[solved] Modsecurity

Discussion in 'Apache Migration/Compatibility' started by Will Harrison, May 27, 2014.

  1. Will Harrison

    Will Harrison New Member

    Hi all,

    We are new to Litespeed, and have installed on a server with CPanel using the plugin. All gone well apart from Mod_security acting strangely.

    We have commercial ASL rule set. I found I had to remove some of the rules based on errors when litespeed started. This I expected (file uploads etc).

    However it still seemed a 406 could not be triggered with an obvious attack URL which I know would normally work. I therefore tried putting a rule in ahead of the ASL modsec rules. This time the 406 could be triggered. So I started removing ASL rules based on the order they loaded. I found the cure was emptying the whitelist.txt which was being loaded by

    SecRule REMOTE_ADDR "@ipMatchFromFile whitelist.txt" "rev:1,id:345678,phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

    in 00_asl_whitelist.conf

    The strange thing was I needed to empty completely even comments!

    Does anyone have any idea why this strangeness is happening please?

    Thanks in advance

    Will
  2. mistwang

    mistwang LiteSpeed Staff

    Looks like a bug in our mod_sec engine. We will give that rule a try in our lab.
    Do you have proxy in front of LSWS?
    What is in the whitelist.txt? please give us a short example.

    Which version of LSWS are you using? 4.2.11?
  3. mistwang

    mistwang LiteSpeed Staff

    Maybe the comment line causes LSWS to whitelist all IPs, treat it as "*".
    Try put only real IP in that file without comment, see if it is OK.
  4. Will Harrison

    Will Harrison New Member

    I will try that as you suggest - this is the file in part:

    starts with

    # http://www.atomicorp.com/
    # Atomicorp (Gotroot.com) ModSecurity rules
    # Application Security Rules for modsec 2.x
    ...
    #---ASL-CONFIG-FILE---
    #
    # Do not edit this file!
    # This file is generated and changes will be overwritten.
    #
    # If you need to make changes to the rules, please follow the procedure here:
    # http://www.atomicorp.com/wiki/index.php/Mod_security
    ...
    list or domains continues
  5. Will Harrison

    Will Harrison New Member

    Yes without the # comments all is okay. I guess I adjust our rule update script to remove these lines for the time being. Thanks for the idea - I really should have thought of trying that myself.

Share This Page