Differences

This shows you the differences between two versions of the page.

litespeed_wiki:waf:standalone [2018/11/08 18:49]
Jackson Zhang
litespeed_wiki:waf:standalone [2018/11/08 19:56] (current)
Lisa Clarke Proofreading and Rewording
Line 1: Line 1:
-====== ​How to enable mod_security rules on Standalone LiteSpeed Web Server====== +====== ​Enabling ModSecurity Rules on Standalone LiteSpeed Web Server====== 
-In LSWS Web Admin console, there is "Web Application Firewall (WAF)" under: Server -> Security ->  "Web Application Firewall (WAF). It is a LSWS built-in feature ​to enable and add mod_scurity ​rule set on an LSWS native server. For a control panel environment,​ these steps are unnecessary. Simply enable the mod_security ​rule set from the control panel, the same way you would enable a rule set for Apache. For more information on that, please see [[litespeed_wiki:​waf#​with_a_control_panel|this wiki]]. ​ +In the LSWS Web Admin console, there is a **Web Application Firewall (WAF)** section which allows you to enable ​ModSecurity ​and add rule set on an LSWS native server. ​(For a control panel environment,​ these steps are unnecessary. Simply enable the ModSecurity ​rule set from the control panel, the same way you would enable a rule set for Apache. For more information on that, please see [[litespeed_wiki:​waf#​with_a_control_panel|this wiki]].
 + 
 +Navigate to **Server > Security**
  
 {{ :​litespeed_wiki:​waf:​lsws-builtin-waf.png?​600 |}} {{ :​litespeed_wiki:​waf:​lsws-builtin-waf.png?​600 |}}
  
-"Web Application Firewall (WAF)" for LSWS native is for user to choose whether to enable **request content deep inspection**. This feature is equivalent to Apache'​s ​mod_security, which can be used to detect and block requests with ill intention by matching them to known signatures.+In the **Web Application Firewall (WAF)** section, you can choose whether to enable **Request Content Deep Inspection**. This feature is equivalent to Apache'​s ​ModSecurity, which can be used to detect and block requests with ill intention by matching them to known signatures. 
 + 
 +There are many rule sets you can choose from, such as: 
  
-There are many rules sets you can choose, such as: **OWASP**, **Comodo**, **Atomicorp**, **Imunify360** etc. LSWS are compatible with these rule sets and it is up to you to choose ​one of them. You can also come up with your own customised ​rules if you are familiar with crafting ​mod_security ​rule set+  ​* OWASP 
 +  ​* Comodo 
 +  ​* Atomicorp 
 +  ​* Imunify360 
 +   
 +And others. LSWS is compatible with these rule setsand you may choose ​your favorite. You may also define ​your own customized ​rulesif you are familiar with crafting ​ModSecurity ​rule sets
  
-The following wiki will use Comodo ​rule set as an example ​to show you how to enable mod_security rule set on LSWS native mode.+Let's see how to enable a ModSecurity ​rule set, using Comodo ​as an example.
  
-[[https://​waf.comodo.com/​ | Comodo ]] is a Mod_Security ​rule set created by the Comodo Team. It provides real time protection for web apps running on the LiteSpeed Web Server. Its functions include:+[[https://​waf.comodo.com/​ | Comodo ]] is a ModSecurity ​rule set created by the Comodo Team. It provides real-time protection for web apps running on LiteSpeed Web Server. Its functions include:
   * Protecting sensitive customer data   * Protecting sensitive customer data
   * Meeting PCI compliance requirements   * Meeting PCI compliance requirements
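Review bot: The parenthesis opened at "(For a control panel environment" in the new intro paragraph is never closed; the paragraph ends at "this wiki]]." with no ")". Close it after the wiki link or drop the opening parenthesis. In the same paragraph, "add rule set on an LSWS native server" reads better as "add rule sets to an LSWS native server". The new "Navigate to **Server > Security**" line also differs from the later sections, which use "**Configuration > Server > Security > ...**"; use one form of the path throughout.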
Line 18: Line 27:
 ===== Download and Extract Rules ===== ===== Download and Extract Rules =====
  
-We first need to download Comodo rules that are compatible with Litespeed.+First, ​download Comodo rules that are compatible with Litespeed.
  
 <​code>​ <​code>​
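Review bot: "Litespeed" in the new sentence "First, download Comodo rules that are compatible with Litespeed." should be "LiteSpeed", matching the product name as it is written in the page title and the rest of this revision.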
Line 29: Line 38:
  
 This will download Comodo Litespeed rules, and move ''​rules.conf.main''​ to ''​rules.conf''​. This is the file we will reference in the WebAdmin console. This will download Comodo Litespeed rules, and move ''​rules.conf.main''​ to ''​rules.conf''​. This is the file we will reference in the WebAdmin console.
- 
  
 =====Add WAF Rule Set===== =====Add WAF Rule Set=====
  
-Navigate to **Configurations >> Server ​>> Security ​>> WAF Rule Set**+Navigate to **Configuration ​> Server > Security > WAF Rule Set**
  
 {{ :​litespeed_wiki:​waf:​waf-ruleset.png?​600 |}} {{ :​litespeed_wiki:​waf:​waf-ruleset.png?​600 |}}
Line 50: Line 58:
 =====Enable Firewall===== =====Enable Firewall=====
  
-Navigate to **Configurations >> Server ​>> Security ​>> Web Application Firewall (WAF)**+Navigate to **Configuration ​> Server > Security > Web Application Firewall (WAF)**
  
 {{ :​litespeed_wiki:​waf:​waf-enable.png?​600 |}} {{ :​litespeed_wiki:​waf:​waf-enable.png?​600 |}}
Line 63: Line 71:
   * **Security Audit Log**: ''​$SERVER_ROOT/​logs/​security_audit.log''​   * **Security Audit Log**: ''​$SERVER_ROOT/​logs/​security_audit.log''​
  
-Click **Save** to enable the firewall, and perform Graceful Restart.+Click **Save** to enable the firewall, and perform ​Graceful Restart.
  
-===== Test mod_security ​rule set =====+===== Test ModSecurity ​rule set =====
 ====Method 1==== ====Method 1====
-  - To check CWAF for protection, send the request ​as shown below: <​code>​http://​$server_domain/?​a=b AND 1=1</​code> ​The server ​will respond with a 403 status code \\ {{:​litespeed_wiki:​waf:​comodo-5.png?​500|}}+To check CWAF for protection, send this request: ​ 
 + 
 +<​code>​http://​$server_domain/?​a=b AND 1=1</​code> ​ 
 + 
 +If it's working, the server ​should ​respond with a 403 status code
 + 
 +{{:​litespeed_wiki:​waf:​comodo-5.png?​500|}}
  
 ====Method 2: ==== ====Method 2: ====
-You can check that CWAF works properly by sending ​in GET or POST request parameter cwaf_test_request=a12875a9e62e1ecbcd1dded1879ab06949566276+You can check that CWAF works properly by sending ​GET or POST request parameter ​''​cwaf_test_request=a12875a9e62e1ecbcd1dded1879ab06949566276''​
  
-like+Like this:
  
   http://​$server_domain/?​cwaf_test_request=a12875a9e62e1ecbcd1dded1879ab06949566276   http://​$server_domain/?​cwaf_test_request=a12875a9e62e1ecbcd1dded1879ab06949566276
  
-If web server ​will return status ​403 Forbidden, then CWAF works fine.+If the web server ​returns a 403 Forbidden ​status, then CWAF works fine.
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
  
-==== The following method won'​t ​trigger due to mod_security rule set change ​=====+==== Test Method Won'​t ​Trigger 403 =====
  
-The following test method for command injection attack won't work due to the mod_scurity ​rule set change:+The following test method for command injection attack won't work due to the ModSecurity ​rule set change:
  
-  - Create a delete.php file with following ​codes \\ <​code>​+  - Create a ''​delete.php'' ​file with following ​code: <​code>​
 <?php <?php
 print("​Please specify the name of the file to delete"​);​ print("​Please specify the name of the file to delete"​);​
Line 92: Line 106:
 ?> ?>
 </​code>​ </​code>​
-  - Create a dummy file \\ <​code>​touch bob.txt</​code>​ +  - Create a dummy file<​code>​touch bob.txt</​code>​ 
-  - Open <​code>​ http://​$server_domain/​delete.php?​filename=bob.txt;​id </​code>​ +  - Open<​code>​ http://​$server_domain/​delete.php?​filename=bob.txt;​id </​code>​
- +
-You will not get a 403 forbidden page if you test as above. Please use other methods to test. In term of how to test against the Command injection attack protection, you may need to consult corresponding mod_security rules providers. As we are not  mod_security rulesets provider and we are not in a position to provide such recommendation.  +
- +
  
 +You will //not// get a 403 forbidden page if you test in this way. Please use other methods for testing. ​
  
 +In terms of //how// to test for command injection attack protection, you may need to consult the corresponding ModSecurity rules providers. As LiteSpeed is not  a ModSecurity rule set provider, we are not in a position to provide such recommendations. ​
  
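Review bot: "Please use other methods for testing" in the new closing paragraph does not say which methods; point the reader back to Method 1 and Method 2 under the Test section, which this page says return a 403. Since the steps above it document a test that is known not to trigger, consider adding a line telling the reader to remove ''delete.php'' and ''bob.txt'' afterwards if they tried it. Also, "403 forbidden" should match the "403 Forbidden" used in Method 2, and "is not  a ModSecurity" has a doubled space.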
 
litespeed_wiki/waf/standalone.txt · Last modified: 2018/11/08 19:56 by Lisa Clarke