How to enable mod_security rules on Standalone LiteSpeed Web Server

In the LSWS WebAdmin console, “Web Application Firewall (WAF)” is found under Server → Security → “Web Application Firewall (WAF)”. It is a built-in LSWS feature for enabling and adding a mod_security rule set on an LSWS native server. For a control panel environment, these steps are unnecessary: simply enable the mod_security rule set from the control panel, the same way you would enable a rule set for Apache. For more information on that, please see this wiki.

On LSWS native, “Web Application Firewall (WAF)” lets the user choose whether to enable deep inspection of request content. This feature is equivalent to Apache's mod_security and can be used to detect and block malicious requests by matching them against known signatures.

There are many rule sets to choose from, such as OWASP, Comodo, Atomicorp, and Imunify360. LSWS is compatible with these rule sets, and it is up to you to choose one. You can also write your own custom rules if you are familiar with crafting mod_security rules.

This wiki uses the Comodo rule set as an example to show how to enable a mod_security rule set in LSWS native mode.

Comodo is a Mod_Security rule set created by the Comodo Team. It provides real time protection for web apps running on the LiteSpeed Web Server. Its functions include:

  • Protecting sensitive customer data
  • Meeting PCI compliance requirements
  • Blocking unauthorized access
  • Preventing SQL injection and Cross Site Scripting (XSS) attacks

Download and Extract Rules

We first need to download the Comodo rules that are compatible with LiteSpeed.

cd /usr/local/lsws/conf
wget https://waf.comodo.com/api/cpanel_litespeed_vendor
unzip cpanel_litespeed_vendor
cd comodo_litespeed/
mv rules.conf.main rules.conf

This downloads the Comodo LiteSpeed rules and renames rules.conf.main to rules.conf. This is the file we will reference in the WebAdmin console.

Add WAF Rule Set

Navigate to Configurations » Server » Security » WAF Rule Set

Click Add to edit the WAF Rule Set

  • Name: Comodo Litespeed
  • Action: None
  • Enabled: Yes
  • Rules Definition: Include $SERVER_ROOT/conf/comodo_litespeed/rules.conf

Click Save to activate the rules.

Enable Firewall

Navigate to Configurations » Server » Security » Web Application Firewall (WAF)

  • Enable WAF: Yes
  • Log Level: 0
  • Default Action: deny,log,status:403
  • Scan Request Body: Yes (when set to Yes, POST request bodies are scanned)
  • Temporary File Path: /tmp
  • Disable .htaccess Override: Not Set
  • Enable Security Audit Log: Not Set
  • Security Audit Log: $SERVER_ROOT/logs/security_audit.log

Click Save to enable the firewall, and perform Graceful Restart.

Test mod_security rule set

Method 1

  1. To check CWAF for protection, send the request as shown below:
    http://$server_domain/?a=b AND 1=1

    The server will respond with a 403 status code

Method 2: Command injection attack

  1. Create a delete.php file with the following code:
    <?php
    print("Please specify the name of the file to delete");
    print("<p>");
    $file=$_GET['filename'];
    system("rm $file");
    ?>
  2. Create a dummy file
    touch bob.txt
  3. Open
     http://$server_domain/delete.php?filename=bob.txt;id 

If the WAF works, you will get a 403 Forbidden page.
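The two checks above can be scripted together with a benign control request, so that a server answering 403 to everything is not mistaken for a working rule set. This is an added example, not part of the original wiki or of LiteSpeed's tooling; the function names and the http://your-server placeholder are assumptions, and curl must be installed.

```sh
#!/bin/sh
# Added example: WAF smoke test for Method 1 and Method 2 above.
# Assumptions: curl is installed; the base URL points at your own LSWS host.

# Print the HTTP status for GET $1 with one URL-encoded query parameter $2.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -G --data-urlencode "$2" "$1"
}

# $1 = label, $2 = URL, $3 = query parameter, $4 = expected verdict (block|allow)
check() {
    code=$(http_status "$2" "$3") || code=000
    case "$4:$code" in
        allow:000|block:000) echo "FAIL  $1: no HTTP response"; return 1 ;;
        block:403) echo "PASS  $1 (403)" ;;
        allow:403) echo "FAIL  $1: benign request got 403"; return 1 ;;
        allow:*)   echo "PASS  $1 ($code)" ;;
        *)         echo "FAIL  $1: expected 403, got $code"; return 1 ;;
    esac
}

# Run all three requests against base URL $1; return non-zero if any fails.
waf_smoke_test() {
    base=${1%/}
    failed=0
    # Control: a harmless parameter must NOT be blocked, otherwise a 403 on
    # the probes below says nothing about the rule set.
    check "benign control" "$base/" "a=b" allow || failed=1
    # Method 1 from this page: ?a=b AND 1=1
    check "method 1" "$base/" "a=b AND 1=1" block || failed=1
    # Method 2 from this page: delete.php?filename=bob.txt;id
    check "method 2" "$base/delete.php" "filename=bob.txt;id" block || failed=1
    return $failed
}

# Run only when a base URL is given, e.g.: sh waf_smoke.sh http://your-server
if [ $# -ge 1 ]; then waf_smoke_test "$1"; fi
```

The function returns non-zero when any check fails, so it can be rerun after every rule set update or Graceful Restart.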

 
litespeed_wiki/waf/standalone.txt · Last modified: 2018/10/05 20:17 by Jackson Zhang