LiteSpeed is not working with Mod Security?

Discussion in 'Install/Configuration' started by vivek, Jan 27, 2008.

  1. vivek

    vivek Well-Known Member


    I already reported that LiteSpeed is not working with mod security. But someone here told me that it will work if the mod sec file is included in httpd.conf.

    I thought that it was my mistake, but I changed the server just now.

    I have a new server now, and installed mod security. I added a lot of rules and all started working with Apache.

    Then I installed litespeed and mod security stopped working.

    Now, if I stop litespeed and start httpd, then I get emails telling me that some sites/IPs are blocked by mod security.
    But when I stop apache and start litespeed, no mails are coming.

    Also, I checked it with a website, and confirmed that mod sec is not working with litespeed.

    I want mod security. If it is not working with litespeed then I am sorry, I have to uninstall litespeed.
  2. ffeingol

    ffeingol Well-Known Member

    What version of LSWS are you using (free, paid, trial)? What is emailing you that things are being blocked by mod_security?

  3. vivek

    vivek Well-Known Member

    It's 3.3.4 Enterprise, I suppose (latest version, installed a day ago).
    Currently using the 14 days trial. But I think it is the same as paid, for at least 14 days.

    I installed CSF, and I get an email from the firewall something like this when mod sec blocks an IP:

    Time: Sat Jan 26 22:25:21 2008
    IP: (Unknown)
    Failures: 1 (mod_security)
    Interval: 255 seconds
    Blocked: Yes

    Log entries:

    [Sat Jan 26 22:25:20 2008] [error] [client] mod_security: Access denied with code 403. Pattern match "/Long_stories/" at THE_REQUEST [severity "EMERGENCY"] [hostname ""] [uri "/hack/hack.php"] [unique_id "R5v5oEU7GRsAAGdCxCU"]
  4. mistwang

    mistwang LiteSpeed Staff

    LiteSpeed does not block requests that result in 404 not found.
  5. ffeingol

    ffeingol Well-Known Member

    Hello vivek,

    I'm guessing that mod_security is really working with LSWS. Take a look at the value of "MODSEC_LOG" in your csf.conf. I'm guessing that Apache and LSWS are not logging things to the same place, so CSF is not finding the mod_security (like) messages from LSWS.

  6. vivek

    vivek Well-Known Member

    I never said it is 404. Please take a look at the above post. It is 403.
  7. vivek

    vivek Well-Known Member

    I searched for the MODSEC_LOG file and it is the same as the apache log file.

    I am sure lsws is not working with mod_sec. I also can't see any blocked IPs in the CSF deny IP list.

    But when I start httpd and stop lsws, then I can see the deny IP file starts filling.
    Any idea?
  8. ffeingol

    ffeingol Well-Known Member

    Hello vivek,

    I'm sorry, but I think you are missing my point. In our config Apache logs to /etc/httpd/logs/error_log. LSWS on the other hand logs errors to /opt/lsws/logs/error.log.

    Where your LSWS logs are is going to depend on where you installed LSWS and if you changed the default location for the log. Simply try grep'ping for SECURITY in your LSWS error log and you'll see right away if mod_security is working. You can also look for the SECURITY errors in the web interface.

  9. vivek

    vivek Well-Known Member

    OK, one doubt. So, if I change the MODSEC_LOG path to /opt/lsws/logs/error.log, then will CSF block the IPs and add them to its IP deny list?
  10. ffeingol

    ffeingol Well-Known Member

    You're going to have to look at the mod_security entries in the LSWS log vs the Apache log and see if they are similar enough to get picked up. I'd have to look at how CSF scans the logs in more detail to know for sure.

    The exact value for MODSEC_LOG is going to depend on where you installed LSWS (i.e. the exact path you choose).

  11. vivek

    vivek Well-Known Member

    Ya, I am also thinking the same, that CSF scans the error.log (apache) for any mod_security issue. And it will take the IP from that file, and block it.

    I am not sure how it will scan the /opt/lsws/logs/error.log.

    Anyway, I changed the entry to /opt/lsws/logs/error.log, and am checking it again.

  12. vivek

    vivek Well-Known Member

    OK, I changed it many hours ago, but still CSF is not reading the lsws error.log and blocking those IPs.
    That's very bad.

    Any other method?
  13. ffeingol

    ffeingol Well-Known Member

    I believe the issue is that LSWS does not format the security message the same way mod_security does. CSF is looking for a specific pattern and not finding the LSWS lines.

  14. vivek

    vivek Well-Known Member

    Well, I was wondering, is there any other method or is there any other firewall script that can read the lsws error.log file for mod security lines and that can block the IPs instantly?

    Because the combination of

    Apache + Mod_security + ConfigServer Firewall = is simply great!

    But if we replace apache with litespeed, then nothing works (in the case of modsec).

  15. vivek

    vivek Well-Known Member

    Why doesn't lsws format its error.log messages just like apache does?
    So that CSF can read both apache and lsws log files for modsec lines.
  16. ffeingol

    ffeingol Well-Known Member

    Can you post a line from your error log (Apache) for mod_security? It should not be too difficult to change the regex in CSF to look for the LSWS lines. It would just be easier/quicker to be able to compare the two and I don't have any Apache servers anymore.

  17. vivek

    vivek Well-Known Member

    Here it is.

    [Sat Jan 26 04:05:55 2008] [error] [client] mod_security: Access denied with code 403. Pattern match "/Long_stories/" at THE_REQUEST $verity "EMERGENCY"] [hostname ""] [uri "/Long_stories/rathi_nirvruthi/rathi_nirvruthi_1.pdf"] [unique_id "R5r380U7GRsAADhRezs"]

    This is the line in the apache log file, and CSF can detect this line and take the IP, then add the IP to the blocked list.

    Can anybody paste the lsws log for mod_security like this?
  18. ffeingol

    ffeingol Well-Known Member

    I've posted on the CSF forum asking if they could add a regex that would support the LSWS format.

  19. vivek

    vivek Well-Known Member

    I saw your post. Still no reply from them :(
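
Added example, not part of the thread and not CSF's or LiteSpeed's own code: a small audit that shows how a blocker keyed to the Apache mod_security line quoted above silently ignores security events written in a different wording. The regex is an assumption modelled on that quoted line (with an unredacted `[client <ip>]` field), not CSF's actual pattern, and the second sample line is a constructed stand-in, not the real LSWS format.

```python
import re

# Apache error_log line written by mod_security, in the shape quoted in the thread.
# Assumption: the unredacted line carries the address as "[client <ip>]".
APACHE_MODSEC = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] '
    r'mod_security: Access denied with code (?P<code>\d{3})\. .*?'
    r'\[uri "(?P<uri>[^"]*)"\]'
)
# Loose marker for security-rule lines, following the "grep for SECURITY" advice.
SECURITY_HINT = re.compile(r'mod_security|SECURITY', re.IGNORECASE)

# Constructed sample input. 192.0.2.0/24 is a documentation range. Line 2 is a
# made-up stand-in for "another server's wording", NOT the real LSWS format.
SAMPLE_LOG = [
    '[Sat Jan 26 22:25:20 2008] [error] [client 192.0.2.10] mod_security: '
    'Access denied with code 403. Pattern match "/Long_stories/" at THE_REQUEST '
    '[severity "EMERGENCY"] [hostname ""] [uri "/hack/hack.php"] '
    '[unique_id "R5v5oEU7GRsAAGdCxCU"]',
    '2008-01-26 22:25:21 NOTICE [192.0.2.11] SECURITY rule matched, request denied',
    '[Sat Jan 26 22:26:01 2008] [error] [client 192.0.2.12] File does not exist: /favicon.ico',
]

def audit(lines):
    """Return (hits, missed): parsed Apache-format denials, and security-looking
    lines the pattern cannot parse (events a log-based blocker would not act on)."""
    hits, missed = [], []
    for lineno, line in enumerate(lines, 1):
        m = APACHE_MODSEC.match(line)
        if m:
            hits.append(m.groupdict())
        elif SECURITY_HINT.search(line):
            missed.append((lineno, line))
    return hits, missed

def coverage(lines):
    """Fraction of security-related lines the blocker's pattern would catch."""
    hits, missed = audit(lines)
    total = len(hits) + len(missed)
    return len(hits) / total if total else None

if __name__ == "__main__":
    hits, missed = audit(SAMPLE_LOG)
    for h in hits:
        print("would block:", h["ip"], h["code"], h["uri"])
    for lineno, line in missed:
        print(f"line {lineno} not matched:", line)
    print("coverage:", coverage(SAMPLE_LOG))
```

Running `audit()` over the log file the blocker is pointed at after a web-server change gives a quick check: a non-empty `missed` list with no `hits` means the denials are being logged but the blocker's pattern no longer recognises them.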
