[Resolved] 5.1RC1 and @inspectFile

[bobykus]

Hello,

I would like to evaluate new features in upcoming major release. The most interesting seems to @rbl and @inspectFile mod_sec features. It would be great if litespeed come with some help how to perform simple configuration and testing. So far I configured

Request Filter >

Enable Request Filtering
Yes

Default Action
deny,log,status:403

Scan Request Body
Yes

Disable .htaccess Override
Yes

Enable Security Audit Log
Yes


and Request Filtering Rule Set with
SecRule FILES_TMPNAMES "@inspectFile /opt/modsecurity/bin/file-inspect.pl" phase:2,t:none,log,block

where /opt/modsecurity/bin/file-inspect.pl comes from mod_sec manual.

Then created simple html/php upload script from site

<!DOCTYPE html>
<html>
<body>

<form action="up.php" method="post" enctype="multipart/form-data">
Select image to upload:
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload Image" name="submit">
</form>

</body>
</html>


where EICAR-AV-Test test signature was uploaded, but nothing happens! And nothing in logs.

 

[mistwang]

you can turn on Request Filter debug logging,
https://www.litespeedtech.com/docs/webserver/config/reqfilter#censorLogLevel

test /opt/modsecurity/bin/file-inspect.pl script manually see if works properly.

 

[bobykus]

The settings are

Log Level 9

and

Security Audit Log

/hsphere/shared/apache/logs/audit.log


Here is a result of

/opt/modsecurity/bin/file-inspect.pl EICAR-AV-Test
0 clamscan: Eicar-Test-Signature


/hsphere/shared/apache/logs/audit.log is empty after uploading EICAR-AV-Test


Wonder what I am doing wrong...

 

[mistwang]

Please try 5.1RC2 with

/usr/local/lsws/admin/misc/lsup.sh -d -f -v 5.1RC2

There was a bug fixed in @fileinspect implementation.

Please make sure your server log level is not higher than INFO, the modesecurity debug messages are logged at INFO level.

 

[bobykus]

Yes, I updated to RC2
Here is a log of POST request Nothing about any filtering,

/hsphere/shared/apache/logs/audit.log

is empty. We use apache style.

 

[mistwang]

looks like "scan post" is off. only headers are scanned. You can turn it on with "SecRequestBodyAccess" in Apache configuration.

 

[bobykus]

Yes, works now. Thank you!

 

[bobykus]

Oh, wonder if it possible to disable to set

SecFilterEngine Off

in .htaccess

 

[mistwang]

https://www.litespeedtech.com/docs/webserver/config/reqfilter#disableSecHtaccess

 

[bobykus]

Do you mean

Disable .htaccess Override

Description: Specifies whether to disable .htaccess override. This is a global setting, only available at the server level. Default is "No".
Syntax: Select from radio box

Is it not not completely disable .htaccess?

 

[mistwang]

Sorry for the confusion, it only disables turning off mod_security from .htaccess.

 

[bobykus]

It is fine. Where the option is configurable from? I can not find any of such in

Server » name > Request Filtering

 

[mistwang]

It was missing in 5.1RC2, please try the latest build.

/usr/local/lsws/admin/misc/lsup.sh -d -f -v 5.1RC2

 

[bobykus]

Well,

After update I can not log into admin interface now
When I provide user and password nothing happens.
Also the error logs are empty too.

 

[mistwang]

Please do a force update to get the latest build. should be fixed.

 

[bobykus]

Still the issue

gettimeofday({1448291838, 319590}, NULL) = 0
lstat("/usr/local/lsws/admin/html/classes//DTblDef.php", 0x7ffeee2b8f90) = -1 ENOENT (No such file or directory)
gettimeofday({1448291838, 319688}, NULL) = 0
open("/usr/local/lsws/admin/html.5.1RC2/classes/ws/DTblDef.php", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=100613, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=100613, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=100613, ...}) = 0
mmap(NULL, 100613, PROT_READ, MAP_SHARED, 6, 0) = 0x7f091542d000
brk(0x15f8000)                          = 0x15f8000
writev(5, [{"LS\6\0\177\0\0\0", 8}, {"PHP Parse error:  syntax error, "..., 119}], 2) = 127
chdir("/usr/local/lsws/admin/fcgi-bin") = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
pwrite(3, "secret|s:14:\"litespeedrocks\";cha"..., 98, 0) = 98
close(3)                                = 0
munmap(0x7f091542d000, 100613)          = 0
close(6)                                = 0
brk(0x1578000)                          = 0x1578000
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
writev(5, [{"LS\3\0\305\0\0\0\4\0\0\0\364\1\0\0\'\0N\0\21\0\'\0", 24}, {"Expires: Thu, 19 Nov 1981 08:52:"..., 173}, {"LS\5\0\10\0\0\0", 8}], 3) = 205

litespeedrocks ? really?

 

[mistwang]

Just published a new build, please try again.

 

[bobykus]

Yes,
All is ok, if you not use -d option Thank you for a great job!

 

[mistwang]

Have you running it in production? or staging?
Need more feed backs on stability of 5.1RC2 release.

 

[bobykus]

I do not have much to say - we run it on one server with approx 1k sites and faced with no problems so far.