I have the Comodo CWAF Plugin installed on a Litespeed 5.0.10 Enterprise server running v. 1.58 of the CWAF rules and v. 2.15 of the CWAF plugin. I don’t have any ModSecurity vendors installed. The CWAF plugin Main tab shows that Mod_Security is compatible and loaded.
The CWAF Plugin was working fine in the past, but I noticed that now the hits list is empty, and after taking my IP address out of the whitelist and restarting Litespeed, I can browse to the URL Web Hosting, Domain Name Registration - MyDomain.com and I don’t get a 403 error. In the past there were plenty of entries in the hits list, so it looks like the CWAF Plugin has stopped working.
I have the debug level set to 4, Warning, in the CWAF plugin Configuration page.
What can I do to get the CWAF Plugin working again?
I tried uninstalling and reinstalling the CWAF Plugin, and now it does give me a 403 when I browse to the test URL above, and the hits list contains the 403.
I don’t know what it was that caused this when it was working before and suddenly stopped, but uninstalling and reinstalling the CWAF Plugin has apparently gotten it working again, and I am happy.
This also can be LiteSpeed issue (it’s quite tricky from time to time).
Restarting during rules update possible can fix it.
Thank you for sharing your experience. It can be handy for other customers
Thanks Oleg. I will try restarting Litespeed if this happens again. I have the plugin configured to automatically update the rules daily, so there were some unattended updates going on, though according to the utils.log, they all were going smoothly. I wish I knew what the problem was, but it’s good to have it working again, anyway.
The only thing I see that is different from the original installation is that the paths on the Security Engine tab now correctly show /usr/local/apache/logs/, whereas before, the paths didn’t have the full path /usr/local/apache in them. I don’t know if that has anything to do with anything or not.
Security Engine tab get logs path from your mod_security config file (located in the place where ‘Mod_security conf’ points in Main tab)
So if logs path modified in this config it will show changed in Security Engine tab accordingly.
UPD: Either check if ‘Audit Log Type’ set to ‘Serial’ in Security Engine tab. Otherwise this also can lead to problem with Hits List in ModSecurity™ Tools
The “Audit Log Type” is set to “Serial” on the Security Engine tab now, and I think that’s what it was before I reinstalled, but I’m not sure. So far, it’s still working, and it has one one automatic rules update.