Differences
litespeed_wiki:waf:standalone [2017/09/12 18:20] Lisa Clarke [Download and Extract Rules] |
litespeed_wiki:waf:standalone [2018/10/05 16:01] Lisa Clarke [How to Setup Comodo on Standalone LiteSpeed Web Server] Proofreading |
Line 6: | Line 6: | ||
* Preventing SQL injection and Cross Site Scripting (XSS) attacks | * Preventing SQL injection and Cross Site Scripting (XSS) attacks | ||
+ | The following wiki will explain how to enable the mod_security rule set on a LSWS native server. For a control panel environment, these steps are unnecessary. Simply enable the mod_security rule set from the control panel, the same way you would enable a rule set for Apache. For more information on that, please see [[litespeed_wiki:waf#with_a_control_panel|this wiki]]. | ||
===== Download and Extract Rules ===== | ===== Download and Extract Rules ===== | ||
Line 23: | Line 24: | ||
=====Add WAF Rule Set===== | =====Add WAF Rule Set===== | ||
- | **Configurations >> Server >> Security >> WAF Rule Set** | + | Navigate to **Configurations >> Server >> Security >> WAF Rule Set** |
{{ :litespeed_wiki:waf:waf-ruleset.png?600 |}} | {{ :litespeed_wiki:waf:waf-ruleset.png?600 |}} | ||
- | + | Click **Add** to edit the **WAF Rule Set** | |
- | + | ||
- | **WAF Rule Set Settings** | + | |
{{ :litespeed_wiki:waf:waf-settings.png?600 |}} | {{ :litespeed_wiki:waf:waf-settings.png?600 |}} | ||
- | * Name: Comodo Litespeed | + | * **Name**: ''Comodo Litespeed'' |
- | * Action: None | + | * **Action**: ''None'' |
- | * Enabled: Yes | + | * **Enabled**: ''Yes'' |
- | * Rules Defination: Include $SERVER_ROOT/conf/comodo_litespeed/rules.conf | + | * **Rules Defination**: ''Include $SERVER_ROOT/conf/comodo_litespeed/rules.conf'' |
- | + | ||
- | Click ''Save'' to activate the rules. | + | |
+ | Click **Save** to activate the rules. | ||
=====Enable Firewall===== | =====Enable Firewall===== | ||
- | **Configurations >> Server >> Security >> Web Application Firewall (WAF)** | + | Navigate to **Configurations >> Server >> Security >> Web Application Firewall (WAF)** |
{{ :litespeed_wiki:waf:waf-enable.png?600 |}} | {{ :litespeed_wiki:waf:waf-enable.png?600 |}} | ||
- | * Enable WAF : Yes | + | * **Enable WAF**: ''Yes'' |
- | * Log Level: 0 | + | * **Log Level**: ''0'' |
- | * Default Action: deny,log,status:403 | + | * **Default Action**: ''deny,log,status:403'' |
- | * Scan Request Body: Yes (If set to 'Yes' will scan post request body) | + | * **Scan Request Body**: ''Yes'' (If set to ''Yes'' will scan post request body) |
- | * Temporary File Path: /tmp | + | * **Temporary File Path**: ''/tmp'' |
- | * Disable .htaccess Override: Not Set | + | * **Disable .htaccess Override**: ''Not Set'' |
- | * Enable Security Audit Log: Not Set | + | * **Enable Security Audit Log**: ''Not Set'' |
- | * Security Audit Log: $SERVER_ROOT/logs/security_audit.log | + | * **Security Audit Log**: ''$SERVER_ROOT/logs/security_audit.log'' |
- | Click ''Save'' to enable the firewall, and perform Graceful Restart. | + | Click **Save** to enable the firewall, and perform Graceful Restart. |
===== Verify Comodo ===== | ===== Verify Comodo ===== | ||
- | - After setting up Comodo, you may need to restart LiteSpeed Web Server | + | ====Method 1==== |
- To check CWAF for protection, send the request as shown below: <code>http://$server_domain/?a=b AND 1=1</code> The server will respond with a 403 status code \\ {{:litespeed_wiki:waf:comodo-5.png?500|}} | - To check CWAF for protection, send the request as shown below: <code>http://$server_domain/?a=b AND 1=1</code> The server will respond with a 403 status code \\ {{:litespeed_wiki:waf:comodo-5.png?500|}} | ||
+ | |||
+ | ====Method 2: Command injection attack==== | ||
+ | - Create a delete.php file with following codes \\ <code> | ||
+ | <?php | ||
+ | print("Please specify the name of the file to delete"); | ||
+ | print("<p>"); | ||
+ | $file=$_GET['filename']; | ||
+ | system("rm $file"); | ||
+ | ?> | ||
+ | </code> | ||
+ | - Create a dummy file \\ <code>touch bob.txt</code> | ||
+ | - Open <code> http://$server_domain/delete.php?filename=bob.txt;id </code> | ||
+ | If WAF works, you will get a 403 forbidden page | ||
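Review bot: The spelling error "Rules Defination" in the WAF Rule Set settings list survives this proofreading pass on the right-hand side; it should read "Rules Definition" (the field itself is the Include line, ''Include $SERVER_ROOT/conf/comodo_litespeed/rules.conf''). In the new Method 2 section, the delete.php test script passes the filename query parameter straight into system("rm $file") with no validation, so it is a working command-injection hole whenever the WAF is off or the rule set is misconfigured; the step list should end by telling the reader to delete delete.php and bob.txt from the document root once the 403 has been observed, and ideally to run the check on a test vhost rather than a live site. It would also help to state that a blocked request should appear in the security audit log when Enable Security Audit Log is set, since with it left at Not Set the reader has no server-side confirmation beyond the 403.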