Hello,
Just installed latest version of Litespeed on a new Cloudlinux 7.x server and see some errors in the Litespeed admin panel as you can see here:
http://imgur.com/NUlvlHz
We’re using Comodo WAF plugin.
Got any ideas where to start looking?
Hello,
Just installed latest version of Litespeed on a new Cloudlinux 7.x server and see some errors in the Litespeed admin panel as you can see here:
http://imgur.com/NUlvlHz
We’re using Comodo WAF plugin.
Got any ideas where to start looking?
Also opened a thread with Litespeed you can check out here:
Hello,
I think these error appear because apache ruleset is used. It it possible?
OMG! You are so correct!
Thank you! Will remove it and install for Litespeed
Got no issues now on version 5.0.14 (Litespeed).
But when testing 5.1.4 I see alot of issues in apache error log:
2016-03-14 13:12:31.714 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_PROCESSOR 2016-03-14 13:12:31.714 [ERROR] [ModSecurity] REQBODY_PROCESSOR "!@streq XML" "ctl:'requestBodyProcessor=XML'": Rule not supported. 2016-03-14 13:12:31.830 [ERROR] [ModSecurity] unknown server variable while parsing: RESOURCE:OSVDB_VULNERABLE 2016-03-14 13:12:31.830 [ERROR] [ModSecurity] RESOURCE:OSVDB_VULNERABLE "@eq 1" "chain": Rule not supported. 2016-03-14 13:12:31.830 [ERROR] [ModSecurity] TX:POINTS_BLOCKING "@streq on": Previous rule in chain not supported. 2016-03-14 13:12:31.836 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:12:31.836 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains dateinterval::__construct():unknownorbadformat" "id:217100,rev:4,phase:5,pass,expirevar:'IP.buffer_dos_count=60',setvar:'IP.buffer_dos_count=+1',nolog,t:'none',t:'removeWhitespace',t:'lowercase'": Rule not supported. 2016-03-14 13:12:31.836 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:12:31.836 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:210210,rev:1,msg:'COMODO WAF: Apache Error: Invalid URI in Request.',phase:5,severity:4,pass,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{request_line}',t:'none'": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210231,rev:2,chain,msg:'COMODO WAF: XMLRPC protection',phase:2,deny,status:403,log": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] REQUEST_HEADERS:Content-Type "^text/xml$" "chain,t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] REQUEST_FILENAME "@endsWith xmlrpc.php" "t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210230,rev:2,msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.',phase:2,severity:2,pass,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{REQBODY_ERROR_MSG}',t:'none'": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] MULTIPART_STRICT_ERROR "!@eq 0" "id:210240,rev:1,msg:'COMODO WAF: Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}',phase:2,severity:2,block,setvar:'tx.points=+%{tx.points_limit4}',t:'none'": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: ARGS_COMBINED_SIZE 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: FILES_COMBINED_SIZE 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:12:31.843 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_FILENAME 2016-03-14 13:12:31.843 [ERROR] [ModSecurity] MULTIPART_FILENAME "@rx \..+\.$": Rule not supported. 2016-03-14 13:12:48.838 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_PROCESSOR 2016-03-14 13:12:48.838 [ERROR] [ModSecurity] REQBODY_PROCESSOR "!@streq XML" "ctl:'requestBodyProcessor=XML'": Rule not supported. 2016-03-14 13:12:48.943 [ERROR] [ModSecurity] unknown server variable while parsing: RESOURCE:OSVDB_VULNERABLE 2016-03-14 13:12:48.943 [ERROR] [ModSecurity] RESOURCE:OSVDB_VULNERABLE "@eq 1" "chain": Rule not supported. 2016-03-14 13:12:48.943 [ERROR] [ModSecurity] TX:POINTS_BLOCKING "@streq on": Previous rule in chain not supported. 2016-03-14 13:12:48.948 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains dateinterval::__construct():unknownorbadformat" "id:217100,rev:4,phase:5,pass,expirevar:'IP.buffer_dos_count=60',setvar:'IP.buffer_dos_count=+1',nolog,t:'none',t:'removeWhitespace',t:'lowercase'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:210210,rev:1,msg:'COMODO WAF: Apache Error: Invalid URI in Request.',phase:5,severity:4,pass,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{request_line}',t:'none'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210231,rev:2,chain,msg:'COMODO WAF: XMLRPC protection',phase:2,deny,status:403,log": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] REQUEST_HEADERS:Content-Type "^text/xml$" "chain,t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] REQUEST_FILENAME "@endsWith xmlrpc.php" "t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210230,rev:2,msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.',phase:2,severity:2,pass,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{REQBODY_ERROR_MSG}',t:'none'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] MULTIPART_STRICT_ERROR "!@eq 0" "id:210240,rev:1,msg:'COMODO WAF: Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}',phase:2,severity:2,block,setvar:'tx.points=+%{tx.points_limit4}',t:'none'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: ARGS_COMBINED_SIZE 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: FILES_COMBINED_SIZE 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:12:48.954 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_FILENAME 2016-03-14 13:12:48.954 [ERROR] [ModSecurity] MULTIPART_FILENAME "@rx \..+\.$": Rule not supported. 2016-03-14 13:13:11.357 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_PROCESSOR 2016-03-14 13:13:11.357 [ERROR] [ModSecurity] REQBODY_PROCESSOR "!@streq XML" "ctl:'requestBodyProcessor=XML'": Rule not supported. 2016-03-14 13:13:11.473 [ERROR] [ModSecurity] unknown server variable while parsing: RESOURCE:OSVDB_VULNERABLE 2016-03-14 13:13:11.473 [ERROR] [ModSecurity] RESOURCE:OSVDB_VULNERABLE "@eq 1" "chain": Rule not supported. 2016-03-14 13:13:11.473 [ERROR] [ModSecurity] TX:POINTS_BLOCKING "@streq on": Previous rule in chain not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains dateinterval::__construct():unknownorbadformat" "id:217100,rev:4,phase:5,pass,expirevar:'IP.buffer_dos_count=60',setvar:'IP.buffer_dos_count=+1',nolog,t:'none',t:'removeWhitespace',t:'lowercase'": Rule not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:210210,rev:1,msg:'COMODO WAF: Apache Error: Invalid URI in Request.',phase:5,severity:4,pass,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{request_line}',t:'none'": Rule not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210231,rev:2,chain,msg:'COMODO WAF: XMLRPC protection',phase:2,deny,status:403,log": Rule not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] REQUEST_HEADERS:Content-Type "^text/xml$" "chain,t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] REQUEST_FILENAME "@endsWith xmlrpc.php" "t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210230,rev:2,msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.',phase:2,severity:2,pass,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{REQBODY_ERROR_MSG}',t:'none'": Rule not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] MULTIPART_STRICT_ERROR "!@eq 0" "id:210240,rev:1,msg:'COMODO WAF: Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}',phase:2,severity:2,block,setvar:'tx.points=+%{tx.points_limit4}',t:'none'": Rule not supported. 2016-03-14 13:13:11.480 [ERROR] [ModSecurity] unknown server variable while parsing: ARGS_COMBINED_SIZE 2016-03-14 13:13:11.480 [ERROR] [ModSecurity] ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:13:11.480 [ERROR] [ModSecurity] unknown server variable while parsing: FILES_COMBINED_SIZE 2016-03-14 13:13:11.480 [ERROR] [ModSecurity] FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:13:11.486 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_FILENAME 2016-03-14 13:13:11.486 [ERROR] [ModSecurity] MULTIPART_FILENAME "@rx \..+\.$": Rule not supported. 2016-03-14 13:13:14.448 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_PROCESSOR 2016-03-14 13:13:14.448 [ERROR] [ModSecurity] REQBODY_PROCESSOR "!@streq XML" "ctl:'requestBodyProcessor=XML'": Rule not supported. 2016-03-14 13:13:14.567 [ERROR] [ModSecurity] unknown server variable while parsing: RESOURCE:OSVDB_VULNERABLE 2016-03-14 13:13:14.567 [ERROR] [ModSecurity] RESOURCE:OSVDB_VULNERABLE "@eq 1" "chain": Rule not supported. 2016-03-14 13:13:14.567 [ERROR] [ModSecurity] TX:POINTS_BLOCKING "@streq on": Previous rule in chain not supported. 2016-03-14 13:13:14.573 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:13:14.573 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains dateinterval::__construct():unknownorbadformat" "id:217100,rev:4,phase:5,pass,expirevar:'IP.buffer_dos_count=60',setvar:'IP.buffer_dos_count=+1',nolog,t:'none',t:'removeWhitespace',t:'lowercase'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:210210,rev:1,msg:'COMODO WAF: Apache Error: Invalid URI in Request.',phase:5,severity:4,pass,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{request_line}',t:'none'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210231,rev:2,chain,msg:'COMODO WAF: XMLRPC protection',phase:2,deny,status:403,log": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] REQUEST_HEADERS:Content-Type "^text/xml$" "chain,t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] REQUEST_FILENAME "@endsWith xmlrpc.php" "t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210230,rev:2,msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.',phase:2,severity:2,pass,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{REQBODY_ERROR_MSG}',t:'none'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] MULTIPART_STRICT_ERROR "!@eq 0" "id:210240,rev:1,msg:'COMODO WAF: Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}',phase:2,severity:2,block,setvar:'tx.points=+%{tx.points_limit4}',t:'none'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: ARGS_COMBINED_SIZE 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: FILES_COMBINED_SIZE 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:13:14.580 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_FILENAME 2016-03-14 13:13:14.580 [ERROR] [ModSecurity] MULTIPART_FILENAME "@rx \..+\.$": Rule not supported.
Well, still errors in Litespeed admin panel:
2016-03-14 13:18:34.074 ERROR [ModSecurity] failed to parse a modsec variable. while parsing: %{TIME_EPOCH}
2016-03-14 13:18:34.074 ERROR [ModSecurity] unknown server variable while parsing: FILES:import_file
2016-03-14 13:18:34.076 ERROR [ModSecurity] unknown server variable while parsing: FILES
2016-03-14 13:18:34.077 ERROR [ModSecurity] unknown server variable while parsing: FILES
2016-03-14 13:18:34.078 ERROR [ModSecurity] unknown server variable while parsing: MATCHED_VARS_NAMES
2016-03-14 13:18:34.078 ERROR [ModSecurity] unknown server variable while parsing: FILES_NAMES
2016-03-14 13:18:34.078 ERROR [ModSecurity] unknown server variable while parsing: FILES
2016-03-14 13:18:34.078 ERROR [ModSecurity] unknown server variable while parsing: FILES
2016-03-14 13:18:34.080 ERROR [ModSecurity] unknown server variable while parsing: Set-Cookie
2016-03-14 13:18:34.080 ERROR [ModSecurity] unknown server variable while parsing: Set-Cookie
This is with version 5.0.14 of Litespeed.
Variables FILES, FILES_NAMES, MATCHED_VARS_NAMES aren’t used in the LiteSpeed ruleset.
So, errors appear when Apache ruleset for LiteSpeed is used.
Ok.
Well, i uninstalled as your howto says.
Then how can I uninstall it correctly?
Please, try to remove them with
rm -rf /var/cpanel/cwaf/rules/*
Then run:
/var/cpanel/cwaf/scripts/updater.pl
/usr/local/lsws/bin/lswsctrl reload
Thanks. Seems to have fixed alot of the errors, but I still got this one:
Found 1 warning/error messages in the log: see more
Time Level Message
2016-03-16 10:39:48.471 ERROR [ModSecurity] unknown server variable while parsing: FILES_TMPNAMES
hello,
I rechecked all our linux web-server rulesets (Apache, LiteSpeed, Nginx) and didn’t found variable FILES_TMPNAMES there.
You are completely correct.
We had our own rule with FILES_TMPNAMES using maldet scanning upon uploading and that is not working with Litespeed 5.0.14, but I got it working fine with 5.1.14 so you can close this thread.
Thank for your help