Request Filter

vivek

Well-Known Member
#1
Hello

I used Mod_Security with CSF Firewall. The firewall will block the IP instantly when a mod_security rule is encountered.

However, CSF can't read the LiteSpeed log, so it will not block the IPs even if we have mod_security installed.

OK, I know that there is an inbuilt mod_security in LSWS called Request Filter, but I don't know how to use it.

Mod, please give me an example.

I want to block

www.anydomain.com/proxy/index.php

Meaning, I want to show a 500 or 404 or some other error when a user accesses /proxy/index.php or simply /proxy via a web browser, even if the folder/file exists.

Please tell me how to write the code in the Request Filter tab in the Admin area.


Also, please tell me what the Log Level is.

Any help is appreciated.

Regards
 

mistwang

LiteSpeed Staff
#2
LSWS Request Filter is our implementation of mod_security; it uses mod_security 1.9 rules.
If you use LiteSpeed + cPanel, security rules have to be configured from httpd.conf; the original mod_security rules should work just fine. Just do not expect LSWS to block any request that results in a 404.
 

xing

LiteSpeed Staff
#5
SecFilterSelective REQUEST_URI "^/proxy"

Should work. Note that if /proxy doesn't exist, LSWS will not block 404 requests. The above should block anything with yourdomain.com/proxy*
 

vivek

Well-Known Member
#11
Hi mistwang,

Thank you for fixing the mod_security issues. It started working for me.

But just now I realized that most of the rules aren't working.
Some rules are working, but some are not working.
The same rules are working fine with Apache.

mistwang, do you have any set of working mod_security rules with you? Or can you recommend one which can work with LSWS?

Vivek
 

vivek

Well-Known Member
#13
Please post the rules that do not work.
Hello

When I switch to Apache, I am getting a lot of IP-blocked mails from CSF because of the mod_sec rules, but when I switch to LiteSpeed, I am not getting any such mails, just 2 or 3 mails only.

You will not believe it, but now I switched to Apache and I got around 50+ IP block mails in the last 1 hr. lol

Do you want to see the mod_sec rules I am using? I am sure a lot of rules are still not compatible with LiteSpeed; they are mod_sec 1.9 rules.

Vivek
 

vivek

Well-Known Member
#16
[root@monster logs]# tail -f audit_log
[client 201.234.30.130] mod_security: Access denied with code 403, [Rule: '(null)' '(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])'][client 74.50.11.40] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI' '=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?'][client 74.50.11.40] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI' '=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?'][client 74.50.11.40] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI' '=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?']
 

vivek

Well-Known Member
#17
I see, LiteSpeed's audit log is not in such a proper format. Is it because of this that CSF is not working with every request?

There are no 404 errors, only 403, but CSF is not blocking those IPs.
 
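The audit_log excerpt in post #16 shows the format problem behind post #17: several "Access denied" entries are written back to back on one line, so a line-oriented log watcher sees a single line and counts one event (or none) where there were several. The following script is an added example, not code from the thread, from LiteSpeed or from CSF; it uses a constructed sample (documentation IP addresses, made-up rule patterns in the same `[client ...] mod_security: Access denied with code 403, [Rule: '...' '...']` shape as the excerpt) and shows how to split such concatenated entries and count denials per client IP. It handles both the run-together layout and a normal one-entry-per-line layout, so the same parser works whichever way the server writes the file.

```python
"""Split concatenated LiteSpeed Request Filter audit_log entries and count
403 denials per client IP.  Added example; the sample log is constructed."""
import re
from collections import Counter

# Constructed sample: three denial entries written back to back on one line,
# exactly the layout that confuses line-oriented log watchers.
SAMPLE_AUDIT_LOG = (
    "[client 203.0.113.10] mod_security: Access denied with code 403, "
    "[Rule: 'REQUEST_URI' '^/proxy']"
    "[client 203.0.113.10] mod_security: Access denied with code 403, "
    "[Rule: 'REQUEST_URI' '^/proxy']"
    "[client 198.51.100.7] mod_security: Access denied with code 403, "
    "[Rule: '(null)' '(cmd|command)=.*(cd|\\;|perl )']"
)

# One denial entry.  The rule pattern is matched lazily and only ends at a
# quote-bracket that is followed by the next "[client" or by end of input,
# so regex metacharacters inside the rule text do not break the split.
ENTRY_RE = re.compile(
    r"\[client (?P<ip>[^\]]+)\] mod_security: Access denied with code "
    r"(?P<code>\d{3}), \[Rule: '(?P<variable>[^']*)' '(?P<pattern>.*?)'\]"
    r"(?=\s*\[client |\s*$)",
    re.DOTALL,
)


def parse_audit_log(text):
    """Return one dict per denial entry found in text, in file order.

    Works whether entries are separated by newlines or run together."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def denials_per_ip(entries, code="403"):
    """Count entries per client IP for the given response code."""
    return Counter(e["ip"] for e in entries if e["code"] == code)


def ips_over_threshold(counts, threshold):
    """IPs whose denial count reached threshold, sorted for stable output.

    This is the kind of per-IP tally a log watcher needs before deciding
    anything; the threshold itself is a local policy choice."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"{len(entries)} denial entries found on {SAMPLE_AUDIT_LOG.count(chr(10)) + 1} line(s)")
    for e in entries:
        print(f"  {e['ip']:15} {e['code']}  {e['variable']}  {e['pattern']}")
    counts = denials_per_ip(entries)
    print("denials per IP:", dict(counts))
    print("IPs with >= 2 denials:", ips_over_threshold(counts, 2))
```

Run it as is to see the three entries recovered from the single line; to apply it to a real audit_log, read the file into a string and pass it to `parse_audit_log` (the regex does not depend on newlines). The rule `variable` and `pattern` fields are kept so that a noisy or broken rule can be identified from the tally rather than from the raw line.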