Request Filter Not Working?

NC-Designs

Well-Known Member
#1
I am having problems with the Request Filter not working. I have installed various rules and the particular one I am testing is -
Code:
# WEB-ATTACKS /etc/passwd access
SecFilter "/etc/passwd" deny,log,status:406
The request filter is enabled along with scan request body and log level set to 6.

When running the file that should trigger this, it doesn't. Put the rule into ModSec however and it denies instantly.

Any ideas why this is or should I say isn't happening?
 

NiteWave

Administrator
#4
Tested, with only 1 line in .htaccess:
SecFilter "/etc/passwd" deny,log,status:406
When accessed through http://domain.com/p.htm?f=/etc/passwd, it returns
406 Not Acceptable
as expected.

In error.log:
2010-08-15 08:25:05.940 [INFO] [10.0.0.1:1900-0#Example] [SECURITY] match [SecFilter] against pattern [/etc/passwd], result: 1
2010-08-15 08:25:05.940 [NOTICE] [10.0.0.1:1900-0#Example] mod_security rule triggered!
[Sun Aug 15 08:25:05 2010] [error] [client 10.0.0.1] ModSecurity: Access denied with code 406, [Rule: 'SecFilter' '/etc/passwd']
2010-08-15 08:25:05.940 [NOTICE] [10.0.0.1:1900-0#Example] Content len: 0, Request line:
GET /p.htm?f=/etc/passwd HTTP/1.1
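
Added example (not part of the original posts and not LiteSpeed or ModSecurity code): a small parser that checks an error.log excerpt for the entries shown in the post above, pairing each `[SECURITY] match` line with its deny status and request line, which gives a repeatable way to confirm whether a filter rule actually fired. The function name `rule_events` is hypothetical, the only log format assumed is the one quoted in post #4, and reading `result: 1` as "pattern matched" is an inference from that excerpt.

```python
import re

# Log lines copied from the post above; no other log format is assumed.
SAMPLE_LOG = """\
2010-08-15 08:25:05.940 [INFO] [10.0.0.1:1900-0#Example] [SECURITY] match [SecFilter] against pattern [/etc/passwd], result: 1
2010-08-15 08:25:05.940 [NOTICE] [10.0.0.1:1900-0#Example] mod_security rule triggered!
[Sun Aug 15 08:25:05 2010] [error] [client 10.0.0.1] ModSecurity: Access denied with code 406, [Rule: 'SecFilter' '/etc/passwd']
2010-08-15 08:25:05.940 [NOTICE] [10.0.0.1:1900-0#Example] Content len: 0, Request line:
GET /p.htm?f=/etc/passwd HTTP/1.1
"""

MATCH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[INFO\] \[(?P<conn>[^\]]+)\] \[SECURITY\] match "
    r"\[(?P<directive>[^\]]+)\] against pattern \[(?P<pattern>.*)\], result: (?P<result>\d+)$"
)
DENY_RE = re.compile(
    r"ModSecurity: Access denied with code (?P<status>\d+), "
    r"\[Rule: '(?P<directive>[^']*)' '(?P<pattern>[^']*)'\]"
)
REQLINE_RE = re.compile(r"\[(?P<conn>[^\]]+)\] Content len: \d+, Request line:\s*$")


def rule_events(text):
    """Return one dict per matched rule: pattern, deny status, request line."""
    events, current, want_request = [], None, False
    for line in text.splitlines():
        if want_request:  # the line after "Request line:" is the request itself
            current["request"] = line.strip()
            want_request = False
            continue
        m = MATCH_RE.match(line)
        if m and m["result"] == "1":  # assumption: result 1 means the pattern matched
            current = {"ts": m["ts"], "conn": m["conn"], "directive": m["directive"],
                       "pattern": m["pattern"], "status": None, "request": None}
            events.append(current)
            continue
        d = DENY_RE.search(line)
        if d and current and d["pattern"] == current["pattern"]:
            current["status"] = int(d["status"])
            continue
        r = REQLINE_RE.search(line)
        want_request = bool(r and current and r["conn"] == current["conn"])
    return events


if __name__ == "__main__":
    for event in rule_events(SAMPLE_LOG):
        print(event)
```

An empty result for a request that should have been blocked means no match line was logged for it, which is the symptom described in the first post.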
 

NC-Designs

Well-Known Member
#5
I don't understand. I run shared hosting and have recently changed over to LiteSpeed. Why would a customer want to put modsec rules in their .htaccess? I am talking about the request filters in the LiteSpeed panel.
 

NiteWave

Administrator
#6
When I did tests in the admin console, I also experienced some difficulty making it work well. Although it finally got working, there were some strange behaviors observed. For example, to make the change effective, restarting lsws is not enough; you must stop and then start lsws. But I'm not sure whether it's lsws's problem or the test box's problem, since I recreated /dev/urandom a few days ago on this box. But tests in .htaccess (maybe httpd.conf too) were quite smooth, so I posted the test results first.
 

NC-Designs

Well-Known Member
#7
Okay, thanks. I think Modsec would be the most reliable option of the two.

About LiteSpeed's IP blocking capability, how does it do it? Does it temporarily add to iptables, or is it its own blocking method?

As I think when my server comes under attack, this IP blocking is proving damaging rather than helpful as it increases load yet prevents the firewall from catching it.
 