mod_security is not running ?
- Thread starter vivek
- Start date
/opt/lsws/bin/lswsctrl stop
service httpd start
I tried to access a blocked website and my IP got banned instantly
After releasing IP through a proxy website,
service httpd stop
/opt/lsws/bin/lswsctrl restart
Again I accessed the same website and the IP is NOT blocked.
That means, litespeed is not working with mod security and
httpd.conf is not altered.
What will do ?
httpd.conf starting...
Include "/usr/local/apache/conf/includes/pre_main_global.conf"
Include "/usr/local/apache/conf/includes/pre_main_1.conf"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Direct modifications to the Apache configuration file may be lost upon subsequent regeneration of the #
# configuration file. To have modifications retained, all modifications must be checked into the #
# configuration system by running: #
# /usr/local/cpanel/bin/apache_conf_distiller --update #
# To see if your changes will be conserved, regenerate the Apache configuration file by running: #
# /usr/local/cpanel/bin/build_apache_conf #
# and check the configuration file for your alterations. If your changes have been ignored, then they will #
# need to be added directly to their respective template files. #
# #
# This configuration file was built from the following templates: #
# /var/cpanel/templates/apache1/main.default #
# /var/cpanel/templates/apache1/main.local #
# /var/cpanel/templates/apache1/vhost.default #
# /var/cpanel/templates/apache1/vhost.local #
# /var/cpanel/templates/apache1/ssl_vhost.default #
# /var/cpanel/templates/apache1/ssl_vhost.local #
# #
# Templates with the '.local' extension will be preferred over templates with the '.default' extension. #
# The only template updated by the apache_conf_distiller is main.default. #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LoadModule auth_passthrough_module libexec/mod_auth_passthrough.so
LoadModule bwlimited_module libexec/mod_bwlimited.so
LoadModule evasive_module libexec/mod_evasive.so
LoadModule security_module libexec/mod_security.so
LoadModule jk_module libexec/mod_jk.so
LoadModule bytes_log_module libexec/mod_log_bytes.so
Include "/usr/local/apache/conf/modsec.conf"
Include "/usr/local/apache/conf/php.conf"
Include "/usr/local/apache/conf/jk.conf"
---------------------------
See, Include "/usr/local/apache/conf/modsec.conf" is there and loading fine with Apache
Now,
nano /usr/local/apache/conf/modsec.conf
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature "Apache Super Server"
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:403"
## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##
####################################
# FRONTPAGE
####################################
SecFilterSelective THE_REQUEST "/forum/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/adm/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/index\.php" pass
SecFilterSelective THE_REQUEST "/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/index\.php" pass
SecFilterSelective THE_REQUEST "/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/g00d/" deny
-----------------------------------------------------------
ok , please take a look into the last line and that was my block rule
SecFilterSelective THE_REQUEST "/g00d/" deny
If the address bar contains any string like g00d then the IP will be blocked.
Ok, now tell me.
When I start httpd and stop litespeed ,then the mod security is working and blocking the IP when someone access the url.
Then, when I disabled httpd and enabled litespeed , then I saw that the mod security is not disabling the IP.
This is what I said. Hope you understand , If you need more info, please specify.
Regards
Include "/usr/local/apache/conf/includes/pre_main_global.conf"
Include "/usr/local/apache/conf/includes/pre_main_1.conf"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Direct modifications to the Apache configuration file may be lost upon subsequent regeneration of the #
# configuration file. To have modifications retained, all modifications must be checked into the #
# configuration system by running: #
# /usr/local/cpanel/bin/apache_conf_distiller --update #
# To see if your changes will be conserved, regenerate the Apache configuration file by running: #
# /usr/local/cpanel/bin/build_apache_conf #
# and check the configuration file for your alterations. If your changes have been ignored, then they will #
# need to be added directly to their respective template files. #
# #
# This configuration file was built from the following templates: #
# /var/cpanel/templates/apache1/main.default #
# /var/cpanel/templates/apache1/main.local #
# /var/cpanel/templates/apache1/vhost.default #
# /var/cpanel/templates/apache1/vhost.local #
# /var/cpanel/templates/apache1/ssl_vhost.default #
# /var/cpanel/templates/apache1/ssl_vhost.local #
# #
# Templates with the '.local' extension will be preferred over templates with the '.default' extension. #
# The only template updated by the apache_conf_distiller is main.default. #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
LoadModule auth_passthrough_module libexec/mod_auth_passthrough.so
LoadModule bwlimited_module libexec/mod_bwlimited.so
LoadModule evasive_module libexec/mod_evasive.so
LoadModule security_module libexec/mod_security.so
LoadModule jk_module libexec/mod_jk.so
LoadModule bytes_log_module libexec/mod_log_bytes.so
Include "/usr/local/apache/conf/modsec.conf"
Include "/usr/local/apache/conf/php.conf"
Include "/usr/local/apache/conf/jk.conf"
---------------------------
See, Include "/usr/local/apache/conf/modsec.conf" is there and loading fine with Apache
Now,
nano /usr/local/apache/conf/modsec.conf
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature "Apache Super Server"
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:403"
## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##
####################################
# FRONTPAGE
####################################
SecFilterSelective THE_REQUEST "/forum/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/adm/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/index\.php" pass
SecFilterSelective THE_REQUEST "/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/index\.php" pass
SecFilterSelective THE_REQUEST "/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/g00d/" deny
-----------------------------------------------------------
ok , please take a look into the last line and that was my block rule
SecFilterSelective THE_REQUEST "/g00d/" deny
If the address bar contains any string like g00d then the IP will be blocked.
Ok, now tell me.
When I start httpd and stop litespeed ,then the mod security is working and blocking the IP when someone access the url.
Then, when I disabled httpd and enabled litespeed , then I saw that the mod security is not disabling the IP.
This is what I said. Hope you understand , If you need more info, please specify.
Regards
I am using the 15 days trial version and I think its Enterprise
I again confirmed this and found that the litespeed installed on my server is not working with mod securityt.
When I start apache, around 10 IPs are blocking per 10 minutes and when I stop httpd and start litespeed, no IPs are blocking.
I again confirmed this and found that the litespeed installed on my server is not working with mod securityt.
When I start apache, around 10 IPs are blocking per 10 minutes and when I stop httpd and start litespeed, no IPs are blocking.
Hello
I am trying to apply the mod security rules to the Request Filer option in litespeed admin panel.
Anybody tell me what will I enter in the Rules Definition column for this code ?
SecFilterSelective THE_REQUEST "/forum/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/adm/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/index\.php" pass
SecFilterSelective THE_REQUEST "/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/Long/" deny
SecFilterSelective THE_REQUEST "/Short/" deny
SecFilterSelective THE_REQUEST "/No/.exe" deny
SecFilterSelective THE_REQUEST "/short/" deny
I am trying to apply the mod security rules to the Request Filer option in litespeed admin panel.
Anybody tell me what will I enter in the Rules Definition column for this code ?
SecFilterSelective THE_REQUEST "/forum/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/adm/index\.php" pass
SecFilterSelective THE_REQUEST "/forum/index\.php" pass
SecFilterSelective THE_REQUEST "/admin/index\.php" pass
SecFilterSelective THE_REQUEST "/Long/" deny
SecFilterSelective THE_REQUEST "/Short/" deny
SecFilterSelective THE_REQUEST "/No/.exe" deny
SecFilterSelective THE_REQUEST "/short/" deny
You have a security rule
If you request http://your.domain/g00d/...., if the corresponding file does not exist, Apache will return 403 access denied, while LSWS will return 404 not found. it is as designed, as 404 will not result in any security problem, why waste time on checking it against the filter.
Code:
SecFilterSelective THE_REQUEST "/g00d/" deny
Last edited: