[Resolved] 5.1RC1 and @inspectFile

Status
Not open for further replies.

bobykus

Well-Known Member
#1
Hello,

I would like to evaluate the new features in the upcoming major release. The most interesting seem to be the @rbl and @inspectFile mod_sec features. It would be great if LiteSpeed came with some help on how to perform simple configuration and testing. So far I configured

Request Filter >

Enable Request Filtering: Yes
Default Action: deny,log,status:403
Scan Request Body: Yes
Disable .htaccess Override: Yes
Enable Security Audit Log: Yes

and Request Filtering Rule Set with
SecRule FILES_TMPNAMES "@inspectFile /opt/modsecurity/bin/file-inspect.pl" phase:2,t:none,log,block

where /opt/modsecurity/bin/file-inspect.pl comes from the mod_sec manual.

Then I created a simple HTML/PHP upload script from a site

<!DOCTYPE html>
<html>
<body>

<form action="up.php" method="post" enctype="multipart/form-data">
Select image to upload:
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload Image" name="submit">
</form>

</body>
</html>

where the EICAR-AV-Test test signature was uploaded, but nothing happens! And nothing in the logs.
 

bobykus

Well-Known Member
#3
The settings are

Log Level 9

and

Security Audit Log: /hsphere/shared/apache/logs/audit.log

Here is the result of

/opt/modsecurity/bin/file-inspect.pl EICAR-AV-Test
0 clamscan: Eicar-Test-Signature


/hsphere/shared/apache/logs/audit.log is empty after uploading EICAR-AV-Test


Wonder what I am doing wrong...
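
The manual check from post #3 as a small helper (an added example, not part of the original posts and not the mod_sec manual's script). It assumes the approver contract described in the ModSecurity reference manual, under which the "0 ..." line shown above counts as a match; `make_stub_approver`, its marker string and the file name `check-approver.sh` are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret an @inspectFile approver's output by hand.
# Assumed contract (ModSecurity reference manual): the approver gets the file
# path as its first argument and prints one line; a leading "1" means clean,
# any other first character is treated as a match.

# inspect_verdict APPROVER FILE
# Prints "clean", "match: <line>" or "error: <reason>".
# Returns 0 (clean), 1 (match) or 2 (approver could not be evaluated).
inspect_verdict() {
    approver=$1
    file=$2
    [ -x "$approver" ] || { echo "error: approver not executable"; return 2; }
    [ -r "$file" ] || { echo "error: file not readable"; return 2; }
    # Only the first line of stdout matters; stderr is discarded.
    out=$("$approver" "$file" 2>/dev/null | head -n 1)
    case $out in
        "") echo "error: no output from approver"; return 2 ;;
        1*) echo "clean"; return 0 ;;
        *)  echo "match: $out"; return 1 ;;
    esac
}

# make_stub_approver PATH
# Writes a constructed stand-in for file-inspect.pl so the check runs without
# ClamAV: it flags any file containing a made-up marker string.
make_stub_approver() {
    cat > "$1" <<'EOF'
#!/bin/sh
if grep -q 'CONSTRUCTED-TEST-MARKER' "$1"; then
    echo "0 clamscan: Constructed-Test-Signature"
else
    echo "1 clean"
fi
EOF
    chmod +x "$1"
}

# Usage (hypothetical file name):
#   sh check-approver.sh /opt/modsecurity/bin/file-inspect.pl /path/to/file
# Run it as the account the web server runs under, so permission problems show.
if [ "$#" -eq 2 ]; then
    inspect_verdict "$1" "$2"
fi
```

A "clean" or "match" verdict here only shows that the script itself behaves; whether the server invokes it on uploads is a separate question.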
 

mistwang

LiteSpeed Staff
#4
Please try 5.1RC2 with

/usr/local/lsws/admin/misc/lsup.sh -d -f -v 5.1RC2

There was a bug fixed in the @fileinspect implementation.

Please make sure your server log level is not higher than INFO; the modsecurity debug messages are logged at INFO level.
 

bobykus

Well-Known Member
#5
Yes, I updated to RC2.
Here is a log of the POST request. Nothing about any filtering,

/hsphere/shared/apache/logs/audit.log

is empty. We use apache style.
 

bobykus

Well-Known Member
#10
Do you mean

Disable .htaccess Override

Description: Specifies whether to disable .htaccess override. This is a global setting, only available at the server level. Default is "No".
Syntax: Select from radio box

Does it not completely disable .htaccess?
 

bobykus

Well-Known Member
#14
Well,

After update I can not log into admin interface now :)
When I provide user and password nothing happens.
Also the error logs are empty too.
 

bobykus

Well-Known Member
#16
Still the issue



Code:
gettimeofday({1448291838, 319590}, NULL) = 0
lstat("/usr/local/lsws/admin/html/classes//DTblDef.php", 0x7ffeee2b8f90) = -1 ENOENT (No such file or directory)
gettimeofday({1448291838, 319688}, NULL) = 0
open("/usr/local/lsws/admin/html.5.1RC2/classes/ws/DTblDef.php", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=100613, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=100613, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=100613, ...}) = 0
mmap(NULL, 100613, PROT_READ, MAP_SHARED, 6, 0) = 0x7f091542d000
brk(0x15f8000)                          = 0x15f8000
writev(5, [{"LS\6\0\177\0\0\0", 8}, {"PHP Parse error:  syntax error, "..., 119}], 2) = 127
chdir("/usr/local/lsws/admin/fcgi-bin") = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
pwrite(3, "secret|s:14:\"litespeedrocks\";cha"..., 98, 0) = 98
close(3)                                = 0
munmap(0x7f091542d000, 100613)          = 0
close(6)                                = 0
brk(0x1578000)                          = 0x1578000
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
writev(5, [{"LS\3\0\305\0\0\0\4\0\0\0\364\1\0\0\'\0N\0\21\0\'\0", 24}, {"Expires: Thu, 19 Nov 1981 08:52:"..., 173}, {"LS\5\0\10\0\0\0", 8}], 3) = 205


litespeedrocks ? really? :)
 