Request Filter Not Working?

Discussion in 'General' started by NC-Designs, Aug 15, 2010.

  1. NC-Designs

    NC-Designs Well-Known Member

    I am having problems with the Request Filter not working. I have installed various rules and the particular one I am testing is -
    # WEB-ATTACKS /etc/passwd access
    SecFilter "/etc/passwd" deny,log,status:406
    The request filter is enabled along with scan request body and log level set to 6.

    When running the file that should trigger this, it doesn't. Put the rule into ModSec however and it denies instantly.

    Any ideas why this is or should I say isn't happening?
  2. NiteWave

    NiteWave Administrator

    Assume the document root is /home/user1/public_html.

    Do you have a file /home/user1/public_html/etc/passwd?
  3. NC-Designs

    NC-Designs Well-Known Member

  4. NiteWave

    NiteWave Administrator

    tested, with only 1 line in .htaccess
    when access through
    as expected.

    in error.log:
  5. NC-Designs

    NC-Designs Well-Known Member

    I don't understand. I run shared hosting and have recently changed over to LiteSpeed. Why would a customer want to put modsec rules in their .htaccess? I am talking about the request filters in the LiteSpeed panel.
  6. NiteWave

    NiteWave Administrator

    When I did tests in the admin console, I also experienced some difficulty making it work well. Although it finally got working, there were some strange behaviors observed. For example, to make the change effective, restarting lsws is not enough; it must be stopped and then started. But I'm not sure whether it's lsws's problem or the test box's problem, since I recreated /dev/urandom a few days ago on this box. The tests on .htaccess (maybe httpd.conf too) were quite smooth, so I posted the test results first.
  7. NC-Designs

    NC-Designs Well-Known Member

    Okay, thanks. I think Modsec would be the most reliable option of the two.

    About LiteSpeed's IP blocking capability, how does it do it? Does it temporarily add to iptables or use its own blocking method?

    As I think when my server comes under attack, this IP blocking is proving damaging rather than helpful as it increases load yet prevents the firewall from catching it.
