mod_sec partial failure

Discussion in 'Install/Configuration' started by edigest, Jan 7, 2014.

  1. edigest

    edigest Active Member

    I have the latest LiteSpeed, latest cPanel and mod_sec 2.7x installed via cPanel/EasyApache.

    mod_security is only partially working. Simple user agents are blocked, but more complex UAs are not. For example, these work:

    SecRule HTTP_USER_AGENT "ati2qs" "id:330001,rev:1,phase:2,t:none,t:lowercase,status:403,log"
    SecRule HTTP_USER_AGENT "rarely used" "id:330170,rev:1,phase:2,t:none,t:lowercase,status:403,log"

    But these do not:

    SecRule HTTP_USER_AGENT "mail.ru_bot/2.0" "id:330121,rev:1,phase:2,t:none,t:lowercase,status:403,log"
    SecRule HTTP_USER_AGENT "mj12bot/v1.4.4" "id:330123,rev:1,phase:2,t:none,t:lowercase,status:403,log"

    Nor does it work replacing HTTP_USER_AGENT with REQUEST_HEADERS:User-Agent.

    SecRule REQUEST_HEADERS:User-Agent "mail.ru_bot/2.0" "id:330121,rev:1,phase:2,t:none,t:lowercase,status:403,log"
    SecRule REQUEST_HEADERS:User-Agent "mj12bot/v1.4.4" "id:330123,rev:1,phase:2,t:none,t:lowercase,status:403,log"

    What am I missing?
  2. edigest

    edigest Active Member

    Anybody? LiteSpeed staff?

    Just to be clear, if the UA is very simple such as "ati2qs" mod_sec blocks it with the rule above.

    But if the UA is more complex, such as

    Mozilla/5.0 (compatible; MJ12bot/v1.4.4;

    then filtering for "MJ12bot" (or "MJ12bot/v1.4.4") does not block the bot.
  3. edigest

    edigest Active Member

    SOLVED modsec partial failure

    Interesting - Apache doesn't care about the order of the rule elements and honors SecDefaultAction. Apparently, LiteSpeed cares about the order and does not honor SecDefaultAction.

    Several formats, including those in the original post, work fine with Apache but do not always work on LiteSpeed.

    YMMV, but this format & order works in all cases for me on LiteSpeed:

    SecRule REQUEST_HEADERS:User-Agent "MJ12bot" "phase:2,t:none,deny,status:403,id:330123,rev:1,severity:2,log,msg:'Bad Bot MJ12'"
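
A small linter for the problem identified in the last post, as an added example that is not from the thread or from LiteSpeed: it flags SecRule lines that carry no explicit disruptive action and so depend on SecDefaultAction. The function names and the list of checks are this example's own; the two sample rules are copied from the posts above.

```python
import shlex

# Actions that settle the outcome by themselves. "block" is left out on purpose:
# it defers to SecDefaultAction, which the last post found was not honored.
EXPLICIT = {"deny", "drop", "redirect", "proxy", "allow", "pass"}

def split_actions(action_string):
    """Split an action list on commas, keeping 'quoted, values' in one piece."""
    parts, buf, quoted = [], "", False
    for ch in action_string:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        parts.append(buf.strip())
    return parts

def lint_rule(line):
    """Return findings for one SecRule line; an empty list means none."""
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[0] != "SecRule":
        return ["not a SecRule with variable, operator and action list"]
    names = {a.split(":", 1)[0].lower() for a in split_actions(tokens[3])}
    findings = []
    if not names & EXPLICIT:
        findings.append("no explicit disruptive action, relies on SecDefaultAction")
    if "status" in names and not names & {"deny", "redirect"}:
        findings.append("status is set but there is no deny or redirect to use it")
    if "id" not in names:
        findings.append("no id")
    return findings

# Rules copied from the thread: first post (before) and last post (after).
BEFORE = ('SecRule HTTP_USER_AGENT "mj12bot/v1.4.4" '
          '"id:330123,rev:1,phase:2,t:none,t:lowercase,status:403,log"')
AFTER = ('SecRule REQUEST_HEADERS:User-Agent "MJ12bot" "phase:2,t:none,deny,'
         "status:403,id:330123,rev:1,severity:2,log,msg:'Bad Bot MJ12'\"")

if __name__ == "__main__":
    for label, rule in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_rule(rule) or "ok")
```

Running it over a whole rules file before moving it between Apache and LiteSpeed shows which rules would log without blocking.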
