Litespeed and Modsecurity

sahostking

Well-Known Member
#1
Hi fellas,

I've recently installed LiteSpeed and enabled ModSecurity. I'm currently testing with the delayed Atomic rules, which are free, but I seem to get this error when using them:

mod_security: Access denied with code 406, [Rule: '' ''] [severity "WARNING"] [MatchedString ""]

All websites go down.

If I remove it, then all works again. If I change from LiteSpeed to Apache and try it again with the rules, all works fine.

Very strange. Any ideas?
 

webizen

Well-Known Member
#2
Likely the rules are not supported in LSWS. PM us the rules or temp root access to your server so we can look further, if you like.
 
#5
Which version ruleset

What is the suggested version to use for the gotroot rulesets at "https://updates.atomicorp.com/channels/rules/delayed/"? Should we use the "modsec-2.5" or the "modsec-2.7" ruleset? I am not sure which one is more compatible or has been tested.
 

NiteWave

Administrator
#6
I'd recommend using the latest rulesets.

mod_security is our upstream and is updated frequently, so we lag behind it almost all the time. But first, I don't think mod_security is all of security; second, one fact I know of: when I log in to our customers' servers, I see quite a lot of them have installed mod_security and LiteSpeed at the same time as a WHM (cPanel) plug-in, and they are using the latest gotroot rulesets, I believe. LiteSpeed improves mod_security compatibility mainly based on customers' feedback. As an example, in the latest 4.2.2: "Improved mod_security compatibility with gotroot ruleset."

The ruleset may be updated every day, but the engine may not. Software mainly cares about the engine. As a result of long-time communication between our customers and us, the following wiki page was put out to address the compatibility issue:
http://www.litespeedtech.com/support/wiki/doku.php?id=litespeed_wiki:mod_security_compatibility

In general, the latest ruleset is safe to use. For those mod_security directives which LiteSpeed does not support, the rules are just ignored and the next rules are picked up to be processed. If it breaks LiteSpeed, please report it to us and please fall back to a previous ruleset.

So far, I've not heard of a case where, because the latest mod_security ruleset is not supported yet, a server has been compromised or hacked or suffered any big loss.
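
Added example, not part of the thread and not LiteSpeed or Atomicorp code: a small triage script for the error line quoted in the first post, separating denials that name no rule and no matched string (the symptom reported there) from denials that can be traced to a specific rule. The populated `[Rule: 'VARIABLE' 'pattern']` form, the timestamps and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Field layout copied from the error line quoted in the first post. The populated
# form ([Rule: 'VARIABLE' 'pattern']) is an assumption about the same format.
DENY_RE = re.compile(
    r"mod_security: Access denied with code (?P<code>\d{3}), "
    r"\[Rule: '(?P<var>[^']*)' '(?P<pattern>.*?)'\] "
    r'\[severity "(?P<severity>[^"]*)"\] '
    r'\[MatchedString "(?P<matched>.*)"\]'
)

def parse_denial(line):
    """Return the fields of a mod_security denial line, or None for other lines."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def triage(lines):
    """Separate denials that name no rule from denials that can be traced to one."""
    unattributed, by_rule = [], Counter()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        if not (d["var"] or d["pattern"] or d["matched"]):
            unattributed.append(d)  # empty Rule and MatchedString, as in post #1
        else:
            by_rule[(d["var"], d["pattern"])] += 1
    return unattributed, by_rule

# Constructed sample lines; timestamps and the populated entry are invented.
SAMPLE_LOG = """\
2013-01-10 10:00:01 mod_security: Access denied with code 406, [Rule: '' ''] [severity "WARNING"] [MatchedString ""]
2013-01-10 10:00:02 mod_security: Access denied with code 406, [Rule: '' ''] [severity "WARNING"] [MatchedString ""]
2013-01-10 10:00:03 mod_security: Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' 'badbot'] [severity "CRITICAL"] [MatchedString "badbot/1.0"]
2013-01-10 10:00:04 request served normally
""".splitlines()

if __name__ == "__main__":
    unattributed, by_rule = triage(SAMPLE_LOG)
    print(f"{len(unattributed)} denials name no rule (ruleset/engine mismatch suspected)")
    for (var, pattern), n in by_rule.most_common():
        print(f"{n} denials from rule on {var!r} matching {pattern!r}")
```

A high share of unattributed denials right after a ruleset update points at the ruleset/engine combination rather than at the traffic, which is the case for falling back to a previous ruleset as suggested above.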
 