Request Filtering not working...

[brettdavidsonnz]

I have tried the following :

Included a conf file into httpd.conf which contains...

SecFilterEngine On
SecServerSignature "Litespeed"
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecDebugLog logs/modsec-debug_log
SecDebugLogLevel 4
SecTmpDir /tmp
SecUploadKeepFiles Off
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,auditlog,status:412"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

I have tried enabling and disabling Request filters with this entry.

I have also tried putting an entry directly into the list which doesn't seem to work either.

What am I missing here?

 

[mistwang]

Only Enterprise edition support mod_security rule through httpd.conf

 

[brettdavidsonnz]

Um, sorry for not making that clear. We are evaluating Enterprise trial edition at present.
Or are you stating that only the full license supports mod_security rules?
(We were hoping to evaluate this on Litespeed particularly as Apache runs like a dog on our ruleset).

 

[mistwang]

It should be fine.
Just remember that LiteSpeed won't block any request resulting in "404".

 

[brettdavidsonnz]

I know it SHOULD be.

But that's why I have raised this issue.
It's not.

I created a subdir called bin.
In this I placed a script called websendmail. (just a junk script that does not perform this function)

I can access this although I should not be able too...

Test url is http://test.plesk-bsd2.hosting.isx.net.nz/websendmail

Rule is :
SecFilterSelective THE_REQUEST "/websendmail" "log,pass,id:sid815,rev:9,msg:'WEB-CGI websendmail access'"

 

[mistwang]

Your rule action is "log,pass, ...", it won't block anything, check the audit log see if anything logged.

 

[brettdavidsonnz]

There is no audit_log generated.

It's defined in an Include file under the httpd.conf to be :

logs/audit_log

It's not is {$litespeedhome}/logs.
It's not in /var/logs
It's not in {$vhostlogdir}

If I change the rule to deny it does not block.

Together, these two actions make me think it's not working at all.

You have looked at this server before; when you get a spare moment would you like to do so again?

 

[mistwang]

tested it again, works well.

 

[mistwang]

Check your "ServerRoot" directive in httpd.conf, audit_log should be at
<ServerRoot>/logs/audit_log

with LSWS 3.3.7 release.

There is no audit_log generated.

It's defined in an Include file under the httpd.conf to be :

logs/audit_log

It's not is {$litespeedhome}/logs.
It's not in /var/logs
It's not in {$vhostlogdir}

If I change the rule to deny it does not block.

Together, these two actions make me think it's not working at all.

You have looked at this server before; when you get a spare moment would you like to do so again?

 

[brettdavidsonnz]

Hmm. It wasn't going at all as I suspected

When Litespeed looked at the line :

Include etc/apache2/Includes/*.conf

in the httpd.conf, it was only including one of the files in there.
As such, it did not load the other include files, one of which one had the mod_security rules defined in it.

Manually specifying this file has made it all work! Yaay!

 

[brettdavidsonnz]

This was the only thing remaining for us to test before going ahead with a purchase.

You'll have our money soon...

 

[mistwang]

It is a bug has been fixed in 3.3.7 release, have you upgraded to 3.3.7?

When Litespeed looked at the line :

Include etc/apache2/Includes/*.conf

in the httpd.conf, it was only including one of the files in there.

 

[brettdavidsonnz]

Not yet.

The upgrade up to 3.3.6 was as simple as clicking the upgrade link.

The upgrade to 3.3.7-ent is a download link.

I had downloaded the product a while ago but haven't got around to reading any release notes and/or applying the upgrade yet. I'll do that shortly...

 

[brettdavidsonnz]

Done! Upgraded.

Whoops. Not an imperative but a nice to have is RoR support.
Will go and try that out now...