mod_security

Discussion in 'General' started by markb1439, Jan 23, 2011.

  1. NC-Designs

    NC-Designs New Member

    I have PMed you my email, please could you get back to me on that address so I can provide you with a login so you could take a look?

    Regards,
    Chris
  2. sux0r

    sux0r New Member

    I get these errors with the latest gotr00t rule set which I tried.

    20_asl_useragents.conf
    00_asl_rbl.conf
    10_asl_rules.conf

    o_O
  3. NC-Designs

    NC-Designs New Member

    Yeah I get the Location match authType errors that you are getting.
  4. NiteWave

    NiteWave Administrator

    Please confirm if it's the latest 4.1?
    Last-Modified: Tue, 03 May 2011
  5. NC-Designs

    NC-Designs New Member

    Yep, Tuesday 3rd May. Just a quick screenie of the errors I'm getting too.
  6. sux0r

    sux0r New Member

    Even with the first 4.1 build I'm getting the errors.
    I didn't bother much about it. :)
  7. mistwang

    mistwang LiteSpeed Staff

    The <LocationMatch> issue should be addressed in our 4.1.1 release when you put security rules in the native LSWS configuration.

    However, for vhost configured through httpd.conf, you should configure mod_security through httpd.conf as if Apache is used.
  8. sux0r

    sux0r New Member

    Configured ModSec from httpd.conf
    And the <LocationMatch> errors disappeared.

    These are the errors now, which are regarding 10_asl_rules.conf
    from the GotRoot rule set.
  9. optize

    optize New Member

    No update?
  10. chernann

    chernann New Member

    Gotroot 2.5 modsecurity processing in Litespeed

    I signed up for a gotroot subscription and tried the rules as suggested for a cpanel installation, i.e. a relatively light rule set.

    While most rules parsed OK, performance on the server was significantly degraded; a normal dynamic page that delivered in 300 milliseconds would take 20 seconds to load. It looks like the mod security implementation needs to be optimized or precompiled in some way, or an Apache reverse proxy run in front of LiteSpeed.
  11. mistwang

    mistwang LiteSpeed Staff

    Can you please send your rule set to bug@litespeedtech.... , we will evaluate and improve.
  12. DanEZPZ

    DanEZPZ New Member

    Have there been any updates to this?

    This is becoming a problem and as far as I can see it's just being overlooked. I've got a fair amount of licenses but am tempted to just go back to Apache as basic security features don't appear to get the development time they deserve.
  13. markb1439

    markb1439 New Member

    Same here. We see more and more hack attempts every day, and we need full mod_security support. I am a bit upset that we weren't told from the start that LiteSpeed's mod_security support is very incomplete. And now, even with Atomicorp doing all they can to help LiteSpeed implement it, it apparently still isn't there.

    In today's climate, we need full support for mod_security. LiteSpeed may brag about their security features, but those features are ineffective if other threats are getting through because of the incomplete mod_security support.

    LiteSpeed is very expensive considering the open source alternatives available. And LiteSpeed's support leaves a lot to be desired. For example, almost every other software company offers ticket-based or e-mail support. But with LiteSpeed, we must rely on forum-based support. And the answers in the forum are often cryptic and hard to follow. It is often hard to find the answers needed to properly configure and maintain LiteSpeed. So, on top of these issues, the security concerns are becoming a deal-breaker.

    LiteSpeed, you will probably lose a lot of clients over this issue (including us) if you don't add real mod_security support ASAP.
    Last edited: Oct 1, 2011
  14. NiteWave

    NiteWave Administrator

    From 4.1, LSWS already supports mod_security 2.5.
    Please refer to the release log:
    http://www.litespeedtech.com/litespeed-web-server-release-log.html

    Although some features are not supported, for example PDF scan, core features like those in the latest gotroot rules are supported, and that's our target.

    Since mod_security and its rules keep updating, we may miss something important. Please point out which features/rules are not supported by the latest LSWS and we'll investigate.

    The mod_security 2.5 engine is the most difficult part -- LSWS has already included it since 4.1.
  15. markb1439

    markb1439 New Member

    Thanks for the reply. According to the Atomicorp Wiki, LiteSpeed's mod_security 2.x support is still incomplete, at least as of a month or two ago:

    http://www.atomicorp.com/wiki/index.php/Litespeed

    If this is true, even if you "support 2.5 rules," that does not mean that your implementation of mod_security is complete. Please clarify this further.

    BTW, I am not trying to be negative. I just need to make sure we are fully protected. Atomicorp seems to be a reliable company, so I trust their facts. However, if I have the facts wrong, please enlighten me.
    Last edited: Oct 3, 2011
  16. markb1439

    markb1439 New Member

    Hi Again,

    Atomicorp still tells me that LiteSpeed does not fully support mod_security. Can LiteSpeed please supply complete details?

    We are about to deploy additional servers, but we can't put LiteSpeed on them (or continue using it on our existing servers) if LiteSpeed cannot even tell us how much of mod_security is actually supported...and what functionality is missing.

    Atomicorp is a respected expert on security, so if they say there is a problem, I believe it.

    LiteSpeed, please provide a complete, honest, comprehensive answer about your mod_security support (what's included, what's missing, etc.). (This is my other complaint about LiteSpeed, that complete information is often hard to get...answers are often incomplete or vague.) LiteSpeed, please answer the mod_security issue completely.

    Thanks,

    Mark
  17. NiteWave

    NiteWave Administrator

  18. markb1439

    markb1439 New Member

    @nitewave, thank you! This is exactly the kind of information I was looking for.

    Mark
  19. MattEvans

    MattEvans New Member

    Hello, I'm considering setting up a new server with LiteSpeed right now (under cPanel/WHM)... What should I do to get excellent security? Thanks a lot!
  20. yingxuy

    yingxuy New Member

    300 ms in the normal delivery of a dynamic page, will take 20 seconds to load. It looks like the MOD security required to optimize the implementation, or in some way pre-compiled.
