mod_security support

[mferguson]

Over the weekend we purchased and installed LSWS 4.0.12 Enterprise. We had been running Apache 2 and had several mod_security exceptions set up. We had /opt/mod_security/whitelist.conf define these exceptions but when we switched to LSWS it appears that it is using mod_security (lots of things are showing up in the modsec_audit.log) but that the exceptions we made are no longer working. Its as if the whitelist is being ignored.

Can anyone explain how mod_security configuration is done with LSWS or if there is a better way to handle functions that mod_security is providing?

Thanks

Mark

 

[mistwang]

Can you post the whitelist.conf

 

[mferguson]

Sure. It is:

SecRule Request_URI /frontend/x3/fantastico/autoinstall[a-zA-Z0-9]+.php phase:1,nolog,allow,ctl:ruleRemoveByID=340067
SecRule SERVER_NAME "ourdomainnamehere" phase:1,nolog,pass,ctl:ruleRemoveByID=340151
SecRule SERVER_NAME "ourdomainnamehere" phase:1,nolog,pass,ctl:ruleRemoveByID=340163

I've replaced the domain name above as my client doesn't want the address exposed in public forums.

Thanks!

Mark

 

[mistwang]

ruleRemoveByID is not supported yet, so, the only option with LiteSpeed is to comment out those unwanted rules.

 

[mferguson]

What rules are supported? For now I've had to disable all our rules since they were using ruleRemoveByID.

Thanks

Mark

 

[UWH-David]

Yes, I am seeing a LOT of mod_security rules failing with LiteSpeed. Is there any common thread so we can convert these to LiteSpeed friendly rules quickly? Process of elimination when you have thousands of rules is just not going to work.

 

[brrr]

Thousands of mod_security rules...

Little wonder you are looking into Litespeed on your server to improve performance

 

[UWH-David]

Even disabled, suPHP is not very quick.

Thousands of mod_security rules...

Little wonder you are looking into Litespeed on your server to improve performance

 

[mistwang]

Yes, I am seeing a LOT of mod_security rules failing with LiteSpeed. Is there any common thread so we can convert these to LiteSpeed friendly rules quickly? Process of elimination when you have thousands of rules is just not going to work.

If you do not mind, please send your rule set to bug@litespeed..., and tell us how to reproduce the issue (URL trigger it), we will investigate and improve the compatibility.

 

[UWH-David]

The majority of our rules are seeded from the gotroot modsec rule subscription:
http://www.gotroot.com/mod_security+rules

If you do not mind, please send your rule set to bug@litespeed..., and tell us how to reproduce the issue (URL trigger it), we will investigate and improve the compatibility.

 

[UWH-David]

What would be the most useful is if the log listed the ID of the mod_security rule which it is having troubles with.

The majority of our rules are seeded from the gotroot modsec rule subscription:
http://www.gotroot.com/mod_security+rules

 

[UWH-David]

Is this thread true?

https://www.atomicorp.com/forums/viewtopic.php?f=14&t=4222