LFD ignoring mod_security

Posted: 07 Jun 2020, 19:22
by nullmem
I cannot seem to get this to work. I am running openlitespeed with the mod_security 3.0 module on a non-cPanel CentOS 8 server. It denies access when using the test URL and logs the event like it's supposed to, but LFD completely ignores it.

csf.conf has the following:
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
MODSEC_LOG = "/usr/local/lsws/logs/error.log"

I even tried...
MODSEC_LOG = "/usr/local/lsws/logs/modsec_audit.log"

The error.log shows this...

2020-06-07 13:20:34.473462 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155403427.436882"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
2020-06-07 13:20:34.473510 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155403427.436882"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
2020-06-07 13:20:34.473559 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security]Intervention status code triggered: 403
2020-06-07 13:20:34.473576 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security]Log Message: [client 174.244.80.206] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "Generic"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155403427.436882"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
and the modsec_audit.log shows this....

---5Iq8Szbw---A--
[07/Jun/2020:13:21:28 -0500] 159155408883.519983 174.244.80.206 55734 www.danielsblog.org 443
---5Iq8Szbw---B--
GET /?a=../../etc/passwd HTTP/1.1
Cdn-Loop: cloudflare
Cf-Connecting-Ip: 174.244.80.206
Cf-Request-Id: 03319d363900000ec2103d7200000001
x-forwarded-for: 174.244.80.206
cache-control: no-cache
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cf-Ray: 59fc649d2fca0ec2-DFW
pragma: no-cache
host: www.danielsblog.org
Cf-Ipcountry: US
user-agent: Mozilla/5.0 (iPhone; CPU OS 13_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/26.0  Mobile/15E148 Safari/605.1.15
Cf-Origin-Https: on
X-Forwarded-Proto: https
cookie: wphc_seen=1; _ga=GA1.2.900538470.1560083748; __cfduid=de3e89cd17350eddbac5deef44f75c5001564151543
accept-language: en-us
Cf-Visitor: {"scheme":"https"}

---5Iq8Szbw---F--
HTTP/1.1 403
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache

---5Iq8Szbw---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155408883.519983"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
ModSecurity: Warning. Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155408883.519983"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "Generic"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155408883.519983"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]

---5Iq8Szbw---Z--

I have a similar setup on cPanel servers with LiteSpeed Enterprise and they all work. Anyone have any idea why this won't work?

Re: LFD ignoring mod_security

Posted: 08 Jun 2020, 01:29
by nullmem
I did some more testing. I removed all rules and created a simple test rule that denies access when you try to access phpinfo.php

SecRule REQUEST_URI "@pm phpinfo.php" "phase:1,id:'10',log,deny,status:403"
error.log

2020-06-07 19:27:02.569178 [INFO] [172.69.66.60:41142#danielsblog.org] [Module:Mod_Security]Intervention status code triggered: 403
2020-06-07 19:27:02.569208 [INFO] [172.69.66.60:41142#danielsblog.org] [Module:Mod_Security]Log Message: [client 174.244.80.206] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Pm' with parameter `phpinfo.php' against variable `REQUEST_URI' (Value: `/phpinfo.php' ) [file "/usr/local/lsws/modsec/comodo/00_Init_Initialization.conf"] [line "1"] [id "10"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.danielsblog.org"] [uri "/phpinfo.php"] [unique_id "159157602257.676711"] [ref "o1,11v4,12"]
access.log

["danielsblog.org"] 174.244.80.206 - - [07/Jun/2020:19:28:00 -0500] "GET /phpinfo.php HTTP/1.1" 403 1227 "-" "Mozilla/5.0 (iPhone; CPU OS 13_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/26.0  Mobile/15E148 Safari/605.1.15"
lfd still refuses to ban the IP. The IP is not in csf.ignore.

Re: LFD ignoring mod_security

Posted: 08 Jun 2020, 03:43
by Sergio
For me it is better to find ModSec blocks info on /etc/apache2/logs/error_log

Check if you have that file and you can use that file to write your own rule at:
/usr/local/csf/bin/regex.custom.pm

Sergio

Re: LFD ignoring mod_security

Posted: 08 Jun 2020, 05:01
by nullmem
Sergio wrote: 08 Jun 2020, 03:43 For me it is better to find ModSec blocks info on /etc/apache2/logs/error_log

Check if you have that file and you can use that file to write your own rule at:
/usr/local/csf/bin/regex.custom.pm

Sergio
Well, I am not an expert with regex, but the syntax seemed fairly simple. I tested it and it works. If anyone is running Open Litespeed with mod_security, this should fix your problem. If anyone can clean up my terrible regex, that would be great too. Not sure why LFD doesn't work with the Open Litespeed web server; I never found the regex the LFD core is using, so I don't know what went wrong with the match.

# Fix lack of support for ModSecurity with Open Litespeed
if (($lgfile eq $config{MODSEC_LOG}) and ($line =~ /\[Module:Mod_Security\]Log\sMessage:\s\[client\s(\S+)\]\sModSecurity:\sAccess\sdenied\swith\scode\s403/))  {
        return ("ModSecurity: 403 triggered by",$1,"mod_security","1","1");
}
I updated the code with suggestions from Sergio below.
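An added example, not part of the thread and not csf/lfd code: it takes nullmem's regex from the regex.custom.pm snippet above, unchanged, and runs it over abridged copies of the OpenLiteSpeed error.log lines quoted earlier in the thread, so you can see which lines lfd would act on (only the "Log Message: ... Access denied" line, not the preceding "Warning" or "Intervention" lines) and which address the capture group yields. The `lfd_trigger` and `parse_denials` functions, the `PEER_RE`/`RULE_ID_RE` patterns and the sample text are all constructed here for illustration; the regex syntax used is the same in Perl and Python.

```python
import re
from collections import Counter

# Constructed sample: abridged copies of the error.log lines quoted in the thread.
# The bracketed prefix ([108.162.220.89:20120#...]) is the TCP peer OpenLiteSpeed saw;
# [client ...] is the address ModSecurity reports for the request.
SAMPLE_LOG = """\
2020-06-07 13:20:34.473462 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [id "211190"]
2020-06-07 13:20:34.473559 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security]Intervention status code triggered: 403
2020-06-07 13:20:34.473576 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security]Log Message: [client 174.244.80.206] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [id "211190"]
2020-06-07 19:27:02.569208 [INFO] [172.69.66.60:41142#danielsblog.org] [Module:Mod_Security]Log Message: [client 174.244.80.206] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Pm' with parameter `phpinfo.php' against variable `REQUEST_URI' (Value: `/phpinfo.php' ) [id "10"]
"""

# nullmem's pattern from regex.custom.pm, copied verbatim.
DENY_RE = re.compile(
    r"\[Module:Mod_Security\]Log\sMessage:\s\[client\s(\S+)\]\sModSecurity:\sAccess\sdenied\swith\scode\s403"
)
# Added here (hypothetical helpers): the TCP peer in the OpenLiteSpeed prefix and the rule id.
PEER_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3}):\d+#")
RULE_ID_RE = re.compile(r'\[id "([^"]*)"\]')


def lfd_trigger(line):
    """Mirror the regex.custom.pm return tuple: (description, ip, app, count, perm), or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return ("ModSecurity: 403 triggered by", m.group(1), "mod_security", "1", "1")


def parse_denials(text):
    """One record per 'Access denied' line; Warning and Intervention lines are skipped."""
    records = []
    for line in text.splitlines():
        hit = lfd_trigger(line)
        if hit is None:
            continue
        peer = PEER_RE.search(line)
        rule = RULE_ID_RE.search(line)
        peer_ip = peer.group(1) if peer else None
        records.append({
            "client": hit[1],                 # what lfd would ban
            "peer": peer_ip,                  # where the packets actually came from
            "rule_id": rule.group(1) if rule else None,
            "proxied": peer_ip is not None and peer_ip != hit[1],
        })
    return records


def denials_by_client(text):
    """Count denials per reported client, the number lfd compares against LF_MODSEC."""
    return Counter(r["client"] for r in parse_denials(text))


if __name__ == "__main__":
    for rec in parse_denials(SAMPLE_LOG):
        print(rec)
    print(denials_by_client(SAMPLE_LOG))
```

One thing the records make visible: in both denials the reported client (174.244.80.206, the value of the Cf-Connecting-Ip header in the audit log) differs from the TCP peer (108.162.220.89 and 172.69.66.60), because the site is fronted by Cloudflare. A packet-filter ban on the captured address blocks that visitor only for direct connections; requests arriving through the CDN's edge addresses are unaffected, so on a proxied site the firewall ban alone will not stop the source of the blocked requests.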

Re: LFD ignoring mod_security

Posted: 08 Jun 2020, 05:22
by Sergio
Nice, the rule is ok if it works, :-)
I just would use "\s" instead of "\s+" if there is only one space between words, but it is not important.
I always use regex101.com to check my REGEX and to see the speed of the rule.

Sergio

Re: LFD ignoring mod_security

Posted: 09 Jun 2020, 17:02
by nullmem
Sergio wrote: 08 Jun 2020, 05:22 Nice, the rule is ok if it works, :-)
I just would use "\s" instead of "\s+" if there is only one space between words, but it is not important.
I always use regex101.com to check my REGEX and to see the speed of the rule.

Sergio
I updated code above with your suggestions. Hopefully it helps someone else out. This drove me nuts for a few hours.

Re: LFD ignoring mod_security

Posted: 09 Jun 2020, 19:44
by Sergio
Nice to read that it is working, congrats.

Sergio