Modsec + Cloudlinux 7.x + Litespeed

Hedloff · March 13, 2016, 11:43pm

Hello,

Just installed latest version of Litespeed on a new Cloudlinux 7.x server and see some errors in the Litespeed admin panel as you can see here:
http://imgur.com/NUlvlHz

We’re using Comodo WAF plugin.
Got any ideas where to start looking?

Hedloff · March 14, 2016, 9:09am

Also opened a thread with Litespeed you can check out here:

akabakov · March 14, 2016, 11:08am

Hello,

I think these error appear because apache ruleset is used. It it possible?

Hedloff · March 14, 2016, 12:12pm

OMG! You are so correct!
Thank you! Will remove it and install for Litespeed

Hedloff · March 14, 2016, 12:22pm

Got no issues now on version 5.0.14 (Litespeed).
But when testing 5.1.4 I see alot of issues in apache error log:

2016-03-14 13:12:31.714 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_PROCESSOR 2016-03-14 13:12:31.714 [ERROR] [ModSecurity] REQBODY_PROCESSOR "!@streq XML" "ctl:'requestBodyProcessor=XML'": Rule not supported. 2016-03-14 13:12:31.830 [ERROR] [ModSecurity] unknown server variable while parsing: RESOURCE:OSVDB_VULNERABLE 2016-03-14 13:12:31.830 [ERROR] [ModSecurity] RESOURCE:OSVDB_VULNERABLE "@eq 1" "chain": Rule not supported. 2016-03-14 13:12:31.830 [ERROR] [ModSecurity] TX:POINTS_BLOCKING "@streq on": Previous rule in chain not supported. 2016-03-14 13:12:31.836 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:12:31.836 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains dateinterval::__construct():unknownorbadformat" "id:217100,rev:4,phase:5,pass,expirevar:'IP.buffer_dos_count=60',setvar:'IP.buffer_dos_count=+1',nolog,t:'none',t:'removeWhitespace',t:'lowercase'": Rule not supported. 2016-03-14 13:12:31.836 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:12:31.836 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:210210,rev:1,msg:'COMODO WAF: Apache Error: Invalid URI in Request.',phase:5,severity:4,pass,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{request_line}',t:'none'": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210231,rev:2,chain,msg:'COMODO WAF: XMLRPC protection',phase:2,deny,status:403,log": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] REQUEST_HEADERS:Content-Type "^text/xml$" "chain,t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] REQUEST_FILENAME "@endsWith xmlrpc.php" "t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210230,rev:2,msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.',phase:2,severity:2,pass,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{REQBODY_ERROR_MSG}',t:'none'": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] MULTIPART_STRICT_ERROR "!@eq 0" "id:210240,rev:1,msg:'COMODO WAF: Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}',phase:2,severity:2,block,setvar:'tx.points=+%{tx.points_limit4}',t:'none'": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: ARGS_COMBINED_SIZE 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] unknown server variable while parsing: FILES_COMBINED_SIZE 2016-03-14 13:12:31.837 [ERROR] [ModSecurity] FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:12:31.843 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_FILENAME 2016-03-14 13:12:31.843 [ERROR] [ModSecurity] MULTIPART_FILENAME "@rx \..+\.$": Rule not supported. 2016-03-14 13:12:48.838 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_PROCESSOR 2016-03-14 13:12:48.838 [ERROR] [ModSecurity] REQBODY_PROCESSOR "!@streq XML" "ctl:'requestBodyProcessor=XML'": Rule not supported. 2016-03-14 13:12:48.943 [ERROR] [ModSecurity] unknown server variable while parsing: RESOURCE:OSVDB_VULNERABLE 2016-03-14 13:12:48.943 [ERROR] [ModSecurity] RESOURCE:OSVDB_VULNERABLE "@eq 1" "chain": Rule not supported. 2016-03-14 13:12:48.943 [ERROR] [ModSecurity] TX:POINTS_BLOCKING "@streq on": Previous rule in chain not supported. 2016-03-14 13:12:48.948 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains dateinterval::__construct():unknownorbadformat" "id:217100,rev:4,phase:5,pass,expirevar:'IP.buffer_dos_count=60',setvar:'IP.buffer_dos_count=+1',nolog,t:'none',t:'removeWhitespace',t:'lowercase'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:210210,rev:1,msg:'COMODO WAF: Apache Error: Invalid URI in Request.',phase:5,severity:4,pass,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{request_line}',t:'none'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210231,rev:2,chain,msg:'COMODO WAF: XMLRPC protection',phase:2,deny,status:403,log": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] REQUEST_HEADERS:Content-Type "^text/xml$" "chain,t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] REQUEST_FILENAME "@endsWith xmlrpc.php" "t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210230,rev:2,msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.',phase:2,severity:2,pass,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{REQBODY_ERROR_MSG}',t:'none'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] MULTIPART_STRICT_ERROR "!@eq 0" "id:210240,rev:1,msg:'COMODO WAF: Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}',phase:2,severity:2,block,setvar:'tx.points=+%{tx.points_limit4}',t:'none'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: ARGS_COMBINED_SIZE 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] unknown server variable while parsing: FILES_COMBINED_SIZE 2016-03-14 13:12:48.949 [ERROR] [ModSecurity] FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:12:48.954 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_FILENAME 2016-03-14 13:12:48.954 [ERROR] [ModSecurity] MULTIPART_FILENAME "@rx \..+\.$": Rule not supported. 2016-03-14 13:13:11.357 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_PROCESSOR 2016-03-14 13:13:11.357 [ERROR] [ModSecurity] REQBODY_PROCESSOR "!@streq XML" "ctl:'requestBodyProcessor=XML'": Rule not supported. 2016-03-14 13:13:11.473 [ERROR] [ModSecurity] unknown server variable while parsing: RESOURCE:OSVDB_VULNERABLE 2016-03-14 13:13:11.473 [ERROR] [ModSecurity] RESOURCE:OSVDB_VULNERABLE "@eq 1" "chain": Rule not supported. 2016-03-14 13:13:11.473 [ERROR] [ModSecurity] TX:POINTS_BLOCKING "@streq on": Previous rule in chain not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains dateinterval::__construct():unknownorbadformat" "id:217100,rev:4,phase:5,pass,expirevar:'IP.buffer_dos_count=60',setvar:'IP.buffer_dos_count=+1',nolog,t:'none',t:'removeWhitespace',t:'lowercase'": Rule not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:210210,rev:1,msg:'COMODO WAF: Apache Error: Invalid URI in Request.',phase:5,severity:4,pass,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{request_line}',t:'none'": Rule not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210231,rev:2,chain,msg:'COMODO WAF: XMLRPC protection',phase:2,deny,status:403,log": Rule not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] REQUEST_HEADERS:Content-Type "^text/xml$" "chain,t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] REQUEST_FILENAME "@endsWith xmlrpc.php" "t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210230,rev:2,msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.',phase:2,severity:2,pass,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{REQBODY_ERROR_MSG}',t:'none'": Rule not supported. 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR 2016-03-14 13:13:11.479 [ERROR] [ModSecurity] MULTIPART_STRICT_ERROR "!@eq 0" "id:210240,rev:1,msg:'COMODO WAF: Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}',phase:2,severity:2,block,setvar:'tx.points=+%{tx.points_limit4}',t:'none'": Rule not supported. 2016-03-14 13:13:11.480 [ERROR] [ModSecurity] unknown server variable while parsing: ARGS_COMBINED_SIZE 2016-03-14 13:13:11.480 [ERROR] [ModSecurity] ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:13:11.480 [ERROR] [ModSecurity] unknown server variable while parsing: FILES_COMBINED_SIZE 2016-03-14 13:13:11.480 [ERROR] [ModSecurity] FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:13:11.486 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_FILENAME 2016-03-14 13:13:11.486 [ERROR] [ModSecurity] MULTIPART_FILENAME "@rx \..+\.$": Rule not supported. 2016-03-14 13:13:14.448 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_PROCESSOR 2016-03-14 13:13:14.448 [ERROR] [ModSecurity] REQBODY_PROCESSOR "!@streq XML" "ctl:'requestBodyProcessor=XML'": Rule not supported. 2016-03-14 13:13:14.567 [ERROR] [ModSecurity] unknown server variable while parsing: RESOURCE:OSVDB_VULNERABLE 2016-03-14 13:13:14.567 [ERROR] [ModSecurity] RESOURCE:OSVDB_VULNERABLE "@eq 1" "chain": Rule not supported. 2016-03-14 13:13:14.567 [ERROR] [ModSecurity] TX:POINTS_BLOCKING "@streq on": Previous rule in chain not supported. 2016-03-14 13:13:14.573 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:13:14.573 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains dateinterval::__construct():unknownorbadformat" "id:217100,rev:4,phase:5,pass,expirevar:'IP.buffer_dos_count=60',setvar:'IP.buffer_dos_count=+1',nolog,t:'none',t:'removeWhitespace',t:'lowercase'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: WEBSERVER_ERROR_LOG 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:210210,rev:1,msg:'COMODO WAF: Apache Error: Invalid URI in Request.',phase:5,severity:4,pass,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{request_line}',t:'none'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210231,rev:2,chain,msg:'COMODO WAF: XMLRPC protection',phase:2,deny,status:403,log": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] REQUEST_HEADERS:Content-Type "^text/xml$" "chain,t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] REQUEST_FILENAME "@endsWith xmlrpc.php" "t:'none',t:'lowercase'": Previous rule in chain not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: REQBODY_ERROR 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] REQBODY_ERROR "!@eq 0" "id:210230,rev:2,msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.',phase:2,severity:2,pass,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{REQBODY_ERROR_MSG}',t:'none'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] MULTIPART_STRICT_ERROR "!@eq 0" "id:210240,rev:1,msg:'COMODO WAF: Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}',phase:2,severity:2,block,setvar:'tx.points=+%{tx.points_limit4}',t:'none'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: ARGS_COMBINED_SIZE 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] unknown server variable while parsing: FILES_COMBINED_SIZE 2016-03-14 13:13:14.574 [ERROR] [ModSecurity] FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "setvar:'tx.points=+%{tx.points_limit1}',t:'none'": Rule not supported. 2016-03-14 13:13:14.580 [ERROR] [ModSecurity] unknown server variable while parsing: MULTIPART_FILENAME 2016-03-14 13:13:14.580 [ERROR] [ModSecurity] MULTIPART_FILENAME "@rx \..+\.$": Rule not supported.

Hedloff · March 14, 2016, 12:25pm

Well, still errors in Litespeed admin panel:
2016-03-14 13:18:34.074 ERROR [ModSecurity] failed to parse a modsec variable. while parsing: %{TIME_EPOCH}
2016-03-14 13:18:34.074 ERROR [ModSecurity] unknown server variable while parsing: FILES:import_file
2016-03-14 13:18:34.076 ERROR [ModSecurity] unknown server variable while parsing: FILES
2016-03-14 13:18:34.077 ERROR [ModSecurity] unknown server variable while parsing: FILES
2016-03-14 13:18:34.078 ERROR [ModSecurity] unknown server variable while parsing: MATCHED_VARS_NAMES
2016-03-14 13:18:34.078 ERROR [ModSecurity] unknown server variable while parsing: FILES_NAMES
2016-03-14 13:18:34.078 ERROR [ModSecurity] unknown server variable while parsing: FILES
2016-03-14 13:18:34.078 ERROR [ModSecurity] unknown server variable while parsing: FILES
2016-03-14 13:18:34.080 ERROR [ModSecurity] unknown server variable while parsing: Set-Cookie
2016-03-14 13:18:34.080 ERROR [ModSecurity] unknown server variable while parsing: Set-Cookie

This is with version 5.0.14 of Litespeed.

akabakov · March 14, 2016, 2:29pm

Variables FILES, FILES_NAMES, MATCHED_VARS_NAMES aren’t used in the LiteSpeed ruleset.
So, errors appear when Apache ruleset for LiteSpeed is used.

Hedloff · March 14, 2016, 4:05pm

Ok.
Well, i uninstalled as your howto says.
Then how can I uninstall it correctly?

akabakov · March 14, 2016, 4:12pm

Please, try to remove them with

rm -rf /var/cpanel/cwaf/rules/*

Then run:

/var/cpanel/cwaf/scripts/updater.pl

/usr/local/lsws/bin/lswsctrl reload

Hedloff · March 16, 2016, 9:42am

Thanks. Seems to have fixed alot of the errors, but I still got this one:

Found 1 warning/error messages in the log: see more
Time Level Message
2016-03-16 10:39:48.471 ERROR [ModSecurity] unknown server variable while parsing: FILES_TMPNAMES

akabakov · March 16, 2016, 3:03pm

hello,

I rechecked all our linux web-server rulesets (Apache, LiteSpeed, Nginx) and didn’t found variable FILES_TMPNAMES there.

Hedloff · March 28, 2016, 6:11pm

You are completely correct.
We had our own rule with FILES_TMPNAMES using maldet scanning upon uploading and that is not working with Litespeed 5.0.14, but I got it working fine with 5.1.14 so you can close this thread.

Thank for your help