LiteSpeed is not working with Mod Security?

[vivek]

Hello

I already reported that LiteSpeed is not working with mod security. But some one here, told me that it will work if the mod sec file is included in httpd.conf.

I thought that it is my mistake , But I changed the server just now.

I have a new server now ,and Installed mod security. I added lot of rules and all started working with Apache.

Then I installed litespeed and mod security stopped working.

Now, if I stop litespeed and start httpd, then I will get emails telling , some sites/ips are blocked by mod security.
But when I stop apache and start litespeed, no mails are coming.

Also , I checked it with a website, and confirmed that mod sec is not working with litespeed.

I want mod security. If it is not working with litespeed then I am sorry, I have to uninstall litespeed.

 

[ffeingol]

What version of LSWS are you using (free, paid, trial)? What is emailing you that things are being blocked by mod_security?

Frank

 

[vivek]

Hello
Its 3.3.4 Enterprise I suppose(Latest version, installed before a day).
Currently using the 14 days trial. But I think it is the same as paid, for at least 14 days.

I installed the CSF ,and I will get email from the Firewall something like this, when an mod sec blocks an IP

Time: Sat Jan 26 22:25:21 2008
IP: 91.75.37.130 (Unknown)
Failures: 1 (mod_security)
Interval: 255 seconds
Blocked: Yes

Log entries:

[Sat Jan 26 22:25:20 2008] [error] [client 91.75.37.130] mod_security: Access denied with code 403. Pattern match "/Long_stories/" at THE_REQUEST [severity "EMERGENCY"] [hostname "website.com"] [uri "/hack/hack.php"] [unique_id "R5v5oEU7GRsAAGdCxCU"]

 

[mistwang]

LiteSpeed does not block requests result in 404 not found.

 

[ffeingol]

Hello vivek,

I'm guessing that mod_security is really working with LSWS. Take a look at the value of "MODSEC_LOG" in your csf.conf. I'm guessing that Apache and LSWS are not logging things to the same place, so CSF is not finding the mod_security (like) messages from LSWS.

Frank

 

[vivek]

LiteSpeed does not block requests result in 404 not found.

I never told it is 404. Please take a look at the above post. It is 403.

 

[vivek]

Hello vivek,

I'm guessing that mod_security is really working with LSWS. Take a look at the value of "MODSEC_LOG" in your csf.conf. I'm guessing that Apache and LSWS are not logging things to the same place, so CSF is not finding the mod_security (like) messages from LSWS.

Frank

I searched for the MODSEC_LOG file and it is the same as apache log file.

I am sure lsws is not working with mod_sec. I also cant see any blocked IPs in CSF deny IP list.

But when I start httpd and stop lsws , then I can see the deny IP file is starts filling.
Any idea ?

 

[ffeingol]

I searched for the MODSEC_LOG file and it is the same as apache log file.

I am sure lsws is not working with mod_sec. I also cant see any blocked IPs in CSF deny IP list.

Hello vivek,

I'm sorry, but I think you are missing my point. In our config Apache logs to /etc/httpd/logs/error_log. LSWS on the other hand logs errors to /opt/lsws/logs/error.log.

Where your LSWS logs are is going to depend on where you installed LSWS and if you changed the default location for the log. Simply try grep'ping for SECURITY in your LSWS error log and you'll see right away if mod_security is working. You can also look for the SECURITY errors in the web interface.

Frank

 

[vivek]

Hello vivek,

I'm sorry, but I think you are missing my point. In our config Apache logs to /etc/httpd/logs/error_log. LSWS on the other hand logs errors to /opt/lsws/logs/error.log.

Where your LSWS logs are is going to depend on where you installed LSWS and if you changed the default location for the log. Simply try grep'ping for SECURITY in your LSWS error log and you'll see right away if mod_security is working. You can also look for the SECURITY errors in the web interface.

Frank

Ok, One doubt.So, if I change the MODSEC_LOG path to /opt/lsws/logs/error.log , the will CSF block the Ips? and add to its IP deny list ?

 

[ffeingol]

Your going to have to look at the mod_security entries in the LSWS log vs the Apache log and see if they are similar enough to get picked up. I'd have to look at how CSF scans the logs in more detail to know for sure.

The exact value for MODSEC_LOG is going to depend on where you installed LSWS (i.e. the exact path you choose).

Frank

 

[vivek]

Ya, I am also thinking the same, that CSF scans the error.log (apache) for any mod_security issue. And it will take the IP from that file , and block it .

I am not sure how it will scan the /opt/lsws/logs/error.log .

Anyway., I changed the entry to /opt/lsws/logs/error.log, and checking it again.

Vivek

 

[vivek]

ok, I changed it before many hours but still , CSF is not reading the lsws error.log and blocking those IPs.
Thats very bad.

Any other method ?

 

[ffeingol]

I believe the issue is that LSWS does not format the security message the same way the mod_security does. CSF is looking for a specific patter and not finding the LSWS lines.

Frank

 

[vivek]

I believe the issue is that LSWS does not format the security message the same way the mod_security does. CSF is looking for a specific patter and not finding the LSWS lines.

Frank

Well, I was wondering, is there any other method or is there any other firewall script that can read the lsws error.log file for mod security lines and that can block the IPs instantly?

Because the combination of

Apache + Mod_security+ConfigServer Firewall = is simply great!

But, if we replace apache with litespeed , then nothing works.(in the case of modsec.

Vivek

 

[vivek]

Also,
Why dont lsws format its error.log msg as just like apache do ?
So that CSF can read both apache and lsws log file for modsec lines.

 

[ffeingol]

Can you post a line from your error log (Apache) for mod_security? It should not be too difficult to change the regex in CSF to look for the LSWS lines. It would just be easier/quicker to be able to compare the two and I don't have any Apache servers anymore.

Frank

 

[vivek]

Here it is.

[Sat Jan 26 04:05:55 2008] [error] [client 213.42.21.150] mod_security: Access denied with code 403. Pattern match "/Long_stories/" at THE_REQUEST $verity "EMERGENCY"] [hostname "files.websitesss.com"] [uri "/Long_stories/rathi_nirvruthi/rathi_nirvruthi_1.pdf"] [unique_id "R5r380U7GRsAADhRezs"]


This is the line in apache log file, and CSF can detect this line and take IP, then add the IP to the blocked list.

Can anybody paste the lsws log for mod_security like this ??

 

[ffeingol]

I've posted on the CSF forum asking if they could add a regex that would support the LSWS format.

Frank

 

[vivek]

I saw your post, Still no reply from them