mod_security

markb1439 · Jan 23, 2011

Hello,

I've heard a good bit of concerning talk about LiteSpeed's support (or lack of support) for mod_security.

For example, the gotroot people say that LS does not fully support mod_security, and therefore many of the rules and protections are ineffective.

I've seen similar claims, and various partial answers here and there, but nothing definitive.

With security growing even more important every day, I am wondering if LiteSpeed staff can address this issue definitively and let me know how secure LS is, especially in regard to mod_security.

If you can outline how to best set up LS with effective mod_security on a cPanel server, that would be appreciated. That was asked in a post several months ago that was never responded to.

Thanks,

Mark

markb1439 · Jan 23, 2011

To clarify, here is what gotroot says about LiteSpeed and mod_security:

Is this true? If so, this is very concerning because LiteSpeed is advertised as a completely Apache-compatible, drop-in replacement. However, if the comments above are true, LiteSpeed ignores an important, major part of Apache functionality. An omission such as this should be disclosed, IMHO.

Or am I missing something? I look forward to a definitive answer about LiteSpeed and mod_security (and security in general).

Thanks.

mistwang · Jan 24, 2011

mod_security makes big changes from release 1.9 to 2.x, our implementation is based on 1.9, so not all features in 2.x are support. We will add more 2.x features in the future. those features are probably only used in 5% of rules.

But if you require 100% compatibility with mod_security, you may have to stay with Apache.

markb1439 · Jan 24, 2011

Of course, it is concerning that these differences were not spelled out prominently. LiteSpeed is advertised as "APACHE INTERCHANGEABLE". That implies that it is functionally equivalent, however this is not the case in terms of mod_security. And, of course, security is critical in today's climate.

The biggest question is how secure LiteSpeed is (in terms of mod_security) compared to Apache. Please feel free to explain further, so we can decide whether LiteSpeed is safe to use.

mikegotroot · Feb 1, 2011

I'm the lead developer of one of the two modsecurity projects out there and maybe I can help explain.

All the current rulesets out there (Gotroot, OWASP, etc.) require support for the 2.5.x rule language. Those rules have a different syntax from the older 1.9.x rules, and also use lots of features that the older implementation (1.9.x) does not have - which means 2.5.x rules are WAY WAY more robust but also, incompatible with 1.9.x implementations.

This is all good stuff. There are things we can do in 2.5.x that are simply not possible in 1.9.x (the features don't exist, like lua scripts, branching logic, DOS protections, anti-obfuscation countermeasures, transforms, etc.). There are things we can do in 2.5.x that are really fast, which in 1.9.x were painfully impossibly slow, such as the ability to do Aho-Corasick matching - which made it possible to do matches against large lists super fast (think big blacklists of malicious domains, IPs, etc.). We can also do branching logic in 2.5.x, which we can't do 1.9.x - think of if then else statements, which are used by both the OWASP and GotRoot rules for huge performance gains (if I dont see X in this payload, skip all these rules). In fact, both rule sets won't even work correctly with a 1.9.x implementation because of the lack of branching logic, which is a real biggie. Probably 100% of the rules won't work right without that logic alone.

We can also do anomaly detection in 2.5.x, again, this doesnt exist in 1.9.x, so if you use either ruleset in anomaly detection mode 100% of the rules don't work in 1.9.x implemenations. So its really a square peg in a round hole trying to get 2.5.x rules to work in the less capable 1.9.x implementation. It just won't work.

And finally, the new rule language lets us do things that massively reduces false positives. Its like night and day from a reliability point of view. The improvements in this area were so great that 1.9.x was dropped by rule authors for probably that reason alone!

So, the advantages of the 2.5.x implementation are just worth so much its not worth maintaining rulesets for 1.9.x. We retired our 1.9.x rules many years ago for just those reasons. So, the 2.5.x change was a big positive change well worth the adoption.

Unfortunately, thats means 1.9.x implementations such as LiteSpeeds are left in the cold because the big rule projects moved onto 2.5.x years ago. Its like being forced to support something you know is just out of date, inefficient and not powerful enough to solve the problems you know you need to solve to protect your users. No security guy wants that.

So, I hope that Litespeed can support 2.5.x soon, we'd love to be able to help out LiteSpeed users with our rules. If you must use 1.9.x rules, we do still publish 1.9.x rules at www.gotroot.com, but they are totally EOL and I wouldn't rely on any 1.9.x rules to protect you from modern attacks and expect FPs too, we just cant do all the things we've been doing for years with the 2.5.x rules in 1.9.x. Too many things can get past an older implementation, but something is probably better than nothing.

I hope this information helps everyone to understand where things are, and I wish LiteSpeed all the success in the world getting a 2.5.x implementation in place!

mistwang · Feb 2, 2011

We have been adding 2.5 features into our modsec engine, @pm, @pmFromFile are supported in our 4.1RC4 release already. We will continue adding more features based on popularity and importance.

mikegotroot · Feb 2, 2011

Thats a good start. I look forward to when your implementation is feature complete.

If you want a suggestion for your next feature to add, as both the OWASP and Gotroot/Atomicorp rule require the new branching logic directives to work I recommend you add in those in next. Neither ruleset is going to work properly without that.

If you could also document what you do and do not support in your implementation that would certainly be helpful not just to your users, but to those of us that write WAF rules. It would help us to create a reduced set of rules for your implementation while you are still working towards full support for the rule language.

markb1439 · Feb 3, 2011

Thanks for the info.

I'd like to ask both of you...

If I'm setting up a new server with LiteSpeed right now (under cPanel/WHM), what do I need to do in order to get the best mod_security protection? Given that not all the 2.x rules are compatible, will the gotroot set break LiteSpeed?

Or, is LiteSpeed not yet secure enough (until it fully supports 2.x)?

Also, will ASL Lite work in a cPanel situation with LiteSpeed installed? (I mean, assuming that the rules will work, will the ASL Lite autoupdater also work...or does it not coexist with LiteSpeed?

I love LiteSpeed but I also need security. So any advice will be appreciated.

Thanks,

Mark

mistwang · Feb 3, 2011

Are you talking about "chain" and "skip" actions? those actions are supported currently.
There are litespeed users loading getroot or some other modsec rule sets. rules using regular express matching do work. It does not break LiteSpeed.

markb1439 · Feb 3, 2011

I just mean that we need the most comprehensive protection available.

I don't know all the terminology...can you tell me right now if LiteSpeed offers the same mod_security protection as Apache? If not, what features are missing? I am not trying to be a pest...this is a very important issue, and it is important to know which protections you are providing, and which ones you aren't.

Does anyone know if there are any modifications necessary to make the gotroot rules work with LSWS? I've heard various results.

Thanks,

Mark

mikegotroot · Feb 3, 2011

Thank you for the reply. No, I'm talking about the ability to actually creating branching logic using SecAction, Secskip, SecMarker and other methods. Example:

SecRule REQUEST_METHOD "@pm trace track connect post" \
"phase:1,t:none,t:lowercase,pass,nolog,skip:1"
SecAction phase:1,t:none,pass,nolog,skipAfter:END_FOO

SecRule REQUEST_METHOD "trac(?:e|k)" \ "phase:1,t:none,t:lowercase,id:340002,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: TRACE/TRACK method denied'"

# Rule 340361: deny CONNECT method
SecRule REQUEST_METHOD "connect" \ "t:none,t:lowercase,capture,phase:1,t:lowercase,id:340361,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: CONNECT method denied',logdata:'%{TX.0}'"

SecMarker END_FOO

Do you support that? And what about the transforms in 2.5.13, like escapeSeqDecode, removecomments, and others. I could go on, but you get the point. I couldnt find any documentation on your WAF module, if you could point me to it then I would know what you do support, and what 2.5.x logic won't work with your WAF module. As it stands right now, I get several reports a week that the current gotroot and OWASP rules don't work with your implementation. If you dont support all the features in 2.5.13, then that makes sense. Could you please tell me what features you do support?

I'm a bit puzzled by this response. Do you support the whole rule language or not? It not, then rules won't work correctly (Modsecurity rules require a lot more than just regular expression matching). If your implementation is supposed to be a drop in replacement I'm glad to hear that, so can you confirm that you support the whole 2.5.13+ rule language? And if not, what do you support?

mikegotroot · Feb 3, 2011

My two cents, I dont know if it will "break" LiteSpeed (I doubt it), but if LiteSpeed doesnt support the full rule language you will not be as secure against web attacks and many of the rules written for modsecurity may not even work correctly. You really need the full feature set in modsecurity 2.5.13 to use either the gotroot or OWASP rules which are written for modsecurity. Those rules might "load" but without all the features they won't work correctly, they probably won't even detect attacks properly. 2.5.x rules are very different from the simplistic 1.9.x "look for this regexp" rules, its like night and day. So even though 1.9.x rules worked in the past does not mean modern 2.5.x rules will, the whole syntax of the language changed between 1.9.x and 2.0, and 2.5.x has added tons of new things.

ASL Lite works great with cpanel, and the autoupdater will work just fine with cpanel and litespeed. The issue is does LiteSpeed understand the rules, and your guess is as good as mine. As I understand it, I thought LiteSpeed was a drop in replacement for Apache, and if it is then the answer should be yes. However, we don't know what LiteSpeed supports in its modsecurity like implemenation (I cant find any documentation, if someone could point me to it that would be awesome!) and we have had lots of reports that the 2.x rulesets don't work right, ours, OWASPs or anyone elses.

So the LiteSpeed implementation appears to not be feature complete, and I'd like nothing more than to be wrong about that and to say yes it will work. So if someone from LiteSpeed could explain what they do support, we'd all apreciate that.

Without knowing what it does support its very difficult to even begin to write rules for it, and with reports that things don't work right, all I can say is no the gotroot and OWASP rules will not work right (may not even load correctly) with LiteSpeeds WAF. With that said, I hope LiteSpeed is close to full 2.5.13 compability, because if all it had is 1.9.x compatibility then no it won't be as secure as Apache. :-(

Me too!

markb1439 · Feb 3, 2011

Of course Mike's answer is way over my head. However, in laymen's terms, I'd like a similar answer:

Exactly what mod_security protection does LiteSpeed provide? Is it full support for all rules? Or is it limited...and, if so, HOW limited? In today's security climate, vague answers simply aren't good enough. If we're putting our servers in the hands of your software...and paying a pretty penny for your software when other software is available free...we need definitive answers on what protection your software is giving us (or not).

Also, I'm confused about the answer on whether the gotroot rules will work with LiteSpeed. I've seen multiple reports that the rules don't work well with LiteSpeed (not a gotroot issue, but apparently an issue with LiteSpeed's mod_security implementation). Of course, mod_security rules are only effective if they protect but don't interfere with normal operations.

So I'd really appreciate some frank, detailed answers from LiteSpeed on this issue. We are deploying a new server this week, and we can't justify using LiteSpeed on it (or continuing to use LiteSpeed elsewhere) without knowing these answers.

Thanks,

Mark

mistwang · Feb 3, 2011

got it. support for SecMarker and skipAfter action is required, should be easy to implement. We do assume rule ID is numeric though, all examples given in modsec document are integers.

We are adding more features for our 4.1 release to improve the compatibility with modsec 2.5, however, there is some feature we wont consider to support right now:

1. xml related.
2. pdf related.
3. lua script (we are investigating, may add, but low priority)
4. geo lookup (duplicate with mod_geoip, can use env added by mod_geoip)
5. inspecting response body (still evaluating)
6. executing external script

We do not plan to implement features mainly because, some features may rely on third party libraries, and the license of that library may not allow us to incorporate into our product; some features may severely slow down the non-blocking, single-thread process, especially, when large amount of data need to be processed, it is fatal. We have seen even PCRE hanging lshttpd process with 100% cpu.

Hope it will make it a little bit clearer with our mod_sec support.
BTW: we will publish a document regarding what feature is supported, what is not, after our 4.1 release settled.

markb1439 · Feb 3, 2011

Thanks for the reply. However it's highly technical...I'm wondering if you can explain in laymen's terms:

How secure is LiteSpeed now? (In other words, how much of the mod_security functionality is missing?)
When will additional security be added?
When will LiteSpeed offer the full protection currently offered by Apache + mod_security?

I was actually surprised to find that much of this functionality is missing, since LiteSpeed is marketed as a complete equivalent replacement for Apache. It should definitely have been disclosed that important security features are not implemented, IMHO.

Thanks,

Mark

mikegotroot · Feb 3, 2011

Thank you for the reply. Based on the modsecurity documentation here:

http://www.modsecurity.org/document....12/modsecurity2-apache-reference.html#N11514

Which of its features are supported in Litespeed today, and what is planned in your next release?

markb1439 · Feb 4, 2011

Hi Again,

We are deploying a new server over the weekend, and we have decided that we will not even consider using LiteSpeed on it until we receive answers for the questions asked previously:

How secure is LiteSpeed now? (In other words, how much of the mod_security functionality is missing?)
When will additional security be added?
When will LiteSpeed offer the full protection currently offered by Apache + mod_security?

In addition, we will probably discontinue our existing use of LiteSpeed until we get these answers. And we may still stay away from LiteSpeed if the answers are not favorable. For example, if it will still be a long time before LiteSpeed offers the same security as Apache, we'll have to take that into consideration.

We are a bit upset that we've been using LiteSpeed for some time now, thinking that it offered the full functionality of Apache in terms of security...only to find out that it does not. And we aren't even sure how much of that security it does offer, because those answers are not being provided. We feel that a major shortcoming like this should have been disclosed publicly, instead of LiteSpeed simply being advertised as a drop-in replacement for Apache, with no mention of gaping security holes and lack of full support for mod_security.

Mark

markb1439 · Feb 7, 2011

LiteSpeed, can you please answer the questions I've asked:

How secure is LiteSpeed now? (In other words, how much of the mod_security functionality is missing?)
When will additional security be added?
When will LiteSpeed offer the full protection currently offered by Apache + mod_security?

These are fair questions, as you are advertising a functional replacement for Apache. So, as hosts, we need to know what security functionality is missing from your product.

Can you also clarify your request filtering functions? Do they replace some of the missing mod_security functionality? Do they require their own rules? Are the rules included in the LiteSpeed installation? Are the rules updated automatically?

The security-related functions (e.g., mod_security, etc.) are not very-well explained. Please provide answers so we can decide whether to use your product moving forward.

Thanks,

Mark

EDIT: I'm not trying to be negative or hostile, in fact I hope the answers are not bad...I hope that LiteSpeed is very secure in terms of mod_security. But without the answers I don't know what the situation is. Thanks.

NC-Designs · May 8, 2011

Hi Mark, gotroot guy and LiteSpeed staff. This thread is typical of LiteSpeed forum.

Staff eventually not replying and not finding a sufficient resolution. Now I am aware you have added modsec 2.5 support to your latest release however it really isn't sufficient. Your changelog displays this but by that you could mean, we have added 1 feature of 2.5 or the entire functionality. However, from using 4.1 I have found that you really haven't added much of the functionality some people would require.

I have found LocationMatch rules for example, not to work.

Even simple SecRule from testing have failed to work?!

Now I have paid for this service fair and square however the results I am getting are not sufficient. I have purchased an owned license with yourselves and that is more than enough to fund development. I have tried contacting your support directly and you tell me to use the forum, all in vein when you don't even help!

Your support is shabby and your pricing somewhat outrageous. Now while I agree with everyone that LiteSpeed is a great piece of kit when it comes to security it has so much further to go. Why don't you drop the support for your own Modsec alternative and let us use Mod_Security? Wouldn't that just make life a little easier for you? Your product has some rough edges and this is certainly one of them. Functions that have worked in previous versions I find no longer work (See my previous threads) and please take a look at the latest addition to my threads.

Regards,
Chris.

mistwang · May 9, 2011

Those rules should work fine with 4.1 release.
We need to either check it on your server, or copy your configuration to our lab environment to reproduce it.

mod_security

Well-Known Member

Well-Known Member

LiteSpeed Staff

Well-Known Member

Member

LiteSpeed Staff

Member

Well-Known Member

LiteSpeed Staff

Well-Known Member

Member

Member

Well-Known Member

LiteSpeed Staff

Well-Known Member

Member

Well-Known Member

Well-Known Member

Well-Known Member

LiteSpeed Staff