versions) to the beta, I'm waiting for beta2 to test it.