Comodo rules for LiteSpeed

The initial version of the Comodo protection rules for LiteSpeed has been released.

You may log in to the Comodo WAF interface: https://waf.comodo.com

Choose source “LiteSpeed” and download the latest rules (Latest release: 0.01).

A client agent and cPanel plugin with LiteSpeed support will be released soon.

good job guys!

Client Agent 1.5 with LiteSpeed support has been released:

You may download and install the new client, available at this link: https://waf.comodo.com/cpanel/cwaf_client_install.sh

If you already use the Comodo WAF Client with Apache and you want to switch to LiteSpeed:

  • Uninstall the client agent: /var/cpanel/cwaf/scripts/uninstall_cwaf.sh
  • Download the new version and install it, choosing the LiteSpeed platform

great work guys.

now we are fully supporting Litespeed!

Melih

I only have CIS. Do I need this? I have Win 7. Thanks

Hi, I am new here and really need a little help, please.

I found the script for LiteSpeed rules here https://waf.comodo.com/cpanel/cwaf_client_install.sh but wanted to know how I use it or install the plugin for cPanel?

Hello

First, you need to log in to your Comodo WAF web interface: https://waf.comodo.com/

If you still don’t have an account, you may sign up for the service here: COMODO Account Management

COMODO Web Application Firewall - No Card Required!

After successful registration you may find documentation, client program and rules on your account page.

Hi,

We have a false alarm for Opera Mini

[Sun Apr 20 01:35:59 2014] [error] [client 82.145.216.243] ModSecurity: Access denied with code 403, [Rule: ‘REQUEST_HEADERS:CLIENT_IP|REQUEST_HEADERS:FORWARDED|REQUEST_HEADERS:FORWARDED_FOR|REQUEST_HEADERS:X_FORWARDED|REQUEST_HEADERS:X_FORWARDED_FOR’ ‘@rx '|"’] [ID: 220590] [Msg: COMODO WAF: found CVE 2014-1401 attack]

I tried to disable 220590, but the rule still blocked Opera Mini

Will be fixed with next update.

For shared hosting activities we wanted to use Comodo WAF on a VPS with CloudLinux, cPanel/WHM, WHMCS, Installatron and (important!) also Litespeed.

As Comodo WAF requires ModSecurity, we first rebuilt Apache/PHP in WHM/cPanel with EasyApache to include Mod_security. Subsequently we noticed in WHM/cPanel a ModSecurity plugin, apparently the EasyApache ModSecurity interface.

Because Litespeed was causing continuously running (not stopping) Wordfence scanner(s) on our WordPress websites with an installed Wordfence plugin, after some research we were pointed to using Comodo WAF + ModSecurity + Cloudflare as a superior solution replacing Wordfence.

After ‘installing’ ModSecurity (via EasyApache), Litespeed started displaying the following error message:

ERROR [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR

On the Litespeedtech forum we received a reply to this - basically an unimportant ‘hiccup’ of Litespeed not being 100% compatible with ModSecurity:

Initially, not fully understanding the difference between ConfigServer Firewall, already installed on our VPS, and Comodo WAF, we were confused and concerned whether this would work together with Comodo WAF or if any other add-ons were required. The answer is that both can work together well! See the post for more info:

http://www.webhostingtalk.com/showthread.php?t=1377615 - post of webking57

Subsequently, registering a user account at waf.comodo.com and following the install instructions for the WHM/cPanel agent (from Comodo WAF) was simple and straightforward.

In the ‘Comodo WAF’ interface located under the plugin section of WHM/cPanel, however, we do not see the ‘Exclude rules’ tab as depicted in the Comodo WAF Administrator Guide, but see a new ‘Security Engine’ tab.

Our two questions are:

(1) Do we need to ‘download’ any additional rules for Litespeed to update the ‘rules version 1.1.0’ using the main panel: https://waf.comodo.com?

The above rules (version 1.1.0) were installed by clicking on a black icon (“download rules 1.1.0”) on the right side of the ‘Current Rules Version’ in the Main tab of the WHM/cPanel Comodo WAF interface, which after that prominently displayed that version there!

(2) As we do not seem to have an ‘Exclude Rules’ tab in our Comodo WAF interface in WHM/cPanel, how can we exclude any rules etc.?

Did we make a mistake installing these rules 1.1.0 through the black install button?

Are these rules the appropriate rules for Litespeed?

Sorry, we overlooked the instructions given as a reply by poster TDmitry!

How can we delete ‘wrong’ rules (if wrong) and install the right Litespeed rules …?

  1. There are 2 different mod_security rulesets: one for Apache and one for Litespeed. If you use the Apache ruleset, there will be errors after switching to Litespeed.
  2. Litespeed can operate with mod_security. Please try the following steps:
    a) wget https://waf.comodo.com/cpanel/cwaf_client_install.sh to download the installer;
    b) bash cwaf_client_install.sh to install the rules and scripts.
    All files will be installed in /var/cpanel/cwaf. To update the rules you can run /var/cpanel/cwaf/scripts/updater.pl. Also, in your WHM, in the Plugins section, there will be a Comodo WAF subsection, where you can manage your settings and update the client and rules.
  3. I think it is because of the difference between the Apache and Litespeed rulesets

Our experiences so far installing Comodo WAF - Overcoming beginners’ problems.

And how not to get ‘locked’ out of your VPS (URL hostname), not lose WHM/cPanel (https) access and WHMCS (admin panel) access, and avoid no longer seeing your hosted websites on the WWW?

Our VPS server hostname is: serverx1.abcdef.net
Our server IP is: 123.456.789.112
WHMCS is installed on: www.abcdef.net
WHMCS admin login is at: abcdef.net
And three websites in three cPanel user accounts:
www.efg.com - WordPress site
www.hij.net - WordPress site
www.spqr.org - WordPress site

Installing Comodo WAF proceeded without problems on a VPS with WHM/cPanel, WHMCS, Installatron, ConfigServer Firewall and mod_security (EasyApache add-on and WHM plug-in) twice over: the first time with the Litespeed webserver and the second time with the Apache webserver, with exactly the same problem(s). De-installing the Comodo WAF cPanel plug-in and removing the string from /modsec.conf using the instructions from section 2.2.5 of the manual below did not solve our problems. Using a server snapshot we had to go back in time, and by luckily remembering our ‘old’ server login details we could regain ‘control’ again and restart afresh building up our server!

For installation we followed the instructions in the Comodo WAF Administrator Guide.

In the appearing WHM/cPanel Comodo WAF plugin interface we then:

  • updated the ‘rules’ by pressing on the black button
  • changed the settings to 4 debug level and
  • turned on the security engine in a next tab
    We did however not whitelist anything etc. assuming our settings on the VPS in Configserver Firewall would be included ….

Twice over ( with Litespeed and with Apache webserver after complete re-install) we got the following error messages when shortly after installation of Comodo WAF we proceeded with WHMCS admin and after making some changes and trying to save:

"Forbidden: You don’t have permission to access www.abcd.com/whmcs/configserver.php on this server.
Additionally a 404 error … Apache 2.49 etc )

Googling this indicated a Mod_security rule error …

Nowhere did we find or read any warnings nor see understandable instructions on how to properly proceed after installing Comodo WAF with the above disastrous outcome.

Comodo WAF and Mod_security are apparently so effective that all network access to your VPS server URL, WHM/cPanel and hosted websites can be closed off from the WWW.

Can you please - for the not so experienced or enlightened - give clear understandable step by step instructions on what to do and what to enter in the Comodo WAF cPanel interface ? For this we have given our server and website details …?

Our next concern is: how complex and nerve-wracking will properly maintaining the Mod_security rules and exceptions be in practice?
I am seeing a multitude of forum web posts on various Mod_security related errors?

For the moment we have returned to ConfigServer Firewall and cPHulk Brute Force, de-installed Mod_Security (EasyApache rebuild) and use the Wordfence plug-in for the WordPress sites. This works well and is easy to understand.

With Litespeed we experienced a lot of problems. Much to our regret this company - despite relentless attempts, endless correspondence and vague assurances - apart from not so useful general instructions, is unwilling to log into servers or offer hands-on problem solving. We have for the moment ‘switched’ off Litespeed.

Please open a ticket at https://support.comodo.com/ in the WAF Support section and give us, if possible, logs from your “old” server.

Where can we find the rules changelog for Litespeed?

I see that rules 1.22 are available, but I am not sure what is updated in those rules?

Updates for Apache and Litespeed are the same in most cases, so you can always refer to the Apache rules updates changelog and find the appropriate update by release date.
https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/rules-updates-changelog-t101377.0.html

Guys!
Brute Force in your Litespeed rules is still not working! The rules only cause pain and we have to disable them on the whole server.
Please get a working brute force rule updated for Litespeed ASAP. It did work at the start, you just messed it up some time ago… :-TD

Please check the log files.
Maybe the brute force rules don’t work because of “Failed to write to DBM file “/tmp/ip”:”
Please, see this topic:

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/failed-to-write-to-dbm-file-tmpip-t106018.0.html

Guys, please provide a fix/update!
I turned brute force off and back on again. It gives 403 now, but the IP is not blocked.

Please also see the attached file. Something in your rules is not working.

Logs:

82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] “POST /wp-login.php HTTP/1.1” 403 1139 “-” “-”

[attachment deleted by admin]
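One way to quantify what an access log like the one in the post above shows, as an added example (not part of the original post and not Comodo's code): it counts POSTs to /wp-login.php per client in a sliding window and tallies how many were answered with 403. The sample lines, documentation-range addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the same access-log layout as the post
# (documentation-range addresses, not real clients).
SAMPLE = [
    '203.0.113.7 - - [01/Jul/2015:22:45:%02d +0200] '
    '"POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"' % (26 + i // 3)
    for i in range(9)
] + [
    '198.51.100.20 - - [01/Jul/2015:22:46:10 +0200] '
    '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [01/Jul/2015:22:46:12 +0200] '
    '"GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Accepts straight quotes and the curly quotes forum software substitutes.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'["“](?P<method>\S+) (?P<path>\S+) [^"”]*["”] (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def login_bursts(lines, path="/wp-login.php", threshold=5, window=10):
    """Clients whose POSTs to `path` reach `threshold` within `window` seconds.

    Lines are assumed to be in chronological order, as in an access log.
    """
    recent = defaultdict(deque)   # per-client timestamps inside the window
    stats = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "POST" or rec[3] != path:
            continue
        ip, ts, _, _, status = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        s = stats.setdefault(ip, {"peak": 0, "denied": 0, "allowed": 0})
        s["peak"] = max(s["peak"], len(q))
        s["denied" if status == 403 else "allowed"] += 1
    return {ip: s for ip, s in stats.items() if s["peak"] >= threshold}
```

The access log does not record which rule produced a 403, so a flagged address still has to be matched against the ModSecurity error log to see the rule ID that fired.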

Now brute force is reacting on a different rule id!?

[attachment deleted by admin]