Differences

This shows you the differences between two versions of the page.

--- litespeed_wiki:waf:standalone [2018/05/16 19:30]
Eric Leu [Method 2: Command injection attack]
+++ litespeed_wiki:waf:standalone [2018/11/08 19:56]
Lisa Clarke Proofreading and Rewording
@@ Line 1: / Line 1: @@
-====== How to Setup Comodo on Standalone LiteSpeed Web Server======
+====== Enabling ModSecurity Rules on Standalone LiteSpeed Web Server======
-[[https://waf.comodo.com/ | Comodo ]] is a Mod_Security rule set created by the Comodo Team. It provides real time protection for web apps running on the LiteSpeed Web Server. Its functions include:
+In the LSWS Web Admin console, there is a **Web Application Firewall (WAF)** section which allows you to enable ModSecurity and add a rule set on an LSWS native server. (For a control panel environment, these steps are unnecessary. Simply enable the ModSecurity rule set from the control panel, the same way you would enable a rule set for Apache. For more information on that, please see [[litespeed_wiki:waf#with_a_control_panel|this wiki]].)
+Navigate to **Server > Security**
+{{ :litespeed_wiki:waf:lsws-builtin-waf.png?600 |}}
+In the **Web Application Firewall (WAF)** section, you can choose whether to enable **Request Content Deep Inspection**. This feature is equivalent to Apache's ModSecurity, which can be used to detect and block requests with ill intention by matching them to known signatures.
+There are many rule sets you can choose from, such as:
+  * OWASP
+  * Comodo
+  * Atomicorp
+  * Imunify360
+And others. LSWS is compatible with these rule sets, and you may choose your favorite. You may also define your own customized rules, if you are familiar with crafting ModSecurity rule sets.
+Let's see how to enable a ModSecurity rule set, using Comodo as an example.
+[[https://waf.comodo.com/ | Comodo ]] is a ModSecurity rule set created by the Comodo Team. It provides real-time protection for web apps running on LiteSpeed Web Server. Its functions include:
   * Protecting sensitive customer data
   * Meeting PCI compliance requirements
@@ Line 8: / Line 27: @@
 ===== Download and Extract Rules =====
-We first need to download Comodo rules that are compatible with Litespeed.
+First, download Comodo rules that are compatible with Litespeed.
 <code>
@@ Line 19: / Line 38: @@
 This will download Comodo Litespeed rules, and move ''rules.conf.main'' to ''rules.conf''. This is the file we will reference in the WebAdmin console.
 =====Add WAF Rule Set=====
-Navigate to **Configurations >> Server >> Security >> WAF Rule Set**
+Navigate to **Configuration > Server > Security > WAF Rule Set**
 {{ :litespeed_wiki:waf:waf-ruleset.png?600 |}}
@@ Line 40: / Line 58: @@
 =====Enable Firewall=====
-Navigate to **Configurations >> Server >> Security >> Web Application Firewall (WAF)**
+Navigate to **Configuration > Server > Security > Web Application Firewall (WAF)**
 {{ :litespeed_wiki:waf:waf-enable.png?600 |}}
@@ Line 53: / Line 71: @@
   * **Security Audit Log**: ''$SERVER_ROOT/logs/security_audit.log''
-Click **Save** to enable the firewall, and perform Graceful Restart.
+Click **Save** to enable the firewall, and perform a Graceful Restart.
-===== Verify Comodo =====
+===== Test ModSecurity rule set =====
 ====Method 1====
-  - To check CWAF for protection, send the request as shown below: <code>http://$server_domain/?a=b AND 1=1</code> The server will respond with a 403 status code \\ {{:litespeed_wiki:waf:comodo-5.png?500|}}
+To check CWAF for protection, send this request:
-====Method 2: Command injection attack====
+<code>http://$server_domain/?a=b AND 1=1</code>
-  - Create a delete.php file with following codes \\ <code>
+If it's working, the server should respond with a 403 status code.
+{{:litespeed_wiki:waf:comodo-5.png?500|}}
+====Method 2: ====
+You can check that CWAF works properly by sending a GET or POST request parameter ''cwaf_test_request=a12875a9e62e1ecbcd1dded1879ab06949566276''
+Like this:
+  http://$server_domain/?cwaf_test_request=a12875a9e62e1ecbcd1dded1879ab06949566276
+If the web server returns a 403 Forbidden status, then CWAF works fine.
+===== Troubleshooting =====
+==== Test Method Won't Trigger 403 =====
+The following test method for a command injection attack won't work due to the ModSecurity rule set change:
+  - Create a ''delete.php'' file with following code: <code>
 <?php
 print("Please specify the name of the file to delete");
@@ Line 68: / Line 106: @@
 ?>
 </code>
-  - Create a dummy file \\ <code>touch bob.txt</code>
+  - Create a dummy file: <code>touch bob.txt</code>
-  - Open <code> http://$server_domain/delete.php?filename=bob.txt;id </code>
+  - Open: <code> http://$server_domain/delete.php?filename=bob.txt;id </code>
-If WAF works, you will get a 403 forbidden page
+You will //not// get a 403 forbidden page if you test in this way. Please use other methods for testing.
+In terms of //how// to test for command injection attack protection, you may need to consult the corresponding ModSecurity rules providers. As LiteSpeed is not  a ModSecurity rule set provider, we are not in a position to provide such recommendations.