A list of tested mod_security rulesets

Discussion in 'Feedback/Feature Requests' started by Monarobase, Feb 24, 2013.

  1. Monarobase

    Monarobase New Member

    Hello,

    You say that the latest version of litespeed has improved compatibility with gotroot rule set.

    When people ask what rules are compatible you say please inform us if you find any compatibility issues. I do not want to beta test for compatibiliy issues, I presume as you increased the compatibilty you tested a ruleset, could you please tell us exactly which one so we can run the tested ruleset.

    You also say that you do your best to keep up with mod_security compatibility.

    Would it be possible with each release of litespeed that improves mod_security compatibility to inform us what date of rulesets you tested ?

    Is litespeed compatible with got_root's mod security 2.7 rules ? (IE ASL 3.2.x)

    I think we would all like to have a litespeed tested ruleset with any rules that aren't compatible removed.

    From what I have read, Atomicorp would also like to have a documentation of what is compatible and what is not. They might even produce a litespeed compatible ruleset if you would give them the information they need to do it.

    I've given up with their T-WAF because there were too many issues and it doesn't make sense to run Apache in front of Litespeed.

    You are working hard on making ASL compatible with the gotroot ruleset, could you please publish your internal compatibiliy test results as well as the rules that you tested ?

    Thanks
  2. sahostking

    sahostking New Member

    I'd also like to know if possible.

    or if anyone else could inform me what they are using and that is working would be great.
  3. uchsam

    uchsam New Member

    Hello,

    I would also be interested in getting some concrete information on what actually works.

    We tried atomic ruleset on cPanel + Litespeed but came across so many errors on that.
  4. stormy

    stormy Member

    I would like to know this as well. Is there any official confirmation? Any ruleset that's working correctly?
  5. NiteWave

    NiteWave Administrator

  6. stormy

    stormy Member

  7. NiteWave

    NiteWave Administrator

    we support the paid version -- many our users are now running it and working fine, although not good as apache, as stated in previous post. and we've been working on it to support any new rules after reviewing/investiagting them.
  8. stormy

    stormy Member

    That's good to know.

    So - how should I use the paid rules then? They insist that you need either a WAF or their ASL product, and they won't support any other configuration.

    Can you add some documentation on how to install their rules and keep them upgraded?

    I hope progress is made towards full compatibility soon :)
  9. NiteWave

    NiteWave Administrator

    https://www.atomicorp.com/wiki/index.php/ASL_WAF
    maybe refer
    1) Embedded mode
    2) Transparent/Proxy mode (T-WAF)

    then it's 1) Embedded mode

    you can set up apache first, install the mod_security module, make sure gotroot rules works. in the end, install litespeed. it'll read and parse the apache's httpd.conf including mod_security rules.
  10. stormy

    stormy Member

    For reference, this is their official stance:
    https://www.atomicorp.com/wiki/index.php/Litespeed

    Here's some select quotes (bold is mine):

    That doesn't inspire a whole lot of confidence :)

    It seems that the Litespeed team and the Atomicorp team are at odds somehow. It would be great for everyone involved if you could find a way to work together and bring full mod_security support to Litespeed.
    Last edited: Oct 24, 2013
  11. Michael

    Michael Administrator Staff Member

    Hi Stormy,

    There are definitely things we would like to improve about our ModSecurity support. This has become a main focus for us and will continue to be in the near future
  12. stormy

    stormy Member

    It's good to hear that, especially now that the free rules have been discontinued. Thanks!
  13. Michael

    Michael Administrator Staff Member

  14. stormy

    stormy Member

    Michael, that is fantastic news! I'm already an Atomicorp rules user, and it's great that rule support keeps improving. I'm still looking for a way to block brute force attacks against Wordpress and Joomla, but it seems it can't be done without ASF.
  15. NiteWave

    NiteWave Administrator

    one user told us(on Feb.26) following rules works well:
    Code:
    <LocationMatch /wp-login.php>
    # only match posts
    SecRule REQUEST_METHOD "(^POST$)" "chain,id:'1303701',rev:'1',phase:1,deny,status:403,msg:'Too many requests'"
    #set ip pagecount and expiry of 30 s
    SecAction "nolog,noauditlog,initcol:IP=%{REMOTE_ADDR},setvar:IP.pagecount=+1,expirevar:IP.pagecount=300,chain,t:none"
    #pass if pagecount > 5
    SecRule IP:PAGECOUNT "@gt 5" ""
    </LocationMatch>
    FYI
  16. bettinz

    bettinz Member

    I'm using comodo rules since they started, and it works great.
    They have different rules for apache and litespeed, and a plugin for cpanel..for free :)
    waf.comodo.com
  17. wanah

    wanah Member

    I'm very interested by comodo's ruleset, haven't actually tried them yet as some people had issues with the first versions.

    https://forums.comodo.com/free-mods...b-application-firewall-b223.0/-t102938.0.html

    Very nice that comodo should actually try and make their product compatible with litespeed instead of atomi's approach to say litespeed must try and keep up with them.

    I tried the paid version of atomicorp's ruleset and while they fixed issues very quickly when they were reported, there were so many issues and such a high ressource usage that we abandonned them all together. We even tried their T-WAF but it would crash sometimes without warning and without restarting.

    I believe litespeed should start looking at other solutions, now there is nolonger a free ruleset, Comodo's ruleset seems like a very good alternative.
  18. stormy

    stormy Member

    Thanks for all the info! I will be considering Comodo as well, when my Atomicorp subscription runs out.

    Any ideas to protect Joomla against brute force attacks? All the rules I have found use output analysis, which is not available.
  19. Michael

    Michael Administrator Staff Member

    Howdy @wanah ,

    We will continue to work with both companies and whoever else wants to lend their expertise to the cause.

    I would just like to make clear that Atomicorp has put serious hard work into figuring out what parts of their ModSecurity rules LSWS will not work with (and making that clear to their users). In the same vein, we are thankful to Comodo for choosing to expend the effort required to maintain a separate ruleset. At the moment, I believe there can be no objective determinations as to which ruleset provides better security, but it is not like one company is working harder than the other.

    This process is still in its childhood and the most important step in this process is the next one: Working with these companies to isolate which areas of LSWS need improvement and improving said areas. Atomicorp has been very helpful so far with their advice and collaboration.

    m
    stormy likes this.
  20. bettinz

    bettinz Member

    I've found a problem with this code (and with Location or Location Match); this problem is not happening with Apache, but only with Litespeed.
    If my wordpress site is www.test.com, after x failed login i'm blocked -> OK.
    If my wordpress site is www.test.com/wp (or any subdirectory) the rule doesn't work, and I can try unlimited time without blocks.

    Can you check this thing for 4.2.8? Thanks :)

Share This Page