mod_security Request Filters

[Michael.Terence]

Hey everyone - I'm working to secure my webserver with mod_security but have found very little info in the wiki, or the forums. Anyone interested in sharing their rules with everyone else?

I've been looking at the www.gotroot.com website (they have a great library of mod_security rules) but when I attempt to enable things things tend to break.

For example the following rule to block some spam words:

Action: log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace,msg:'No Spam Please'
Rules Definition: SecFilterSelective "POST_PAYLOAD" "(viagra|porn|poker|texasholdem|cialis|bllogspot|casino|gambling-|health-insurancedeals|homeequityloans|hotel-dealse-site|insurance-quotesdeals-4u|mortgage-4-u|mortgagequotes|online-gambling|shemale)"

The rule works for blocking the rules, but people who have subscribed to receive feedburner emails on new posts get an email with all the spaces removed. The action is set to trim whitespace, but I would think that's just for the inspection of the payload.

 

[Michael.Terence]

I got to looking at the default entries and modified my spam example to the following - the syntax for lsws is a bit different. I'm still unable to get it to actually deny the post though.

Action:  log,deny,auditlog,status:403,msg:'No Spam Please'
Rules Definition:  SecFilterSelective POST_PAYLOAD "viagra|porn|poker|texasholdem|cialis|bllogspot|casino|gambling-|health-insurancedeals|homeequityloans|hotel-dealse-site|insurance-quotesdeals-4u|mortgage-4-u|mortgagequotes|online-gambling|shemale"

 

[[QT]bender]

Agree, I have same problem. I was looking at gotroot by Prometheus too and was unable to get it working at Litespeed, and I found manual insufficient too(you can find manual on PHP CHROOT insufficient as well). It seems that there is a lot to do with this module or with manuals for LS tech. Possibly Litespeed tech enhance this module and we'll be able to use this excellent resource to enhance security. I'd even thought about inclusion of this features(gotroot mod_secuirty rule list) to Litespeed(somewhere in section 'Security'). Well, LSWSes has open-source back-end and we can hardcode this by ourselves if Litespeed include this feature in their future releases(our company developing e-Commerce products based on PHP and luckily Litespeed has back-end at PHP, so it's not a problem for us ).

Unfortunately I have no time for testings at the moment, so if you'll get it working and tell me how to do conversion of the rules, I'll be glad to hardcode and share a bash/perl script to convert new rules downloaded from gotroot and possibly automatic checker for rule list updates.

 

[Michael.Terence]

Thanks for posting bender - glad I'm not the only one having difficulties.

I've played around with some more settings but still no luck getting *any* rules to work. Even something as simple as:
log,deny,status:403,msg:'wget request denied'

SecFilterSelective THE_REQUEST "wget"

 

[Michael.Terence]

OK - I'M A MORON!

... seriously. I just never looked at the top of the page. I started testing the default rules and even they didn't work, so - I start looking for an option to turn ON the request filtering for the server... it was at the top of the page I've been working on for DAYS! hah

shoot me.

 

[[QT]bender]

OK - I'M A MORON!

... seriously. I just never looked at the top of the page. I started testing the default rules and even they didn't work, so - I start looking for an option to turn ON the request filtering for the server... it was at the top of the page I've been working on for DAYS! hah

shoot me.

Oh crap. Don't mind, never thought that it's at separate tab "Filter", I thought it should be at "Security"... =)

 

[brrr]

Good to hear it is working now.

Pls share your rules - I only have a minimal set of bot blocking rules like:

log,deny,status:404,msg:'Badbot blocked'

SecFilterSelective HEADER_USER_AGENT "MLbot"
SecFilterSelective HEADER_USER_AGENT "MOT-MPx220"
SecFilterSelective HEADER_USER_AGENT ^Morfeus

etc

alongside the standard LSWS SQL injection and XSS attack ones.

 

[Michael.Terence]

Only have one ATM - it has cut my community members spam posts down by a good 80%.

log,deny,auditlog,status:403,msg:'No Spam Please'

SecFilterSelective POST_PAYLOAD "lipitor|nude|valtrex|hardcore|viagra|porn|poker|texasholdem|cialis|bllogspot|casino|gambling-|health-insurancedeals|homeequityloans|hotel-dealse-site|insurance-quotesdeals-4u|mortgage-4-u|mortgagequotes|online-gambling|shemale"

 

[QuantumNet]

Would be nice if litespeed a few years later would support the mod security core rule set...

but no matter how many of the config files a stripped out it doesnt work

Litespeed + mod_security = a joke... 3 years and you still dont have it working

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project


It seems to me litespeed doesnt take system security seriously, why is this web server so expensive again?

 

[mistwang]

Please be more specific with your test case that LiteSpeed does not support basic security rules, so, we can look into it.

The rule you think should work. The test request/URI, related File/script.

In order to reduce the cost of heavy mod_security rule, LiteSpeed takes shortcuts in many places, like skipping checking against static files and file does not exist, etc.

 

[QuantumNet]

Would be nice if litespeed a few years later would support the mod security core rule set...

but no matter how many of the config files a stripped out it doesnt work

Litespeed + mod_security = a joke... 3 years and you still dont have it working

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project


It seems to me litespeed doesnt take system security seriously, why is this web server so expensive again?

Any of the rules in the owasp core ruleset... I disabled everything but the basic tires and no mater what I disabled.. litepeed choked.

Follow the url I provided and try to load any of the rules you will see for yourself, none of thsm work

 

[QuantumNet]

any update?