LiteSpeed + CMC + CSF

Hi Comodo,

We’re currently running LiteSpeed, Config Mod Security and Config Server Security.

Inside of CSF we have LF_MODSEC set to 5, so 5 hits from a specific IP should be automatically blocked by CSF; however, this isn't functioning.

I can see that the Comodo modsec rules are being hit via the /usr/local/apache/logs/error_log file:

[Sat Jul 19 11:31:52 2014] [error] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403, [Rule: 'Request_URI' '(media|post|post_new).php'] [ID: 220830] [Msg: COMODO WAF: COMODO WAF: Blocking XSS attack]

We previously had atomicorp modsec rules running and these were automatically blocked; as soon as I substituted in the Comodo rules, the automatic block feature stopped working.

Config Mod Security doesn't display the rule ID; it shows this as 'Unknown' - screenshot: http://tinypic.com/view.php?pic=2iuqflu&s=8


We’re using the default modsec2.conf file:

LoadFile /opt/xml2/lib/libxml2.so

LoadFile /opt/lua/lib/liblua.so

LoadModule security2_module modules/mod_security2.so

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
SecRequestBodyAccess On
SecDataDir /tmp
SecTmpDir /tmp
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
Include "/var/cpanel/cwaf/etc/cwaf.conf"
Include "/usr/local/apache/conf/modsec2.whitelist.conf"

Any assistance would be greatly appreciated.

CSF issue with LF_MODSEC fixed.

CSF is reporting the ID as ‘unknown’, CMC also displays the ID identified as ‘Unknown’.

Example:

XXX.XXX.XXX.XXX # lfd: (mod_security) mod_security (id:unknown) triggered by XXX.XXX.XXX.XXX (US/United States/-): 1 in the last 3600 secs - Sat Jul 19 15:54:26 2014

Anyone have a fix for that?

Due to the way LSWS logs ModSecurity entries to error_log, you need to create a custom regex in CSF to have it track these log entries.

Open the file /etc/csf/regex.custom.pm and add the code below between the 2nd and 3rd comment areas. This should be line 36, unless the file was modified:

# Match LSWS-style ModSecurity denials in error_log:
# "[Day Mon DD HH:MM:SS YYYY] [error] [client <ip>] ModSecurity: Access denied with code 403"
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] ModSecurity: Access denied with code 403/)) {
	$ip = $1; $acc = ""; $ip =~ s/^::ffff://;   # captured client IP; strip IPv4-mapped IPv6 prefix
	# Hand the hit to lfd under the "mod_security" trigger so LF_MODSEC counting applies
	if (&checkip($ip)) {return ("mod_security triggered by","$ip|$acc","mod_security")} else {return}
}

Save the file, restart CSF+LFD and see if it works.

Disclaimer: Use at your own risk.

MH-Stefan,

Thank you very much, I will try this now.

I followed your instructions to a T; unfortunately that didn't work.

Forgot to mention that you will need to set the log level to INFO.

That’s under LSWS Admin Panel > Configuration > Server > Log > Log Level

You should then restart LSWS and check if ModSecurity triggers are actually logged in /usr/local/apache/logs/error_log.

The downside is that this modification will significantly increase the size of your error_log since LSWS will log almost everything.

Tried that, didn’t work unfortunately.

Does LSWS at least log the triggered ModSecurity rules to error_log? Can you please post a sample?

This works just fine on many of our servers.

Yes it does, sample listed below:

2014-07-26 19:42:28.648 [INFO] [APVH_XXXXXXX_Suphp:] PID: 494653, add child process pid: 497601, procinfo: 0x6631e90
2014-07-26 19:42:28.649 [NOTICE] [IPADDRESS:60462-0#APVH_WEBSITEADDRESS.com] mod_security rule triggered!
[Sat Jul 26 19:42:28 2014] [error] [client IP ADDRESS] ModSecurity: Access denied with code 403, [Rule: 'Request_URI' '(media|post|post_new).php'] [ID: 220830] [Msg: COMODO WAF: Blocking XSS attack]
2014-07-26 19:42:28.649 [NOTICE] [192.171.235.105:60462-0#APVH_WEBSITEADDRESS.com] Content len: 723, Request line: 'POST /wp-comments-post.php HTTP/1.1'
2014-07-26 19:42:28.649 [INFO] [192.171.235.105:60462-0#APVH_WEBSITEADDRESS.com] Cookie len: 67, PHPSESSID=b9kkm2vr8hc8sibqpr7g0d22s7; wfvt_1653771278=53d377fda0573

==================================

Custom regex file can be seen here: gist 0231a70f7ab6ff401724 (GitHub)

LiteSpeed was also set to 'INFO' instead of 'DEBUG' as suggested. What I noticed that was weird is that both Config Mod Control and Config Server Firewall (csf.deny) report the id as 'unknown'.

If you see IPs banned in csf.deny because of mod_security, then the custom regex works and CSF detects ModSecurity rule triggers. What's your LF_MODSEC_PERM setting? If you want IPs to be blocked permanently, set this option to 1. For temporary blocks, you should enter the number of seconds instead.

As for the unknown ID, you should find it within the log entry:

[Sat Jul 26 19:42:28 2014] [error] [client IP ADDRESS] ModSecurity: Access denied with code 403, [Rule: 'Request_URI' '(media|post|post_new)\.php'] [ID: 220830] [Msg: COMODO WAF: Blocking XSS attack]

You have to expand the log in ConfigServer ModSecurity Control to see all details.

I’ve just implemented the same thing today on a new server with LSWS v4.2.12 and CSF v7.07 and it works without any issues.

The regex command isn't needed; CSF detects the modsecurity rules without the regex.

The CSF block is working correctly, this isn’t the problem here.

Thank you, I am aware of that; however, the question was directly related to CSF. When CSF blocks the IP address it stores an entry in the csf.deny file.

XXX.XXX.XXX.XXX # lfd: (mod_security) mod_security (id:unknown) triggered by XXX.XXX.XXX.XXX (US/United States/-): 1 in the last 3600 secs - Sat Jul 19 15:54:26 2014

To my original question: is there any way of telling CSF what the 'id' is - instead of 'unknown', actually list the id?
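An added example, not code from the thread, from CSF or from LiteSpeed: a small Python parser for the LSWS error_log lines quoted above that captures both the client IP and the [ID: ...] tag the thread's CSF regex does not capture, then counts denials per IP against an LF_MODSEC-style threshold. The sample log lines are constructed with documentation-range addresses; the last one deliberately has no ID tag to show where 'unknown' comes from.

```python
import re
from collections import Counter

# Constructed sample in the LSWS error_log layout quoted in the thread
# (documentation-range IPs; the last denial line is constructed without an [ID: ...] tag).
SAMPLE_LOG = """\
2014-07-26 19:42:28.648 [INFO] [APVH_example_Suphp:] PID: 494653, add child process pid: 497601, procinfo: 0x6631e90
2014-07-26 19:42:28.649 [NOTICE] [203.0.113.10:60462-0#APVH_example.com] mod_security rule triggered!
[Sat Jul 26 19:42:28 2014] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403, [Rule: 'Request_URI' '(media|post|post_new)\\.php'] [ID: 220830] [Msg: COMODO WAF: Blocking XSS attack]
[Sat Jul 26 19:42:31 2014] [error] [client ::ffff:203.0.113.10] ModSecurity: Access denied with code 403, [Rule: 'Request_URI' '(media|post|post_new)\\.php'] [ID: 220830] [Msg: COMODO WAF: Blocking XSS attack]
[Sat Jul 26 19:43:02 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403, [Rule: 'ARGS' 'example'] [Msg: COMODO WAF: Blocking XSS attack]
"""

# Same anchor as the thread's CSF regex (five date tokens, [error], [client ...]),
# extended with optional named groups for the rule ID and the message.
MODSEC_RE = re.compile(
    r"^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (?P<ip>\S+)\] "
    r"ModSecurity: Access denied with code 403"
    r"(?:.*?\[ID: (?P<id>\d+)\])?"
    r"(?:.*?\[Msg: (?P<msg>[^\]]*)\])?"
)

def parse_modsec_line(line):
    """Return (ip, rule_id, msg) for an LSWS ModSecurity denial line, else None.
    rule_id is 'unknown' when the line carries no [ID: ...] tag, mirroring the
    'id:unknown' seen in csf.deny when no ID can be extracted."""
    m = MODSEC_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    if ip.startswith("::ffff:"):  # strip the IPv4-mapped prefix, as the CSF snippet does
        ip = ip[len("::ffff:"):]
    return ip, m.group("id") or "unknown", m.group("msg") or ""

def hits_per_ip(log_text):
    """Count denials per client IP, the number lfd compares against LF_MODSEC."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_modsec_line(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts

def ips_over_threshold(log_text, lf_modsec=5):
    """IPs that reached the LF_MODSEC hit count (5 in the thread's CSF config)."""
    return sorted(ip for ip, n in hits_per_ip(log_text).items() if n >= lf_modsec)
```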