06-11-2011, 09:53 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,585
Can you please send your rule set to bug@litespeedtech.... , we will evaluate and improve.

08-16-2011, 11:04 AM
Senior Member
Join Date: Jul 2009
Posts: 53
Have there been any updates to this?
This is becoming a problem and as far as I can see it's just being overlooked. I've got a fair amount of licenses but am tempted to just go back to Apache as basic security features don't appear to get the development time they deserve.

10-01-2011, 03:42 PM
Senior Member
Join Date: Nov 2009
Posts: 56
Quote:
This is becoming a problem and as far as I can see it's just being overlooked. I've got a fair amount of licenses but am tempted to just go back to Apache as basic security features don't appear to get the development time they deserve.

Same here. We see more and more hack attempts every day, and we need full mod_security support. I am a bit upset that we weren't told from the start that LiteSpeed's mod_security support is very incomplete. And now, even with Atomicorp doing all they can to help LiteSpeed implement it, it apparently still isn't there.
In today's climate, we need full support for mod_security. LiteSpeed may brag about their security features, but those features are ineffective if other threats are getting through because of the incomplete mod_security support.
LiteSpeed is very expensive considering the open source alternatives available. And LiteSpeed's support leaves a lot to be desired. For example, almost every other software company offers ticket-based or e-mail support. But with LiteSpeed, we must rely on forum-based support. And the answers in the forum are often cryptic and hard to follow. It is often hard to find the answers needed to properly configure and maintain LiteSpeed. So, on top of these issues, the security concerns are becoming a deal-breaker.
LiteSpeed, you will probably lose a lot of clients over this issue (including us) if you don't add real mod_security support ASAP.
Last edited by markb1439; 10-01-2011 at 03:44 PM..

10-02-2011, 06:21 PM
LiteSpeed Staff
Join Date: Sep 2009
Posts: 2,218
From 4.1, lsws already supports mod_security 2.5.
Please refer to the release log:
http://www.litespeedtech.com/litespe...lease-log.html
Although some features are not supported, for example PDF scan, core features like those in the latest gotroot rules are supported, and that's our target.
Since mod_security and the rules keep updating, we may miss something important. Please point out which features/rules are not supported by the latest lsws and we'll investigate.
The mod_security 2.5 engine is the most difficult part -- lsws has already included it since 4.1.

10-03-2011, 02:29 AM
Senior Member
Join Date: Nov 2009
Posts: 56
Thanks for the reply. According to the Atomicorp Wiki, LiteSpeed's mod_security 2.x support is still incomplete, at least as of a month or two ago:
http://www.atomicorp.com/wiki/index.php/Litespeed
Quote:
LiteSpeed has a proprietary closed implementation of mod_security, the WAF module we use in Apache. The LiteSpeed modsecurity implementation is not complete, does not support the full rule language, and is not fully compatible with modern mod_security rules. We recommend you contact Litespeed to confirm what they may or may not support in the modsecurity rule language.
The Litespeed modsecurity implementation is not the same or a "drop in" replacement for the real modsecurity module. It is also not fully compatible with modsecurity rules nor is the litespeed implementation complete. Therefore, all modern modsecurity rules will not work correctly or completely Litespeed. In some cases, they may not load, or if they load they may not even work as expected. We have provided Litespeed with our rules and free ASL licenses, and eagerly await the day when they will actually support modsecurity. As of August 2011, the LiteSpeed implementation is still reported to be incomplete. You can read more about this on the Litespeed forums:
http://www.litespeedtech.com/support...ht=modsecurity
As a result of this, Litespeed currently only supports 1.9.x features and a subset of 2.0 features. Our rules are built for modsecurity 2.6.1. 1.9.x was obsolete many years ago (and we retired the 1.9.x rules as a result many years ago). The current version of the modsecurity rule language is 2.6.x, which we fully support. Litespeed is working on some 2.6.x compatibility, but it is still not complete and it appears they do not intend to fully support the language. We encourage you to encourage LiteSpeed in their efforts to support the full mod_security rule language.

If this is true, even if you "support 2.5 rules," that does not mean that your implementation of mod_security is complete. Please clarify this further.
BTW, I am not trying to be negative. I just need to make sure we are fully protected. Atomicorp seems to be a reliable company, so I trust their facts. However, if I have the facts wrong, please enlighten me.
Last edited by markb1439; 10-03-2011 at 09:16 AM..

11-15-2011, 08:33 AM
Senior Member
Join Date: Nov 2009
Posts: 56
Hi Again,
Atomicorp still tells me that LiteSpeed does not fully support mod_security. Can LiteSpeed please supply complete details?
We are about to deploy additional servers, but we can't put LiteSpeed on them (or continue using it on our existing servers) if LiteSpeed cannot even tell us how much of mod_security is actually supported...and what functionality is missing.
Atomicorp is a respected expert on security, so if they say there is a problem, I believe it.
LiteSpeed, please provide a complete, honest, comprehensive answer about your mod_security support (what's included, what's missing, etc.). (This is my other complaint about LiteSpeed, that complete information is often hard to get...answers are often incomplete or vague.) LiteSpeed, please answer the mod_security issue completely.
Thanks,
Mark

11-16-2011, 08:23 AM
Senior Member
Join Date: Nov 2009
Posts: 56
@nitewave, thank you! This is exactly the kind of information I was looking for.
Mark

11-22-2011, 07:03 PM
New Member
Join Date: Nov 2011
Posts: 1
Hello, I'm considering setting up a new server with LiteSpeed right now (under cPanel/WHM)... What should I do to get excellent security? Thanks a lot!

11-30-2011, 07:03 PM
New Member
Join Date: Nov 2011
Posts: 3
A dynamic page that is normally delivered in 300 ms will take 20 seconds to load. It looks like mod_security requires the implementation to be optimized, or in some way pre-compiled.