mod_security

NC-Designs

Well-Known Member
#21
Those rules should work fine with 4.1 release.
We need to either check it on your server, or copy your configuration to our lab environment to reproduce it.
I have PMed you my email, please could you get back to me on that address so I can provide you with a login so you could take a look?

Regards,
Chris
 

sux0r

Well-Known Member
#22
I get these errors with the latest gotr00t rule set which I tried.

20_asl_useragents.conf
00_asl_rbl.conf
10_asl_rules.conf



o_O
 

mistwang

LiteSpeed Staff
#27
The <LocationMatch> issue should be addressed in our 4.1.1 release when you put security rules in the native LSWS configuration.

However, for vhost configured through httpd.conf, you should configure mod_security through httpd.conf as if Apache is used.
 

sux0r

Well-Known Member
#28
Configured ModSec from httpd.conf
And the <LocationMatch> errors disappeared.

These are the errors now, which are regarding 10_asl_rules.conf
from the GotRoot rule set.

 
#30
Gotroot 2.5 modsecurity processing in Litespeed

I signed up for a gotroot subscription and tried the rules as suggested for a cpanel installation, i.e. a relatively light rule set.

While most rules parsed ok, performance on the server was significantly degraded: a normal dynamic page that delivered in 300 milliseconds would take 20 seconds to load. It looks like the mod security implementation needs to be optimized or precompiled in some way, or an apache reverse proxy run in front of litespeed.
 

DanEZPZ

Well-Known Member
#32
Have there been any updates to this?

This is becoming a problem and as far as I can see it's just being overlooked. I've got a fair amount of licenses but am tempted to just go back to Apache as basic security features don't appear to get the development time they deserve.
 

markb1439

Well-Known Member
#33
This is becoming a problem and as far as I can see it's just being overlooked. I've got a fair amount of licenses but am tempted to just go back to Apache as basic security features don't appear to get the development time they deserve.
Same here. We see more and more hack attempts every day, and we need full mod_security support. I am a bit upset that we weren't told from the start that LiteSpeed's mod_security support is very incomplete. And now, even with Atomicorp doing all they can to help LiteSpeed implement it, it apparently still isn't there.

In today's climate, we need full support for mod_security. LiteSpeed may brag about their security features, but those features are ineffective if other threats are getting through because of the incomplete mod_security support.

LiteSpeed is very expensive considering the open source alternatives available. And LiteSpeed's support leaves a lot to be desired. For example, almost every other software company offers ticket-based or e-mail support. But with LiteSpeed, we must rely on forum-based support. And the answers in the forum are often cryptic and hard to follow. It is often hard to find the answers needed to properly configure and maintain LiteSpeed. So, on top of these issues, the security concerns are becoming a deal-breaker.

LiteSpeed, you will probably lose a lot of clients over this issue (including us) if you don't add real mod_security support ASAP.
 

NiteWave

Administrator
#34
From 4.1, LSWS already supports mod_security 2.5.
Please refer to the release log:
http://www.litespeedtech.com/litespeed-web-server-release-log.html

Although some features are not supported, for example PDF scan, core features like those in the latest gotroot rules are supported, and that's our target.

Since mod_security and the rules keep updating, we may miss something important. Please point out which features/rules are not supported by the latest LSWS and we'll investigate it.

The mod_security 2.5 engine is the most difficult part -- LSWS has already included it since 4.1.
 

markb1439

Well-Known Member
#35
Thanks for the reply. According to the Atomicorp Wiki, LiteSpeed's mod_security 2.x support is still incomplete, at least as of a month or two ago:

http://www.atomicorp.com/wiki/index.php/Litespeed

LiteSpeed has a proprietary closed implementation of mod_security, the WAF module we use in Apache. The LiteSpeed modsecurity implementation is not complete, does not support the full rule language, and is not fully compatible with modern mod_security rules. We recommend you contact Litespeed to confirm what they may or may not support in the modsecurity rule language.

The Litespeed modsecurity implementation is not the same or a "drop in" replacement for the real modsecurity module. It is also not fully compatible with modsecurity rules nor is the litespeed implementation complete. Therefore, all modern modsecurity rules will not work correctly or completely Litespeed. In some cases, they may not load, or if they load they may not even work as expected. We have provided Litespeed with our rules and free ASL licenses, and eagerly await the day when they will actually support modsecurity. As of August 2011, the LiteSpeed implementation is still reported to be incomplete. You can read more about this on the Litespeed forums:

http://www.litespeedtech.com/support/forum/showthread.php?t=4619&highlight=modsecurity

As a result of this, Litespeed currently only supports 1.9.x features and a subset of 2.0 features. Our rules are built for modsecurity 2.6.1. 1.9.x was obsolete many years ago (and we retired the 1.9.x rules as a result many years ago). The current version of the modsecurity rule language is 2.6.x, which we fully support. Litespeed is working on some 2.6.x compatibility, but it is still not complete and it appears they do not intend to fully support the language. We encourage you to encourage LiteSpeed in their efforts to support the full mod_security rule language.
If this is true, even if you "support 2.5 rules," that does not mean that your implementation of mod_security is complete. Please clarify this further.

BTW, I am not trying to be negative. I just need to make sure we are fully protected. Atomicorp seems to be a reliable company, so I trust their facts. However, if I have the facts wrong, please enlighten me.
 

markb1439

Well-Known Member
#36
Hi Again,

Atomicorp still tells me that LiteSpeed does not fully support mod_security. Can LiteSpeed please supply complete details?

We are about to deploy additional servers, but we can't put LiteSpeed on them (or continue using it on our existing servers) if LiteSpeed cannot even tell us how much of mod_security is actually supported...and what functionality is missing.

Atomicorp is a respected expert on security, so if they say there is a problem, I believe it.

LiteSpeed, please provide a complete, honest, comprehensive answer about your mod_security support (what's included, what's missing, etc.). (This is my other complaint about LiteSpeed, that complete information is often hard to get...answers are often incomplete or vague.) LiteSpeed, please answer the mod_security issue completely.

Thanks,

Mark
 
#39
Hello, I'm considering setting up a new server with LiteSpeed right now (under cPanel/WHM)... What should I do to get excellent security? Thanks a lot!
 
#40
300 ms in the normal delivery of a dynamic page, will take 20 seconds to load. It looks like the MOD security required to optimize the implementation, or in some way pre-compiled.
 