LSWS and Mod_security

Discussion in 'General' started by Mask, Aug 22, 2013.

  1. Mask

    Mask New Member

    Hello,

    I am currently using a trial license and I am looking forward to getting a 1CPU license for my server. I have been using Varnish (via Unixy plugin) and mod_security (with latest rules from ASL) till now and they have been working just fine. But I do see that with LSWS, the site is loading a bit quicker and especially with more concurrent users, it's looking great.

    However, since the site gets attacked often, I need to use mod_security on it. But reading all the threads here I am getting really worried. Is LSWS not compatible with Mod_security? Most people seem to have issues with it? On my trial setup, every time I restart LSWS I get this message in log viewer
    And that's when I don't have any ASL rules. (just compiled it via easyapache).

    So, before I go purchase the license, please let me know if I can use mod_security rules from ASL just like I will use them with Apache. (I am using LSWS with cPanel).

    Thanks
    Mask
  2. mistwang

    mistwang LiteSpeed Staff

  3. Mask

    Mask New Member

    Thank you so much. That's what I wanted to know, that I will get help to get things working :)
    ....
    Ok here is the first one. I am using cP/WHM with PHP 5.3.27 and Latest mod_security and paid rules from Atomic Secure Linux. (Using CSF and CMC from ConfigServer)
    With Apache, everything works fine.

    When I switch to LSWS, I cannot log in to WP-Admin; it gives a 403 error with the message.
    Code:
    [26/Aug/2013:19:42:08 -0700] - 192.168.1.1 60361 127.0.0.1:80 80
    --48f01da6-B--
    POST /wp-login.php HTTP/1.1
    Host: example.com
    Connection: keep-alive
    Content-Length: 112
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Origin: http://example.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Referer: http://example.com/wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Cookie: __qca=P0-1998578287-1377539979392; __gads=ID=841d9ef778d9942e:T=1377539981:S=ALNI_MYZP_0llAHJra_iI-M9ppW_xeKMvQ; bb_; bb_lastvisit=1377539989; bb_lastactivity=0; PHPSESSID=a01d5a5526e29f53ea5f82142518629b; _ga=GA1.2.522719876.1377539978; __utma=160960380.522719876.1377539978.1377539978.1377544922.2; __utmc=160960380; __utmz=160960380.1377539978.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wordpress_test_cookie=WP+Cookie+check
    
    --48f01da6-F--
    HTTP/1.1 403 Forbidden
    
    --48f01da6-H--
    Message: [client 192.168.1.1] mod_security: Access denied with code 403, [Rule: 'TX:0' '!^%{tx.allowed_request_content_type}$'] [ID "391213"] [Msg "Atomicorp.com WAF Rules: Request content type is not allowed by policy"] [severity "WARNING"] [MatchedString "application/x-www-form-urlencoded"]
    
    With Apache, CMC actually will report which rule file it is (for any alert). With LSWS, it gives no such info. I have to use grep to find out which files have rule ID 391213.
    In this case, there were two files: 01_asl_content.conf and waf_classes.conf
    I removed 01_asl_content.conf and I was able to log in to WP-Admin.

    I can provide 01_asl_content.conf if needed.

    Please help. I have changed actual domain with example.com, my (client) IP with 192.168.1.1 and server IP with 127.0.0.1 above.
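The lookup described in the post above (take the rule ID from the audit log's H section, then search the rule files for it), as an added example that is not part of the original thread. The rule file contents below are constructed stand-ins for the two files named in the post, and the helper names are hypothetical; only the file names, the log line and ID 391213 come from the page.

```python
import re
import tempfile
from pathlib import Path

# H-section line from the post, with the [Rule: ...] field dropped for brevity.
AUDIT_H = ('Message: [client 192.168.1.1] mod_security: Access denied with code 403, '
           '[ID "391213"] [Msg "Atomicorp.com WAF Rules: Request content type is not '
           'allowed by policy"] [severity "WARNING"] '
           '[MatchedString "application/x-www-form-urlencoded"]')

# Constructed stand-ins: the real contents of these files are not on the page.
SAMPLE_RULES = {
    "01_asl_content.conf": 'SecRule TX:0 "!^%{tx.allowed_request_content_type}$" \\\n'
                           '    "phase:2,deny,status:403,id:391213,severity:4"\n',
    "waf_classes.conf": '# id:391213 mentioned in a comment only\n'
                        'SecRuleUpdateActionById 391213 "pass"\n',
    "other.conf": 'SecRule ARGS "@rx x" "phase:2,deny,id:3912130"\n',
}

def parse_denial(line):
    """Pull the bracketed key/value fields out of an audit-log Message line."""
    fields = dict(re.findall(r'\[(ID|Msg|severity|MatchedString) "([^"]*)"\]', line))
    return fields if "ID" in fields else None

def classify(text, rule_id):
    """'defines' for an id:<n> action, 'references' for *ById directives/ctl actions."""
    rid = re.escape(rule_id)
    if re.search(r"""\bid:\s*['"]?%s\b""" % rid, text):
        return "defines"
    if re.search(r"\b\w*ById\b.*\b%s\b" % rid, text):
        return "references"
    return None

def find_rule_files(rules_dir, rule_id):
    """Return {file name: [(line number, kind)]}, ignoring commented-out lines."""
    hits = {}
    for conf in sorted(Path(rules_dir).glob("*.conf")):
        for n, text in enumerate(conf.read_text(errors="replace").splitlines(), 1):
            kind = None if text.lstrip().startswith("#") else classify(text, rule_id)
            if kind:
                hits.setdefault(conf.name, []).append((n, kind))
    return hits

def demo():
    denial = parse_denial(AUDIT_H)
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_RULES.items():
            Path(d, name).write_text(body)
        return denial, find_rule_files(d, denial["ID"])
```

Separating "defines" from "references" shows which of several matching files actually holds the rule, and the word-boundary match keeps longer IDs such as 3912130 out of the results.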
  4. mistwang

    mistwang LiteSpeed Staff

    Yes, please send a copy of 01_asl_content.conf to bug@litespeed... or attach to a PM to me.
  5. mistwang

    mistwang LiteSpeed Staff

    Also, we need the whole request that triggers it.

    The easiest way is to use Chrome Tools -> "Developer Tools". Click the "Network" tab, locate the request URL, right-click, then select "Copy as cURL". Paste it into a text file, then send it to us.

    It does not matter whether the offending rule has been commented out or not.
  6. mistwang

    mistwang LiteSpeed Staff

    We will try the request data in the log first. Maybe it will work.
  7. Mask

    Mask New Member

    Thanks a lot for your prompt response. :)
    I tried to send you a PM but couldn't figure out how to attach the file. Sent you an email instead.

    I'll be happy to provide any other info to get it sorted.
  8. mistwang

    mistwang LiteSpeed Staff

    Issue fixed with the latest 4.2.4 build. Please do a force reinstall from the web console or with the command

    /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.4
  9. stormy

    stormy Member

    Can you confirm then that these rules work with Litespeed 4.2.4? That would be great!
