Comodo rules for LiteSpeed

[TDmitry]

Where can we find rules changelog for Litespeed?

See that rules 1.22 is avaliable, but not sure what is updated in those rules?

Updates for Apache and Litespeed are the same in most cases, so you can always refer to the Apache rules updates changelog and find appropriate update by release date.
https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/rules-updates-changelog-t101377.0.html

[Hedloff]

Guys! 
Brute Force on your Litespeed rules are still not working! They only cause pain and we have to disable those rules on the whole server.
Please get a working brute force rule updated for Litespeed asap. It did work in the start, you just messed it up sometime ago.....

[akabakov]

Please, check log-files.
May be brute force rules don't work because of "Failed to write to DBM file "/tmp/ip":"
Please, see this topic:

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/failed-to-write-to-dbm-file-tmpip-t106018.0.html

[Hedloff]

Guys, please provide a fix/update!
I turned brute force off and back on again. It gives 403 now, but ip is not blocked.

Please also see attached file. Something in your rules are not working.

Logs:

82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:26 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:27 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
82.220.34.3 - - [01/Jul/2015:22:45:28 +0200] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"



[attachment deleted by admin]

[Hedloff]

Now brute force is reacting on a different rule id!?

[attachment deleted by admin]

[TDmitry]

We will check this issue and I'll inform you in this thread.

[vadim]

CWAF client starting from version 2.12 supports LiteSpeed 5.0.

[Hedloff]

Brute force attacks are still not working. They are not picked up by CWAF and not blocked.
Any eta on a fix for this?

[akabakov]

Hello.

We've checked brute-force rules with LiteSpeed and test CMSs (Drupal, Typo3, WordPress) and got  "error 403".
So,  brute-force rules work.

[George_Fusioned]

Hello,

I was using the Comodo WAF LiteSpeed rules without a problem (setup as a Vendor in cPanel) and all of a sudden I'm getting this error now:

Code: [Select]

[ModSecurity] unknown server variable while parsing: FILES
[ModSecurity] unknown server variable while parsing: ARGS_POST_NAMES
(also see attachment)

Does it have anything to do with the recent rule updates?
I've disabled 28_Apps_WPPlugin.conf & 31_Apps_OtherApps.conf for now and the error is gone.

Kind regards,
George

[attachment deleted by admin]

[oleg.tsygany]

Hello George.

Thank you for reporting. We have fixed this issue.
Please update to latest rules version (1.39)

With best regards, Oleg

[George_Fusioned]

Thank you for the fast fix Oleg.

For anyone wondering how to update the rules when using the Comodo rules configured as a Modsecurity Vendor in cPanel, just run /scripts/upcp (https://documentation.cpanel.net/display/ALD/ModSecurity+Vendors#ModSecurityVendors-Enableordisableupdates) /usr/local/cpanel/scripts/modsec_vendor update --auto


Best regards,
George

[H0sseiN]

Hi,
I have a server with running litespeed webserver but using Apache configuration file now which rule set should I install Apache or litespeed?

[TDmitry]

Hi,
I have a server with running litespeed webserver but using Apache configuration file now which rule set should I install Apache or litespeed?

You should use LiteSpeed rules set. It specially built for LiteSpeed web server.

[Hedloff]

Hi,
I have a server with running litespeed webserver but using Apache configuration file now which rule set should I install Apache or litespeed?

I would not recommend running CWAF on LiteSpeed.
You can't disable a domain from it and there are alot of false positives!