secfilter not working

Discussion in 'Apache Migration/Compatibility' started by felosi, Jun 23, 2007.

  1. felosi

    felosi Well-Known Member

    I noticed the last few days I haven't been getting any configserver firewall mod security bans in my mail for my server. So I figured it didn't write to /etc/httpd/logs/audit_log like mod security did.
    So I went and did some testing with some common exploits I have rules for and didn't get any 403s.
    I double checked, made sure the request filter was on. Instead of including the mod security rules with an Include in httpd.conf I copied and pasted my blacklist.conf into a new ruleset in the litespeed admin panel; you can see a copy here. It didn't accept the location match directives so I took them out.

    Went back to testing again, nothing. For example you should get a 403 for awstats probe for the request
    But if you click the link you notice you only get a 404.

    Anyway the most important rules I need are the ones for php shells and stuff like that so I definitely need to get this working. I've looked over any possibility of any mistake I could have made and couldn't find anything.

    Any ideas?
  2. mistwang

    mistwang LiteSpeed Staff

    LiteSpeed does not write to audit_log.
    And if the file does not exist, you will only get a 404, as the security check comes after that; there is no reason to waste CPU cycles on a request that cannot possibly become a security threat.
    You should get the security log from lsws/logs/error.log; everything goes there.
  3. dbMG

    dbMG Member

    We got the same problem. After successfully using mod_security rules with Apache, in LSWS we don't get this to work correctly.

    In just 1 day one user got hacked by nasty rule one:

    This attack was by Indy Library which is stated in rule
    and this
    I'm 100% positive this will not happen in Apache + mod_security. We don't get any errors about wrong rules in /opt/lsws/log/error.log

    I already tried making a new Request filter and enabling it, and still nothing.

    I'm a little confused about saying "is equivalent to Apache's mod_security". Can someone explain how to use REQUEST FILTER correctly?

  4. mistwang

    mistwang LiteSpeed Staff

    Only Enterprise edition can load security rules from httpd.conf
  5. dbMG

    dbMG Member

    So, every rule that is in "request filter" will not work until Ent. edition is bought?


  6. mistwang

    mistwang LiteSpeed Staff

    With standard, it works for vhosts configured within our web console, but not for vhosts configured through httpd.conf.
    Rules configured from the web console have no effect on Apache vhosts even with Enterprise; the filter rules need to be configured through httpd.conf for Apache vhosts.
  7. dbMG

    dbMG Member

    Any date when a monthly license can be purchased?

    Thank you.

  8. mistwang

    mistwang LiteSpeed Staff

    In a week or two.
  9. felosi

    felosi Well-Known Member

    Well, I was kinda confused at first about it not firing on 404s, but it doesn't, and it does fire on what it's supposed to. Would be nice to have such an option so it's possible to ban people with acunetix scanners and other crap that just guesses over and over despite the cms.
    Would also be nice if it would write to a separate log and have an option to actually have it write to /etc/httpd/logs/audit_log; that way scripts like configserver will be able to ban IPs firing mod security too many times.
  10. pitabread55

    pitabread55 Member

    Wow! That is kind of a biggie. It would be nice if this was noted on the "comparison" page. We were thinking of using the free version for some lower volume boxes just for the DOS protection, but not without the mod_security rules. Time to head back to the drawing board.

  11. vivek

    vivek Well-Known Member

    Sorry to tell this, but I am having the same issue with litespeed ent version.
    I have had mod_security + apache + CSF and that was great.
    I got several mails when modsec blocks a request.
    But when I changed to litespeed ent version, the modsec is not working.

    Sorry to say, litespeed enterprise can't import modsec rules from httpd.conf and if it can import then it can't filter the request.

    Need to develop more for accepting modsec rules.

    PS: I have modsec 1.9 ruleset.
  12. aww

    aww Well-Known Member

  13. felosi

    felosi Well-Known Member

    Of course. I think it has problems with some of them.

    But those gotroot rules are very outdated and include LOTS and LOTS and TONS of garbage you will never ever in a million years need. Like filters for apps that are not even made anymore, stuff like that

    I have a trimmed down version here

    Now, if you plan on ever starting apache you will need to have modsec 1.95 compiled or just comment out the include line

    All you do is "Include /whereveruputit/mod_security.conf"
    in httpd.conf

    I did try the apache style configurations in lsws admin and it did not work. I don't know if it's supposed to for that or not
  14. mistwang

    mistwang LiteSpeed Staff

    Everything should go through the Apache httpd.conf for vhosts configured through httpd.conf. It works fine.
