Comodo rules for LiteSpeed

TDmitry · July 3, 2015, 3:45pm

We will check this issue and I’ll inform you in this thread.

vadim · July 22, 2015, 9:02am

CWAF client starting from version 2.12 supports LiteSpeed 5.0.

Hedloff · August 10, 2015, 7:43am

Brute force attacks are still not working. They are not picked up by CWAF and not blocked.
Any eta on a fix for this?

akabakov · August 10, 2015, 3:20pm

Hello.

We’ve checked brute-force rules with LiteSpeed and test CMSs (Drupal, Typo3, WordPress) and got “error 403”.
So, brute-force rules work.

George_Fusioned · August 26, 2015, 12:01am

Hello,

I was using the Comodo WAF LiteSpeed rules without a problem (setup as a Vendor in cPanel) and all of a sudden I’m getting this error now:


[ModSecurity] unknown server variable while parsing: FILES
[ModSecurity] unknown server variable while parsing: ARGS_POST_NAMES

(also see attachment)

Does it have anything to do with the recent rule updates?
I’ve disabled 28_Apps_WPPlugin.conf & 31_Apps_OtherApps.conf for now and the error is gone.

Kind regards,
George

[attachment deleted by admin]

oleg.tsygany · August 26, 2015, 6:33am

Hello George.

Thank you for reporting. We have fixed this issue.
Please update to latest rules version (1.39)

With best regards, Oleg

George_Fusioned · August 26, 2015, 8:17am

Thank you for the fast fix Oleg.

For anyone wondering how to update the rules when using the Comodo rules configured as a Modsecurity Vendor in cPanel, just run /scripts/upcp (ModSecurity Vendors - Version 84 Documentation - cPanel Documentation) /usr/local/cpanel/scripts/modsec_vendor update --auto

Best regards,
George

H0sseiN · April 23, 2016, 8:52am

Hi,
I have a server with running litespeed webserver but using Apache configuration file now which rule set should I install Apache or litespeed?

TDmitry · April 25, 2016, 4:19pm

You should use LiteSpeed rules set. It specially built for LiteSpeed web server.

Hedloff · May 2, 2016, 6:03pm

I would not recommend running CWAF on LiteSpeed.
You can’t disable a domain from it and there are alot of false positives!

ezynic · November 10, 2016, 11:34pm

So how is Litespeed support these days? Is brute force working? How about excluding domains? I’ve just had it with Atomicorp’s attitude and switched a server to Comodo. Working fine so far…

Melih · November 11, 2016, 1:30pm

welcome to Comodo ezynic!

We support Litespeed. If you have any specific requirement please feel free to tell us so that we can get it done for you asap.

we are here to serve you.

Hedloff · November 11, 2016, 1:33pm

Think brute force is still working.
But there is alot of issues with EA4 and CWAF atm.

I got a reponse from their staff that it will not be supported from Comodo to exclude/disable domains.
So currently we’re checking other vendors for mod_security rules on LiteSpeed servers.

vadim · November 11, 2016, 2:52pm

Hello Hedloff

We didn’t detect any issues with exclude/disable domains for cPanel + LiteSpeed + CWAF configuration. Possibly it’s related to the last LiteSpeed updates.

We’ll review this issue and release the new CWAF agent version. We will be grateful to you if you can provide us your current configuration (cPanel, LiteSpeed asd CWAF plugin versions).

Please also create support ticket here: Submit a ticket - Powered by Kayako Help Desk Software (WAF Support)

And we’ll provide you direct support to resolve this issue on your web-servers.

ezynic · November 12, 2016, 4:52pm

Have you tried Configserver’s Modsec Control? That’s what I was using to exclude Atomicorp rules. It would be a disappointment if that stopped working.

akabakov · November 15, 2016, 3:47pm

How to exclude ModSecurity for domain under cPanel and LiteSpeed?
As an example lets use domain joomla-ls.labtest.
Exlude usually is located at /var/cpanel/cwaf/etc/httpd/domains/000_exclude_joomla-ls.labtest:80.conf It contains:


SecRule SERVER_NAME "(?:.*\.)?mail\.joomla-ls\.labtest(?::80)?|(?:.*\.)?www\.joomla-ls\.labtest(?::80)?|(?:.*\.)?joomla-ls\.labtest(?::80)?" "phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off,id:10001"

Such file is usually created after domain exclude in CWAF-plugin. For Apache it works, LiteSpeed ‘reads’ this file, but not uses it. To work with LiteSpeed code above should be located in /etc/apache2/conf.d/includes/post_virtualhost_global.conf (EA4) or in /usr/local/apache/conf/includes/post_virtualhost_global.conf (EA3) for any domain(s) user needs to exclude.
Also /var/cpanel/cwaf/etc/httpd/domains/000_exclude_joomla-ls.labtest:80.conf and other file(s) should be removed to avoid existing rules with the same id. If this files exists LiteSpeed will work, but CWAF-plugin won’t. Also if LiteSpeed is changed by Apache, it also won’t work.

Hedloff · November 17, 2016, 8:19am

akabakov: It would be great if you could get this in your agent so we don’t have to this manually to get it working.
Everything we have to do manually is not worth it. Then it’s better to have no WAF rules at all.

akabakov · November 17, 2016, 8:49am

We’ll try to include this in agent. Work is in progress.

Hedloff · November 17, 2016, 9:14am

Great NEWS!
Any idea/eta when new agent will be launched for this and/or fix EA4 issues?

vadim · November 17, 2016, 2:50pm

Related fix will be included into the next version of CWAF plugin. We plan to release it this month.