4.1.1 Starts Restarting

[sux0r]

Im using Lsws 4.1.1 ( Build Date: 21st May 2011 )
Litespeed started to restart suddenly today.
Here are the most recent contents from the log.

http://i823.photobucket.com/albums/zz153/sux0r/5-26-20112-21-57PM.png

I've done a force-reinstall before the post.
And the problems still comming

~Thanks

 

[sux0r]

I switched back to Apache and after 2 hrs switched back to litespeed.
After tht all seems to be fine.
Before switching to Apache i removed my gotroot mod_sec entries from httpd.conf

Include "/usr/local/apache/conf/modsecurity_crs/10_asl_rules.conf"
Include "/usr/local/apache/conf/modsecurity_crs/20_asl_useragents.conf"
Include "/usr/local/apache/conf/modsecurity_crs/60_asl_recons.conf"
Include "/usr/local/apache/conf/modsecurity_crs/99_asl_jitp.conf"
Include "/usr/local/apache/conf/modsecurity_crs/SQL_injection.conf"
Include "/usr/local/apache/conf/modsecurity_crs/XSS_attack.conf"

The last two rules was in a litespeed configuration file.
I removed them, switched back to Apache. And after 2 hrs switched to litespeed and the problem havent occur yet.

~ Thanks

 

[webizen]

Are you indicating that the issue was caused by duplicate gotroot mod_sec rules in httpd.conf since lsws also has them (Admin console -> Configuration -> Server ->Request Filter -> Request Filtering Rule Set) ? You can disable them in LSWS Request Filter and uncomment the rules in httpd.conf to verify.

Before switching to Apache i removed my gotroot mod_sec entries from httpd.conf

Include "/usr/local/apache/conf/modsecurity_crs/SQL_injection.conf"
Include "/usr/local/apache/conf/modsecurity_crs/XSS_attack.conf"

The last two rules was in a litespeed configuration file.
I removed them, switched back to Apache. And after 2 hrs switched to litespeed and the problem havent occur yet.

~ Thanks

 

[webizen]

to help troubleshoot, you can install debug build of lsws and gdb (debugger) and send backtrace and core file to us or pm your server temporary root access for us to take a look.

debug build is at

http://www.litespeedtech.com/packages/lsws-4.1.1-ent-x86_64-linux-dbg.tar.gz
http://www.litespeedtech.com/packages/lsws-4.1.1-ent-i386-linux-dbg.tar.gz

do 'yum install gdb' to install debugger.

 

[sux0r]

Since i removed the mod_sec entries.
The issue havent come up yet.
Currently im using:

Include "/usr/local/apache/conf/modsecurity_crs/10_asl_rules.conf"
Include "/usr/local/apache/conf/modsecurity_crs/20_asl_useragents.conf"
Include "/usr/local/apache/conf/modsecurity_crs/60_asl_recons.conf"

If the problem continues, i'll install the debug version

 

[NiteWave]

can you post the rules here if they're not long?

Include "/usr/local/apache/conf/modsecurity_crs/SQL_injection.conf"
Include "/usr/local/apache/conf/modsecurity_crs/XSS_attack.conf"

 

[sux0r]

SQL_injection.conf

#SQL generic
SecFilterSelective ARGS "drop[[:space:]]+(database|table|column|procedure)"
SecFilterSelective ARGS "delete[[:space:]]+from|create[[:space:]]+table|update.+set.+=|insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from|bulk[[:space:]]+insert|union.+select|alter[[:space:]]+table"

SecFilterSelective ARGS "into[[:space:]]+outfile|load[[:space:]]+data|/\*.+\*/"

XSS_attack.conf

SecFilterSelective ARGS "(&\{.+\}|(&#[[0-9a-fA-F]]|\x5cx[0-9a-fA-F]){2})"

SecFilterSelective ARGS "(fromCharCode|http-equiv|<.+>|innerHTML|dynsrc|-->)"
SecFilterSelective ARGS "document\.(body|cookie|location|write)"

SecFilterSelective ARGS_VALUES "jsessionid|phpsessid|onReadyStateChange|xmlHttp"

SecFilterSelective ARGS "<(applet|div|embed|iframe|img|meta|object|script|textarea)"

# JavaScript event handlers
SecFilterSelective ARGS "on(Abort|Blur|Click|DblClick|DragDrop|Error|Focus|KeyUp|KeyDown|KeyPrerss|Load|Mouse(Down|Out|Over|Up)|Move|Reset|Resize|Select|Submit|Unload)"