Light and Effective Mod_security ruleset for litespeed

Discussion in 'General' started by felosi, Oct 25, 2007.

  1. felosi

    felosi Well-Known Member

    I been working on this ruleset sometime. Not really wring many rules but taking out all the useless stuff from the rules at gotroot, adding a few new ones, and trying to keep it light as possible.

    This ruleset will stop most known and some unknown exploits. It also will fire on most php shells executed on your server.

    Now, I suppose litespeed will just pick this ruleset up and read it but I usually install mod_security on apache and add it to httpd.conf in the case I had to run apache temporarily it wont error on the config . So compiling mod_security for your apache is recommended. There are tutorials everywhere for that, has a good one but dont add anything to httpd.conf yet.

    then wget this file to your /etc/httpd/conf directory

    Add a line in your httpd.conf

    Include /etc/httpd/conf/mod_security.conf

    This shouldn't fire on most popular web apps, check your logs for request blocks and determine if they are legit or false alarm.
  2. Dani

    Dani Well-Known Member

    I think it needs some rewriting to work with LS if I'm not mistaken.. hope the crew can answer that better than me tho. It's a nice filter to start with that you can later customize to your server as not all is needed in my opinion. As the more filters the more it will slow down the processing if you ask me :)
  3. felosi

    felosi Well-Known Member

    no, its fully functional with lsws. I was just posting it here in case someone wanted to use it
    I install it on every litespeed server I have and on new setups as well. Does good.

    As far as slowing down processing, it doesnt affect litespeed. Ive loaded much bigger rulesets then this and measured page load times, server load, etc with and without and there was no difference. Im sure it may on smaller machines though.

    But this ruleset here is good for vps and servers
  4. Dani

    Dani Well-Known Member

    so the
    <IfModule mod_security.c>
    stuff dosn't need to get filtered out before using this? I'm ofcource talking about the LS Request Filter settings. But maybe you load this somewhere else in LS?
  5. anewday

    anewday Moderator

    How updated is this ruleset?
    Probably a good idea to comment out this line:

    # Change Server: string
    SecServerSignature "Apache"

    You wouldn't want others to think your server is running Apache...

    And why comment this out?

    # Protecting from XSS attacks through the PHP session cookie
    #SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    #SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    Last edited: Nov 14, 2008
  6. UWH-David

    UWH-David Active Member

    Any update?

Share This Page