LiteSpeed is not working with Mod Security?

vivek

Well-Known Member
#1
Hello

I already reported that LiteSpeed is not working with mod security. But someone here told me that it will work if the mod sec file is included in httpd.conf.

I thought that it was my mistake, but I changed the server just now.

I have a new server now, and installed mod security. I added a lot of rules and all started working with Apache.

Then I installed litespeed and mod security stopped working.

Now, if I stop litespeed and start httpd, I get emails telling me some sites/IPs are blocked by mod security.
But when I stop apache and start litespeed, no mails are coming.

Also, I checked it with a website, and confirmed that mod sec is not working with litespeed.

I want mod security. If it is not working with litespeed then I am sorry, I have to uninstall litespeed.
 

ffeingol

Well-Known Member
#2
What version of LSWS are you using (free, paid, trial)? What is emailing you that things are being blocked by mod_security?

Frank
 

vivek

Well-Known Member
#3
Hello
It's 3.3.4 Enterprise, I suppose (latest version, installed a day ago).
Currently using the 14-day trial. But I think it is the same as paid, for at least 14 days.

I installed CSF, and I get an email from the firewall something like this when mod sec blocks an IP:

Time: Sat Jan 26 22:25:21 2008
IP: 91.75.37.130 (Unknown)
Failures: 1 (mod_security)
Interval: 255 seconds
Blocked: Yes

Log entries:

[Sat Jan 26 22:25:20 2008] [error] [client 91.75.37.130] mod_security: Access denied with code 403. Pattern match "/Long_stories/" at THE_REQUEST [severity "EMERGENCY"] [hostname "website.com"] [uri "/hack/hack.php"] [unique_id "R5v5oEU7GRsAAGdCxCU"]
 

ffeingol

Well-Known Member
#5
Hello vivek,

I'm guessing that mod_security is really working with LSWS. Take a look at the value of "MODSEC_LOG" in your csf.conf. I'm guessing that Apache and LSWS are not logging things to the same place, so CSF is not finding the mod_security (like) messages from LSWS.

Frank
 

vivek

Well-Known Member
#7
I searched for the MODSEC_LOG file and it is the same as apache log file.

I am sure lsws is not working with mod_sec. I also can't see any blocked IPs in the CSF deny IP list.

But when I start httpd and stop lsws, I can see the deny IP file start filling.
Any idea ?
 

ffeingol

Well-Known Member
#8
Hello vivek,

I'm sorry, but I think you are missing my point. In our config Apache logs to /etc/httpd/logs/error_log. LSWS on the other hand logs errors to /opt/lsws/logs/error.log.

Where your LSWS logs are is going to depend on where you installed LSWS and if you changed the default location for the log. Simply try grepping for SECURITY in your LSWS error log and you'll see right away if mod_security is working. You can also look for the SECURITY errors in the web interface.

Frank
 

vivek

Well-Known Member
#9
OK, one doubt. So, if I change the MODSEC_LOG path to /opt/lsws/logs/error.log, will CSF then block the IPs and add them to its IP deny list?
 

ffeingol

Well-Known Member
#10
You're going to have to look at the mod_security entries in the LSWS log vs the Apache log and see if they are similar enough to get picked up. I'd have to look at how CSF scans the logs in more detail to know for sure.

The exact value for MODSEC_LOG is going to depend on where you installed LSWS (i.e. the exact path you chose).

Frank
 

vivek

Well-Known Member
#11
Ya, I am also thinking the same, that CSF scans the error.log (apache) for any mod_security issue, takes the IP from that file, and blocks it.

I am not sure how it will scan /opt/lsws/logs/error.log.

Anyway, I changed the entry to /opt/lsws/logs/error.log, and am checking it again.

Vivek
 

vivek

Well-Known Member
#12
OK, I changed it many hours ago, but still CSF is not reading the lsws error.log and blocking those IPs.
That's very bad.

Any other method ?
 

ffeingol

Well-Known Member
#13
I believe the issue is that LSWS does not format the security message the same way mod_security does. CSF is looking for a specific pattern and not finding the LSWS lines.

Frank
 

vivek

Well-Known Member
#14
Well, I was wondering, is there any other method, or any other firewall script, that can read the lsws error.log file for mod security lines and block the IPs instantly?

Because the combination of

Apache + Mod_security+ConfigServer Firewall = is simply great!

But if we replace Apache with LiteSpeed, then nothing works (in the case of modsec).

Vivek
 

vivek

Well-Known Member
#15
Also,
Why doesn't lsws format its error.log messages just like Apache does?
Then CSF could read both the Apache and lsws log files for modsec lines.
 

ffeingol

Well-Known Member
#16
Can you post a line from your error log (Apache) for mod_security? It should not be too difficult to change the regex in CSF to look for the LSWS lines. It would just be easier/quicker to be able to compare the two and I don't have any Apache servers anymore.

Frank
 

vivek

Well-Known Member
#17
Here it is.

[Sat Jan 26 04:05:55 2008] [error] [client 213.42.21.150] mod_security: Access denied with code 403. Pattern match "/Long_stories/" at THE_REQUEST [severity "EMERGENCY"] [hostname "files.websitesss.com"] [uri "/Long_stories/rathi_nirvruthi/rathi_nirvruthi_1.pdf"] [unique_id "R5r380U7GRsAADhRezs"]


This is the line in apache log file, and CSF can detect this line and take IP, then add the IP to the blocked list.

Can anybody paste the lsws log for mod_security like this?
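The detection step Frank describes in #13 (a scanner matching a fixed pattern in MODSEC_LOG and banning the client IP), as an added example that is not CSF's or LiteSpeed's own code: a small Python scanner that recognises the Apache-format line pasted above, extracts the client IP and the quoted tags, counts denials per IP within an interval, and silently skips any line laid out differently, which is exactly why an LSWS entry in another format is never acted on. The regex, the threshold and interval defaults, and the third sample line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not CSF's or LiteSpeed's code). The regex approximates how a
# scanner such as CSF could recognise the Apache-format mod_security denial
# quoted in this thread; CSF's real pattern is not on the page (assumption).
MODSEC_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] '
    r'mod_security: Access denied with code (?P<code>\d{3})\.'
)
# Quoted key/value tags such as [hostname "website.com"] [uri "/hack/hack.php"]
TAG = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')

def parse_modsec_line(line):
    """Fields of an Apache-style mod_security denial, or None when the line is
    laid out differently (which is why LSWS entries go unnoticed)."""
    m = MODSEC_LINE.match(line)
    if not m:
        return None
    rec = {"time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
           "ip": m.group("ip"), "code": int(m.group("code"))}
    rec.update((t.group("key"), t.group("val")) for t in TAG.finditer(line, m.end()))
    return rec

def ips_to_block(lines, threshold=1, interval=255):
    """IPs whose denials reach `threshold` within `interval` seconds, mirroring
    the Failures/Interval fields of the CSF mail quoted earlier in the thread."""
    recent = defaultdict(list)
    blocked = []
    for line in lines:
        rec = parse_modsec_line(line)
        if rec is None:
            continue  # unmatched format: the line is silently skipped
        ip, ts = rec["ip"], rec["time"]
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= interval] + [ts]
        if len(recent[ip]) >= threshold and ip not in blocked:
            blocked.append(ip)
    return blocked

# Constructed sample: the two Apache lines quoted in the thread plus an ordinary
# error line in another layout, which the scanner must ignore.
SAMPLE_LOG = [
    '[Sat Jan 26 04:05:55 2008] [error] [client 213.42.21.150] mod_security: Access denied with code 403. Pattern match "/Long_stories/" at THE_REQUEST [severity "EMERGENCY"] [hostname "files.websitesss.com"] [uri "/Long_stories/rathi_nirvruthi/rathi_nirvruthi_1.pdf"] [unique_id "R5r380U7GRsAADhRezs"]',
    '[Sat Jan 26 22:25:20 2008] [error] [client 91.75.37.130] mod_security: Access denied with code 403. Pattern match "/Long_stories/" at THE_REQUEST [severity "EMERGENCY"] [hostname "website.com"] [uri "/hack/hack.php"] [unique_id "R5v5oEU7GRsAAGdCxCU"]',
    '[Sat Jan 26 22:26:00 2008] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico',
]
```

Running `ips_to_block(SAMPLE_LOG)` yields both Apache client IPs, while the third line is ignored; pointing the scanner at a log whose lines never match the pattern yields nothing, which is the behaviour seen after changing MODSEC_LOG to the LSWS path.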
 