LiteSpeed Support Forums
#1  01-23-2011, 03:27 PM
markb1439 (Senior Member; joined Nov 2009; 56 posts)

mod_security

Hello,

I've heard a good bit of concerning talk about LiteSpeed's support (or lack of support) for mod_security.

For example, the gotroot people say that LS does not fully support mod_security, and therefore many of the rules and protections are ineffective.

I've seen similar claims, and various partial answers here and there, but nothing definitive.

With security growing even more important every day, I am wondering if LiteSpeed staff can address this issue definitively and let me know how secure LS is, especially in regard to mod_security.

If you can outline how to best set up LS with effective mod_security on a cPanel server, that would be appreciated. That was asked in a post several months ago that was never responded to.

Thanks,

Mark
#2  01-23-2011, 03:54 PM
markb1439 (Senior Member; joined Nov 2009; 56 posts)
To clarify, here is what gotroot says about LiteSpeed and mod_security:

Quote:
As you may already know, LiteSpeed does not use or support mod_security. It does not include it or use it; rather, they created their own undocumented WAF module that supposedly supports mod_security rules, but does not. It supports an undocumented subset of the mod_security rule language, and another subset (also undocumented) of mod_security features, and it also may not even work the same as mod_security. Did I mention it's undocumented?
Is this true? If so, this is very concerning because LiteSpeed is advertised as a completely Apache-compatible, drop-in replacement. However, if the comments above are true, LiteSpeed ignores an important, major part of Apache functionality. An omission such as this should be disclosed, IMHO.

Or am I missing something? I look forward to a definitive answer about LiteSpeed and mod_security (and security in general).

Thanks.
#3  01-23-2011, 06:43 PM
mistwang (LiteSpeed Staff; joined May 2003; New Jersey; 7,585 posts)
mod_security made big changes from release 1.9 to 2.x. Our implementation is based on 1.9, so not all features in 2.x are supported. We will add more 2.x features in the future; those features are probably only used in 5% of rules.

But if you require 100% compatibility with mod_security, you may have to stay with Apache.
#4  01-23-2011, 09:20 PM
markb1439 (Senior Member; joined Nov 2009; 56 posts)
Of course, it is concerning that these differences were not spelled out prominently. LiteSpeed is advertised as "APACHE INTERCHANGEABLE". That implies that it is functionally equivalent; however, this is not the case in terms of mod_security. And, of course, security is critical in today's climate.

The biggest question is how secure LiteSpeed is (in terms of mod_security) compared to Apache. Please feel free to explain further, so we can decide whether LiteSpeed is safe to use.
#5  02-01-2011, 01:55 PM
mikegotroot (New Member; joined Feb 2011; 7 posts)
I'm the lead developer of one of the two modsecurity projects out there and maybe I can help explain.

All the current rulesets out there (Gotroot, OWASP, etc.) require support for the 2.5.x rule language. Those rules have a different syntax from the older 1.9.x rules, and also use lots of features that the older implementation (1.9.x) does not have, which means 2.5.x rules are WAY WAY more robust but also incompatible with 1.9.x implementations.

This is all good stuff. There are things we can do in 2.5.x that are simply not possible in 1.9.x (the features don't exist, like Lua scripts, branching logic, DoS protections, anti-obfuscation countermeasures, transforms, etc.). There are things we can do in 2.5.x that are really fast, which in 1.9.x were painfully, impossibly slow, such as the ability to do Aho-Corasick matching, which made it possible to do matches against large lists super fast (think big blacklists of malicious domains, IPs, etc.). We can also do branching logic in 2.5.x, which we can't do in 1.9.x; think of if/then/else statements, which are used by both the OWASP and GotRoot rules for huge performance gains (if I don't see X in this payload, skip all these rules). In fact, both rule sets won't even work correctly with a 1.9.x implementation because of the lack of branching logic, which is a real biggie. Probably 100% of the rules won't work right without that logic alone.

We can also do anomaly detection in 2.5.x; again, this doesn't exist in 1.9.x, so if you use either ruleset in anomaly detection mode, 100% of the rules don't work in 1.9.x implementations. So it's really a square peg in a round hole trying to get 2.5.x rules to work in the less capable 1.9.x implementation. It just won't work.

And finally, the new rule language lets us do things that massively reduce false positives. It's like night and day from a reliability point of view. The improvements in this area were so great that 1.9.x was dropped by rule authors for probably that reason alone! :-)

So, the advantages of the 2.5.x implementation are worth so much that it's not worth maintaining rulesets for 1.9.x. We retired our 1.9.x rules many years ago for just those reasons. So, the 2.5.x change was a big positive change well worth the adoption.

Unfortunately, that means 1.9.x implementations such as LiteSpeed's are left in the cold because the big rule projects moved on to 2.5.x years ago. It's like being forced to support something you know is just out of date, inefficient and not powerful enough to solve the problems you know you need to solve to protect your users. No security guy wants that. :-)

So, I hope that LiteSpeed can support 2.5.x soon; we'd love to be able to help out LiteSpeed users with our rules. If you must use 1.9.x rules, we do still publish 1.9.x rules at www.gotroot.com, but they are totally EOL and I wouldn't rely on any 1.9.x rules to protect you from modern attacks, and expect FPs too; we just can't do all the things we've been doing for years with the 2.5.x rules in 1.9.x. Too many things can get past an older implementation, but something is probably better than nothing.

I hope this information helps everyone to understand where things are, and I wish LiteSpeed all the success in the world getting a 2.5.x implementation in place!

#6  02-01-2011, 07:42 PM
mistwang (LiteSpeed Staff; joined May 2003; New Jersey; 7,585 posts)
We have been adding 2.5 features into our modsec engine; @pm and @pmFromFile are supported in our 4.1RC4 release already. We will continue adding more features based on popularity and importance.
#7  02-02-2011, 03:27 PM
mikegotroot (New Member; joined Feb 2011; 7 posts)
That's a good start. I look forward to when your implementation is feature complete.

If you want a suggestion for your next feature to add: as both the OWASP and Gotroot/Atomicorp rules require the new branching logic directives to work, I recommend you add those in next. Neither ruleset is going to work properly without that.

If you could also document what you do and do not support in your implementation that would certainly be helpful not just to your users, but to those of us that write WAF rules. It would help us to create a reduced set of rules for your implementation while you are still working towards full support for the rule language.

#8  02-02-2011, 06:14 PM
markb1439 (Senior Member; joined Nov 2009; 56 posts)
Thanks for the info.

I'd like to ask both of you...

If I'm setting up a new server with LiteSpeed right now (under cPanel/WHM), what do I need to do in order to get the best mod_security protection? Given that not all the 2.x rules are compatible, will the gotroot set break LiteSpeed?

Or, is LiteSpeed not yet secure enough (until it fully supports 2.x)?

Also, will ASL Lite work in a cPanel situation with LiteSpeed installed? (I mean, assuming that the rules will work, will the ASL Lite autoupdater also work, or does it not coexist with LiteSpeed?)

I love LiteSpeed but I also need security. So any advice will be appreciated.

Thanks,

Mark
#9  02-02-2011, 09:50 PM
mistwang (LiteSpeed Staff; joined May 2003; New Jersey; 7,585 posts)
Quote:
If you want a suggestion for your next feature to add, as both the OWASP and Gotroot/Atomicorp rule require the new branching logic directives to work I recommend you add in those in next.
Are you talking about the "chain" and "skip" actions? Those actions are supported currently.
There are LiteSpeed users loading gotroot or other modsec rule sets. Rules using regular expression matching do work. It does not break LiteSpeed.
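An added example, not code from this thread, LiteSpeed, gotroot/Atomicorp or the ModSecurity project, to make the disagreement in posts #5, #7 and #9 concrete. It parses a ModSecurity 2.x-style ruleset and inventories which operators and actions each rule uses, so you can see how many rules depend on the constructs named above (SecMarker + skipAfter branching, @pm/@pmFromFile, setvar anomaly scoring, t: transformations, chain/skip) rather than plain regex matching, and which rules would rely on something outside a given set of supported features. The sample ruleset is constructed, and the mapping of constructs to feature names and the "supported" set at the bottom (chain, skip, @pm, @pmFromFile, as stated in posts #6 and #9) are assumptions, not a LiteSpeed compatibility list.

```python
"""Inventory the ModSecurity 2.x constructs a ruleset depends on.

Added example, not LiteSpeed, gotroot/Atomicorp or ModSecurity code. Parses
SecRule/SecMarker directives (with backslash continuations) and reports the
operators and actions each rule uses. The sample ruleset and the mapping of
constructs to feature names are assumptions made for this example.
"""
import shlex
from collections import Counter, defaultdict

SAMPLE_RULES = r"""
# Constructed sample in ModSecurity 2.5 syntax; not a real ruleset.
SecMarker BEGIN_SQLI
SecRule REQUEST_METHOD "!@rx ^(GET|POST)$" "phase:2,id:1001,nolog,pass,skipAfter:END_SQLI"
SecRule ARGS "@pm union select insert drop" \
    "phase:2,id:1002,t:none,t:lowercase,t:urlDecodeUni,pass,setvar:tx.anomaly_score=+5"
SecRule REQUEST_URI "@pmFromFile bad_paths.txt" "phase:2,id:1003,deny,status:403"
SecRule REQUEST_HEADERS:User-Agent "^$" "phase:2,id:1004,chain,deny"
    SecRule REQUEST_HEADERS:Accept "^$" "t:none"
SecRule TX:ANOMALY_SCORE "@ge 5" "phase:2,id:1005,deny,status:403,msg:'anomaly threshold, block'"
SecMarker END_SQLI
"""

# Assumed mapping of constructs to the 2.x features discussed in the thread.
FEATURE_OPERATORS = {"pm": "parallel_match", "pmFromFile": "parallel_match"}
FEATURE_ACTIONS = {"skipAfter": "skip_after_marker", "skip": "skip", "chain": "chain",
                   "setvar": "anomaly_scoring", "t": "transformations", "exec": "scripting"}

def join_continuations(text):
    """Logical config lines: join backslash-continued lines, drop comments and blanks."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf and not buf.startswith("#"):
            logical.append(buf)
        buf = ""
    return logical

def split_actions(action_str):
    """Split an action list on commas, keeping single-quoted values (msg:'a, b') intact."""
    parts, cur, quoted = [], "", False
    for ch in action_str:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return parts + [cur.strip()] if cur.strip() else parts

def parse_operator(op_str):
    """'!@rx ^a$' -> ('rx', True, '^a$'); a bare pattern is an implicit @rx."""
    negated = op_str.startswith("!")
    body = op_str[1:] if negated else op_str
    if body.startswith("@"):
        name, _, arg = body[1:].partition(" ")
        return name, negated, arg.strip()
    return "rx", negated, body

def parse_rules(text):
    """Parse SecRule and SecMarker directives; anything else is ignored."""
    rules = []
    for line in join_continuations(text):
        tok = shlex.split(line)
        if tok[0] == "SecMarker":
            rules.append({"marker": tok[1], "variables": None, "operator": None, "actions": []})
        elif tok[0] == "SecRule":
            rules.append({"marker": None, "variables": tok[1], "operator": parse_operator(tok[2]),
                          "actions": split_actions(tok[3]) if len(tok) > 3 else []})
    return rules

def rule_id(rules, i):
    """The id: action, or the parent's id + '/chained' for the second rule of a chain."""
    for act in rules[i]["actions"]:
        if act.startswith("id:"):
            return act[3:]
    if i > 0 and "chain" in rules[i - 1]["actions"]:
        return rule_id(rules, i - 1) + "/chained"
    return f"rule#{i}"

def inventory(rules):
    """Count operators and actions; map each 2.x feature to the rules that use it."""
    operators, actions, features = Counter(), Counter(), defaultdict(set)
    for i, rule in enumerate(rules):
        if rule["marker"]:
            features["skip_after_marker"].add("marker:" + rule["marker"])
            continue
        rid = rule_id(rules, i)
        name = rule["operator"][0]
        operators[name] += 1
        if name in FEATURE_OPERATORS:
            features[FEATURE_OPERATORS[name]].add(rid)
        for act in rule["actions"]:
            aname = act.split(":", 1)[0]
            actions[aname] += 1
            if aname in FEATURE_ACTIONS:
                features[FEATURE_ACTIONS[aname]].add(rid)
        if rule["variables"].upper().startswith("TX:"):   # reads a score set by setvar
            features["anomaly_scoring"].add(rid)
    return {"operators": operators, "actions": actions, "features": dict(features)}

def rules_outside(features, supported):
    """Ids of rules and markers that depend on a feature not in `supported`."""
    return {rid for feat, ids in features.items() if feat not in supported for rid in ids}

if __name__ == "__main__":
    inv = inventory(parse_rules(SAMPLE_RULES))
    print("operators:", dict(inv["operators"]), "\nactions:", dict(inv["actions"]))
    # Assumed supported set, from the thread: chain, skip, @pm and @pmFromFile.
    print("rely on other 2.x features:",
          sorted(rules_outside(inv["features"], {"chain", "skip", "parallel_match"})))
```

Run it against a real ruleset by reading the file into `parse_rules` instead of `SAMPLE_RULES`; the `rules_outside` result is the list to check against whatever the engine's documentation (or a test request) says is actually honoured. A rule that silently fails to load or match is the failure mode post #5 warns about, so treat any id in that list as unverified protection rather than as coverage.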
#10  02-02-2011, 10:37 PM
markb1439 (Senior Member; joined Nov 2009; 56 posts)
Quote:
Are you talking about "chain" and "skip" actions?
I just mean that we need the most comprehensive protection available.

I don't know all the terminology...can you tell me right now if LiteSpeed offers the same mod_security protection as Apache? If not, what features are missing? I am not trying to be a pest...this is a very important issue, and it is important to know which protections you are providing, and which ones you aren't.

Does anyone know if there are any modifications necessary to make the gotroot rules work with LSWS? I've heard various results.

Thanks,

Mark
© Copyright 2003-2011 LiteSpeed Technologies, Inc. All rights reserved.