mod_security
- Thread starter markb1439
- Start date
Gotroot 2.5 modsecurity processing in Litespeed
I signed up for a gotroot subscription and tried the rules as suggested for a cpanel installation, i.e. a relatively light rule set.
While most rules parsed ok, performance on the server was significantly degraded, a normal dynamic page that delivered in 300 milliseconds would take 20 seconds to load. It looks like the mod security implementation needs to be optimized or precompiled in some way, or an apache reverse proxy run in front of litespeed.
I signed up for a gotroot subscription and tried the rules as suggested for a cpanel installation, i.e. a relatively light rule set.
While most rules parsed ok, performance on the server was significantly degraded, a normal dynamic page that delivered in 300 milliseconds would take 20 seconds to load. It looks like the mod security implementation needs to be optimized or precompiled in some way, or an apache reverse proxy run in front of litespeed.
Same here. We see more and more hack attempts every day, and we need full mod_security support. I am a bit upset that we weren't told from the start that LiteSpeed's mod_security support is very incomplete. And now, even with Atomicorp doing all they can to help LiteSpeed implement it, it apparently still isn't there.
In today's climate, we need full support for mod_security. LiteSpeed may brag about their security features, but those features are ineffective if other threats are getting through because of the incomplete mod_security support.
LiteSpeed is very expensive considering the open source alternatives available. And LiteSpeed's support leaves a lot to be desired. For example, almost every other software company offers ticket-based or e-mail support. But with LiteSpeed, we must rely on forum-based support. And the answers in the forum are often cryptic and hard to follow. It is often hard to find the answers needed to properly configure and maintain LiteSpeed. So, on top of these issues, the security concerns are becoming a deal-breaker.
LiteSpeed, you will probably lose a lot of clients over this issue (including us) if you don't add real mod_security support ASAP.
In today's climate, we need full support for mod_security. LiteSpeed may brag about their security features, but those features are ineffective if other threats are getting through because of the incomplete mod_security support.
LiteSpeed is very expensive considering the open source alternatives available. And LiteSpeed's support leaves a lot to be desired. For example, almost every other software company offers ticket-based or e-mail support. But with LiteSpeed, we must rely on forum-based support. And the answers in the forum are often cryptic and hard to follow. It is often hard to find the answers needed to properly configure and maintain LiteSpeed. So, on top of these issues, the security concerns are becoming a deal-breaker.
LiteSpeed, you will probably lose a lot of clients over this issue (including us) if you don't add real mod_security support ASAP.
Last edited:
from 4.1, lsws already support mod_security 2.5
please refer release log:
http://www.litespeedtech.com/litespeed-web-server-release-log.html
although some features not supported, for example pdf scan. but core features like those in latest gotroot rules are supported and that's our target.
since mod_security and rules keeps updating, we may miss something important. Please point out which feature/rule are not supported by latest lsws and we'll investigate it.
mod_security 2.5 engine is most difficult part -- lsws already include it since 4.1.
please refer release log:
http://www.litespeedtech.com/litespeed-web-server-release-log.html
although some features not supported, for example pdf scan. but core features like those in latest gotroot rules are supported and that's our target.
since mod_security and rules keeps updating, we may miss something important. Please point out which feature/rule are not supported by latest lsws and we'll investigate it.
mod_security 2.5 engine is most difficult part -- lsws already include it since 4.1.
Thanks for the reply. According to the Atomicorp Wiki, LiteSpeed's mod_security 2.x support is still incomplete, as least as of a month or two ago:
http://www.atomicorp.com/wiki/index.php/Litespeed
If this is true, even if you "support 2.5 rules," that does not mean that your implementation of mod_security is complete. Please clarify this further.
BTW, I am not trying to be negative. I just need to make sure we are fully protected. Atomicorp seems to be a reliable company, so I trust their facts. However, if I have the facts wrong, please enlighten me.
http://www.atomicorp.com/wiki/index.php/Litespeed
If this is true, even if you "support 2.5 rules," that does not mean that your implementation of mod_security is complete. Please clarify this further.
BTW, I am not trying to be negative. I just need to make sure we are fully protected. Atomicorp seems to be a reliable company, so I trust their facts. However, if I have the facts wrong, please enlighten me.
Last edited:
Hi Again,
Atomicorp still tells me that LiteSpeed does not fully support mod_security. Can LiteSpeed please supply complete details?
We are about to deploy additional servers, but we can't put LiteSpeed on them (or continue using it on our existing servers) if LiteSpeed cannot even tell us how much of mod_security is actually supported...and what functionality is missing.
Atomicorp is a respected expert on security, so if they say there is a problem, I believe it.
LiteSpeed, please provide a complete, honest, comprehensive answer about your mod_security support (what's included, what's missing, etc.). (This is my other complaint about LiteSpeed, that complete information is often hard to get...answers are often incomplete or vague.) LiteSpeed, please answer the mod_security issue completely.
Thanks,
Mark
Atomicorp still tells me that LiteSpeed does not fully support mod_security. Can LiteSpeed please supply complete details?
We are about to deploy additional servers, but we can't put LiteSpeed on them (or continue using it on our existing servers) if LiteSpeed cannot even tell us how much of mod_security is actually supported...and what functionality is missing.
Atomicorp is a respected expert on security, so if they say there is a problem, I believe it.
LiteSpeed, please provide a complete, honest, comprehensive answer about your mod_security support (what's included, what's missing, etc.). (This is my other complaint about LiteSpeed, that complete information is often hard to get...answers are often incomplete or vague.) LiteSpeed, please answer the mod_security issue completely.
Thanks,
Mark
Hi Mark,
created a wiki page for your long-term concerns
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:mod_security-compatibility
created a wiki page for your long-term concerns
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:mod_security-compatibility
