Request Filter

Discussion in 'Install/Configuration' started by vivek, Feb 19, 2008.

  1. vivek

    vivek New Member

    Hello

    I used Mod_Security with CS Firewall. The firewall will block the IP instantly when the mod security rule is encountered.

    Although CSF can't read litespeed log, so it will not block the IPs even if we have mod_security installed.

    Ok, I know that there is an inbuilt mod_security in Lsws called Request filter. But I don't know how to use it.

    Mod, Please tell me an example.

    I want to block

    www.anydomain.com/proxy/index.php

    Means, I want to show 500 or 404 or some other error when a user accesses /proxy/index.php or simply /proxy via web browser, even if the folder/file exists

    Please tell me how to write code in Request Filter tab in Admin area?


    Also, tell me what is the Log Level ?

    Any help is appreciated.

    Regards
  2. mistwang

    mistwang LiteSpeed Staff

    LSWS request filter is our implementation of mod_security; it uses mod_security 1.9 rules.
    If you use LiteSpeed + cPanel, security rules have to be configured from httpd.conf, the original mod_security rules should work just fine. Just do not expect LSWS to block any request that results in 404.
  3. vivek

    vivek New Member

    Hi
    I am using mod_security 1.9 rule set

    I just added a rule via Admin panel


    Name : Proxy
    Action: deny,log,status:403
    Enabled : Yes
    Rules Definition :

    SecFilterSelective THE_REQUEST "/proxy/index\.php"


    And saved, restarted lsws

    But I still can take www.website.com/proxy/index.php or simply www.website.com/proxy/

    It is supposed to block those requests.


    Vivek
  4. vivek

    vivek New Member

    mistwang, please tell me a rule for blocking "/proxy/index.php" request.
  5. xing

    xing LiteSpeed Staff

    SecFilterSelective REQUEST_URI "^/proxy"

    Should work. Note that if /proxy doesn't exist, lsws will not block 404 requests. The above should block anything with yourdomain.com/proxy*
  6. vivek

    vivek New Member

    Hi there!

    I added the above with deny,log,status:403

    Still not working

    www.mysite.com/proxy/ is opening fine.

    Any suggestion?
  7. vivek

    vivek New Member

    mistwang and xing, I sent you a PM with my login info.
    Please help me

    Thanks
  8. vivek

    vivek New Member

    Any documentation/wiki about Request Filter?
  9. mistwang

    mistwang LiteSpeed Staff

    Put the security rule in your httpd.conf
  10. vivek

    vivek New Member

    I tried that too.

    As far as I know, lsws can't follow modsecurity rules.
    I sent you my username and password. Please install at least 1 rule for blocking a single request, "/proxy/ "

    Thanks
  11. vivek

    vivek New Member

    Hi mistwang,

    Thank you for fixing the modsecurity issues. It started working for me.

    But just now I realized that most of the rules aren't working.
    Some rules are working, but some are not working.
    The same rule is working fine with apache.

    mistwang, do you have any set of modsecurity working rules with you? Or can you recommend one which can work with lsws?

    Vivek
  12. mistwang

    mistwang LiteSpeed Staff

    Please post the rules that do not work.
  13. vivek

    vivek New Member

    Hello

    When I switch to Apache, I am getting a lot of IP blocked mails from CSF, because of Mod_sec rules, but when I switch to litespeed, I am not getting any such mails, just 2 or 3 mails only.

    You will not believe, but now I switched to apache and I got around 50+ IP block mails since 1 hr. lol

    Do you want to see the modsec rule I am using? I am sure a lot of rules are still not compatible with litespeed; it is modsec 1.9 rules.

    Vivek
  14. mistwang

    mistwang LiteSpeed Staff

    Can you please go through the audit log and check how many rules result in 404 and how many do not.
  15. vivek

    vivek New Member

    Why doesn't litespeed block 404 hacking attempts like apache, and let CSF block that IP?

    Vivek
  16. vivek

    vivek New Member

    [root@monster logs]# tail -f audit_log
    [client 201.234.30.130] mod_security: Access denied with code 403, [Rule: '(null)' '(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])'][client 74.50.11.40] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI' '=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?'][client 74.50.11.40] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI' '=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?'][client 74.50.11.40] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI' '=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?']
  17. vivek

    vivek New Member

    I see, LiteSpeed's audit log is not in such a proper format. Is it because of this that CSF is not working with every request?

    There are no 404 errors, only 403, but csf is not blocking those IPs.
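
The audit_log output pasted above shows denial entries running together with no line break between them, which a line-oriented log watcher cannot split. As an added example (not from the thread, and not LiteSpeed or CSF code), this Python sketch splits such text on the `[client <ip>] mod_security:` header and counts 403 denials per IP; `parse_audit`, `offenders`, the threshold and the sample data are assumptions made for illustration.

```python
import re
from collections import Counter

# Every entry starts with "[client <ipv4>] mod_security:".
HEADER = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})\] mod_security:")
# Body: status code, then rule variable and rule pattern in single quotes.
# The greedy (.*) runs to the final "']" because a pattern may contain ] or '.
BODY = re.compile(
    r"\s*Access denied with code (\d{3}), \[Rule: '([^']*)' '(.*)'\]\s*$", re.S)

def parse_audit(text):
    """Split audit_log text into entries, with or without newlines between them."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = BODY.match(text[head.end():end])
        if body is None:
            continue  # unrecognised body: skip it rather than guess
        entries.append({"ip": head.group(1), "status": int(body.group(1)),
                        "variable": body.group(2), "pattern": body.group(3)})
    return entries

def offenders(entries, threshold=3, status=403):
    """Return IPs with at least `threshold` denials (threshold is an assumption)."""
    hits = Counter(e["ip"] for e in entries if e["status"] == status)
    return sorted(ip for ip, count in hits.items() if count >= threshold)

# Constructed sample (documentation IPs, shortened patterns): the first two
# entries are run together as in the pasted output, the rest end in a newline.
SAMPLE = (
    "[client 203.0.113.7] mod_security: Access denied with code 403, "
    "[Rule: '(null)' '(cmd|command)=.*(wget |rm \\-[a-z|A-Z])']"
    "[client 198.51.100.9] mod_security: Access denied with code 403, "
    "[Rule: 'REQUEST_URI' '^/proxy']"
    "[client 198.51.100.9] mod_security: Access denied with code 403, "
    "[Rule: 'REQUEST_URI' '^/proxy']\n"
    "[client 198.51.100.9] mod_security: Access denied with code 403, "
    "[Rule: 'REQUEST_URI' '^/proxy']\n"
)

if __name__ == "__main__":
    parsed = parse_audit(SAMPLE)
    for entry in parsed:
        print(entry["ip"], entry["status"], entry["variable"], entry["pattern"])
    print("block candidates:", offenders(parsed))
```

Splitting on the header instead of on `]` matters because the rule patterns themselves contain brackets and quotes.
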
  18. mistwang

    mistwang LiteSpeed Staff

    The audit_log format should be fixed in the latest 3.3.9 release.
