How to use Mod Security & ClamAV with Litespeed 4.0

Discussion in 'General' started by grniyce, May 14, 2009.

  1. grniyce

    grniyce New Member

    PLEASE REMEMBER TO RATE THIS THREAD SO IT WILL GAIN STICKY STATUS AND REMAIN A CONSTANT THREAD OF ASSISTANCE. THANK YOU.

    I believe this post will help the greater LSWS community of users. Over and over I see many people asking the same questions, and multiple duplicates throughout the forum. For this reason I am compiling those queries into this thread in the hopes that a few of you Subject Matter Experts may help us.

    FIRST: PEOPLE WISH TO KNOW HOW TO FULLY INTEGRATE MOD_SECURITY 2.5.X INTO LSWS WITH LOGGING THAT WORKS.

    I have added the following line into httpd.conf, which is used by LSWS:
    Code:
    Include "/usr/local/apache/conf/modsec2.conf"
    Having already built mod_security within the Easy Apache build prior to building matching php in LSWS and then switching to LSWS; it has come with the default mod_security rules.

    modsec2.conf
    Code:
    LoadFile /opt/xml2/lib/libxml2.so
     LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module  modules/mod_security2.so
    <IfModule mod_security2.c>
    SecRuleEngine On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf 
    #  "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On 
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log 
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec2.user.conf"
    </IfModule>
    modsec2.user.conf (see attachment for default rules)

    ::::: Now I can only assume most people use CSF :::::

    You will see from the two illustrations below that mod security is installed and integrated with CSF, however, when you click to view the log, nothing is showed.

    How can this be fixed?

    [​IMG]
    [​IMG]

    Here are screenshots of the LSWS Admin Console for logging and request filter. Please advise if anything needs to be set there to properly incorporate better logging and/or mod_security integration:

    [​IMG]


    ::::: Now on to the final topic :::::

    I have ClamAV included, however I do not believe it has been properly integrated to process all files received or perhaps uploaded through ftp -> through -> the mod_security rules, and logged. To make a long story short. Let's say I have a few erroneous shell scripts. I can presently upload them via ftp to one of my sites. I do not want anyone to be allowed to do this, as my computer antivirus has to be shut off just to download them, however my server allows them to be uploaded, which no one wants. Here are some screenshots:

    [​IMG]

    FTP SHELL UPLOADED (THIS IS A SAFE MODE BYPASS SHELL)
    [​IMG]

    HERE IS THE RESPONSE OF THE SHELL BEING STOPPED DUE TO PHP FUNCTIONS BEING DISABLED, BUT I WOULD LIKE THIS TO BE STOPPED PRIOR TO BEING UPLOADED, AND LOGGED IN MOD_SECURITY, CAUGHT BY CLAMAV, AND LOGGED ALSO FOR THAT ADDED PROTECTION, AS WELL AS BEING USEFUL TO LEGALLY PROSECUTE THOSE WHOM ARE ATTEMPTING TO CRACK MY SERVER.
    [​IMG]

    For those of you whom do not have a proficient list of php functions to disable in "usr/local/lib/php.ini" - build matching php in lsws - or add to "usr/local/lsws/php/php.ini" ----- I have provided them here:

    Code:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,hell-exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,shell_exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsidposix_setuid,show_source
    another good one to add is "ini_set", however I am using a constantly updating shoutcast radio script, so I do not have that in my list. If you don't have such a need, simply add ----> ,ini_set to the list.

    In closing I am hoping some of you Master System Admins can help us less knowledgeable individuals secure our servers by providing some helpful responses to my requests above.

    Sincerely,

    Anthony

    Attached Files:

    Last edited: May 14, 2009
  2. mistwang

    mistwang LiteSpeed Staff

    First, please upgrade to 4.0.3,
    Second, add a testing mod_security rule,
    third, try to hit the testing rule with a crafted request
    fourth, checklogs/modsec_audit.log
  3. grniyce

    grniyce New Member

    Thank you.
    Last edited: Jun 29, 2009
  4. mistwang

    mistwang LiteSpeed Staff

    You should not use chroot with a hosting control panel unless the control panel support chroot.

    For the security rule, if you want to block something like a URL "/blabla"

    Just add a rule in modsec2.user.conf like
    SecRule REQUEST_URI "/blabla"

    then create a file to serve url "/blabla". remember, if file not found (404), LSWS will not go through the security rules.

    then hit the URL, you will see 406 response, means that the request was blocked by security rule. check the audit_log, it should be logged.
  5. grniyce

    grniyce New Member

    thank you this seems to work pretty well, however I get an error 403 when I click it but at least things are being blocked now.

Share This Page