[Resolved] Modsecurity

[Will Harrison]

Hi all,

We are new to Litespeed, and have installed on a server with CPanel using the plugin. All gone well apart from Mod_security acting strangely.

We have commercial ASL rule set. I found I had to remove some of the rules based on errors when litespeed started. This I expected (file uploads etc).

However it still seemed a 406 could not be triggered with an obvious attack URL which I know would normally work. I therefore tried putting a rule in ahead of the ASL modsec rules. This time the 406 could be triggered. So I started removing ASL rules based on the order they loaded. I found the cure was emptying the whitelist.txt which was being loaded by

SecRule REMOTE_ADDR "@ipMatchFromFile whitelist.txt" "rev:1,id:345678,phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

in 00_asl_whitelist.conf

The strange thing was I needed to empty completely even comments!

Does anyone have any idea why this strangeness is happening please?

Thanks in advance

Will

 

[mistwang]

Looks like a bug in our mod_sec engine. We will give that rule a try in our lab.
Do you have proxy in front of LSWS?
What is in the whitelist.txt? please give us a short example.

Which version of LSWS are you using? 4.2.11?

 

[mistwang]

Maybe the comment line causes LSWS to whitelist all IPs, treat it as "*".
Try put only real IP in that file without comment, see if it is OK.

 

[Will Harrison]

I will try that as you suggest - this is the file in part:

starts with

# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x

...

#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security

...
list or domains continues

 

[Will Harrison]

Yes without the # comments all is okay. I guess I adjust our rule update script to remove these lines for the time being. Thanks for the idea - I really should have thought of trying that myself.