This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
litespeed_wiki:waf:standalone [2018/05/16 19:30]
Eric Leu [Method 2: Command injection attack]
litespeed_wiki:waf:standalone [2018/11/08 19:56] (current)
Lisa Clarke Proofreading and Rewording
Line 1: Line 1:
-====== ​How to Setup Comodo ​on Standalone LiteSpeed Web Server====== +====== ​Enabling ModSecurity Rules on Standalone LiteSpeed Web Server====== 
-[[https://​waf.comodo.com/​ | Comodo ]] is a Mod_Security ​rule set created by the Comodo Team. It provides real time protection for web apps running on the LiteSpeed Web Server. Its functions include:+In the LSWS Web Admin console, there is a **Web Application Firewall (WAF)** section which allows you to enable ModSecurity and add a rule set on an LSWS native server. (For a control panel environment,​ these steps are unnecessary. Simply enable the ModSecurity rule set from the control panel, the same way you would enable a rule set for Apache. For more information on that, please see [[litespeed_wiki:​waf#​with_a_control_panel|this wiki]].) 
 +Navigate to **Server > Security** 
 +{{ :​litespeed_wiki:​waf:​lsws-builtin-waf.png?​600 |}} 
 +In the **Web Application Firewall (WAF)** section, you can choose whether to enable **Request Content Deep Inspection**. This feature is equivalent to Apache'​s ModSecurity,​ which can be used to detect and block requests with ill intention by matching them to known signatures. 
 +There are many rule sets you can choose from, such as:  
 +  * OWASP 
 +  * Comodo 
 +  * Atomicorp 
 +  * Imunify360 
 +And others. LSWS is compatible with these rule sets, and you may choose your favorite. You may also define your own customized rules, if you are familiar with crafting ModSecurity rule sets.  
 +Let's see how to enable a ModSecurity rule set, using Comodo as an example. 
 +[[https://​waf.comodo.com/​ | Comodo ]] is a ModSecurity ​rule set created by the Comodo Team. It provides real-time protection for web apps running on LiteSpeed Web Server. Its functions include:
   * Protecting sensitive customer data   * Protecting sensitive customer data
   * Meeting PCI compliance requirements   * Meeting PCI compliance requirements
Line 8: Line 27:
 ===== Download and Extract Rules ===== ===== Download and Extract Rules =====
-We first need to download Comodo rules that are compatible with Litespeed.+First, ​download Comodo rules that are compatible with Litespeed.
 <​code>​ <​code>​
Line 19: Line 38:
 This will download Comodo Litespeed rules, and move ''​rules.conf.main''​ to ''​rules.conf''​. This is the file we will reference in the WebAdmin console. This will download Comodo Litespeed rules, and move ''​rules.conf.main''​ to ''​rules.conf''​. This is the file we will reference in the WebAdmin console.
 =====Add WAF Rule Set===== =====Add WAF Rule Set=====
-Navigate to **Configurations >> Server ​>> Security ​>> WAF Rule Set**+Navigate to **Configuration ​> Server > Security > WAF Rule Set**
 {{ :​litespeed_wiki:​waf:​waf-ruleset.png?​600 |}} {{ :​litespeed_wiki:​waf:​waf-ruleset.png?​600 |}}
Line 40: Line 58:
 =====Enable Firewall===== =====Enable Firewall=====
-Navigate to **Configurations >> Server ​>> Security ​>> Web Application Firewall (WAF)**+Navigate to **Configuration ​> Server > Security > Web Application Firewall (WAF)**
 {{ :​litespeed_wiki:​waf:​waf-enable.png?​600 |}} {{ :​litespeed_wiki:​waf:​waf-enable.png?​600 |}}
Line 53: Line 71:
   * **Security Audit Log**: ''​$SERVER_ROOT/​logs/​security_audit.log''​   * **Security Audit Log**: ''​$SERVER_ROOT/​logs/​security_audit.log''​
-Click **Save** to enable the firewall, and perform Graceful Restart.+Click **Save** to enable the firewall, and perform ​Graceful Restart.
-===== Verify Comodo ​=====+===== Test ModSecurity rule set =====
 ====Method 1==== ====Method 1====
-  - To check CWAF for protection, send the request ​as shown below<​code>​http://​$server_domain/?​a=b AND 1=1</​code>​ The server will respond with a 403 status code \\ {{:​litespeed_wiki:​waf:​comodo-5.png?​500|}}+To check CWAF for protection, send this request: ​
-====Method 2: Command injection attack==== +<​code>​http://​$server_domain/?​a=b AND 1=1</​code>​  
-  - Create a delete.php file with following ​codes \\ <​code>​+ 
 +If it's working, the server should respond with a 403 status code. 
 +====Method 2: ==== 
 +You can check that CWAF works properly by sending a GET or POST request parameter ''​cwaf_test_request=a12875a9e62e1ecbcd1dded1879ab06949566276''​ 
 +Like this: 
 +  http://​$server_domain/?​cwaf_test_request=a12875a9e62e1ecbcd1dded1879ab06949566276 
 +If the web server returns a 403 Forbidden status, then CWAF works fine. 
 +===== Troubleshooting ===== 
 +==== Test Method Won't Trigger 403 ===== 
 +The following test method for a command injection attack won't work due to the ModSecurity rule set change: 
 +  - Create a ''​delete.php'' ​file with following ​code: <​code>​
 <?php <?php
 print("​Please specify the name of the file to delete"​);​ print("​Please specify the name of the file to delete"​);​
Line 68: Line 106:
 ?> ?>
 </​code>​ </​code>​
-  - Create a dummy file \\ <​code>​touch bob.txt</​code>​ +  - Create a dummy file<​code>​touch bob.txt</​code>​ 
-  - Open <​code>​ http://​$server_domain/​delete.php?​filename=bob.txt;​id </​code>​ +  - Open<​code>​ http://​$server_domain/​delete.php?​filename=bob.txt;​id </​code>​
-If WAF works, you will get a 403 forbidden page +
- +
 +You will //not// get a 403 forbidden page if you test in this way. Please use other methods for testing. ​
 +In terms of //how// to test for command injection attack protection, you may need to consult the corresponding ModSecurity rules providers. As LiteSpeed is not  a ModSecurity rule set provider, we are not in a position to provide such recommendations. ​
litespeed_wiki/waf/standalone.1526499000.txt.gz · Last modified: 2018/05/16 19:30 by Eric Leu