How to enable ModSecurity on OLS?

How Can We Help?
< Back
You are here:
Print

How to enable mod_security such as OWASP or COMODO rule set on OLS?

The ModSecurity module allows OpenLiteSpeed to use common ModSecurity rules to improve server security. For this guide, we assume you already have a working installation of OpenLiteSpeed 1.4.29 or greater. OpenLiteSpeed began supporting modules in version 1.3 but has only included and supported the ModSecurity module as of version 1.4.29.

If you install OpenLiteSpeed through packages, such as yum or apt-get, ModSecurity module may have been included in your package already. Check the file /usr/local/lsws/modules/mod_security.so to see if it exists or not. If it exists, you can skip the ModSecurity module installation step and go directly to “set up the module” section directly. You can also check if the module has been installed by listing files in the openlitespeed package, for example on CentOS system:

rpm -ql openlitespeed

From the output of file list, you can see if it has been installed or not. The following output is from 1.5.7 openlitespeed CentOS7 package.

/usr/local/lsws/modules
/usr/local/lsws/modules/cache.so
/usr/local/lsws/modules/mod_js.so
/usr/local/lsws/modules/mod_security.so
/usr/local/lsws/modules/modinspector.so
/usr/local/lsws/modules/modpagespeed.so
/usr/local/lsws/modules/modreqparser.so
/usr/local/lsws/modules/uploadprogress.so

If mod_security.so doesn’t exist, you will need to install the ModSecurity module separately through the way appliable to your original OLS installation method. If you install OpenLiteSpeed through source code, The ModSecurity module may not be added automatically, requiring you to build it yourself.

OLS only supports ModSecurity 3.x, but not 2.x

The OLS ModSecurity engine uses the latest ModSecurity 3.x only and doesn’t support ModSecurity 2.x rule set.

For OWASP, please make sure to use ModSecurity Core Rule Set (CRS) Version 3.

For Comodo Rule set, all currently commonly used rule sets including those named “LiteSpeed”,”Apache”,”Nginx” or “IIS” are ModSecurity 2.x rule sets. Such Comodo “LiteSpeed” rule sets will not match the OpenLiteSpeed ModSecurity 3.x engine and should not be used.  To use the Comodo rules, use the “Nginx/ModSec_3.0″ release of their rules (don’t confuse it with the name Nginx since the RuleSet is just a ModSec_3.0 set and works with the OpenLiteSpeed mod_security Engine as well). The following snapshot of Comodo WAF download portal shows you the different rule set and make sure you download the right one to work with OpenLiteSpeed.

 

You should use only one set at a time (either Comodo or CRS) to avoid conflicts.

This wiki discusses how to add and configure OpenLiteSpeed’s ModSecurity module.

OpenLiteSpeed should be 1.4.29 or higher to use mod_security

Download and install or upgrade to OpenLiteSpeed 1.4.29 or higher if you have not done so already

The ModSecurity module is available as of OpenLiteSpeed version 1.4.29.

Add the ModSecurity Module when mod_security.so doesn’t exist

Please check if /usr/local/lsws/modules/mod_security.so exists or not. If so, you should skip this ModSecurity Module installation step. If it doesn’t exist, please choose one of the module installation methods the same as your OLS installation method so you don’t mix them up.

Method 1. Install from Repository

You may install via apt or yum with one of the following commands:

apt-get install ols-modsecurity -y
yum install ols-modsecurity -y

Method 2. Download from Binary

Visit the download page and download the binary file. Untar the file with the following command:

tar -zxf openlitespeed-x.x.x.tgz

Copy openlitespeed/modules/mod_security.so to your openlitespeed folder in /usr/local/lsws/modules.

Method 3. Build from source

Enter the ModSecurity module directory and run the make command to get the latest version supported by OpenLiteSpeed, like so:

cd /openlitespeed_download/src/modules/modsecurity-ls
make -f Makefile.f

Do not use other versions of ModSecurity as they may not be supported. (The currently supported version of ModSecurity can be found in our release log.)
All dependencies should be automatically handled in this step. If you encounter any problems at this stage, you can build the module manually by following the instructions here.

Copy the compiled module to the modules directory, like so:

cp mod_security.so /usr/local/lsws/modules

Set up the Module with a simple test rule and verify if mod_security works on OLS or not

You can set up ModSecurity module through OLS webadmin console if you like.

For the users who prefer the command line way, you can edit OpenliteSpeed’s conf file directly from the command line and append the following content to httpd_config.conf. You may combine rules, or list them out over multiple lines.

A simple rule which would deny access to phpinfo.php might look something like this (you might choose to take this out later, to allow the use of phpinfo):

module mod_security {
modsecurity  on
modsecurity_rules `
SecRuleEngine On
SecRule REQUEST_URI "@pm phpinfo.php" "phase:1,id:'10',log,deny,status:403"
`
modsecurity_rules_file          /rule/file/path
  ls_enabled              1
 }

Note:

modsecurity on|off, you will need to choose on or off (usually on).

modsecurity_rules should use “`” to enclose the ruleset at the beginning and the end of the rule. You can include multiple rules but keep in mind that mod_security rules are loading in order and make sure you sort the configuration files and load them on the right order.

modsecurity_rules_file should specify the file path to the rules. This file must exist and be correct (see below) if you specify this option.

ls_enabled 1 is used to have OpenLiteSpeed activate the modsecurity module. If using the user interface, this is not specified with the other rules but as described below.

To test this:

  • Before adding the definition, verify that https://example.com/phpinfo.php works and delivers a phpinfo as expected in your browser.
  • Add the sample rule above
  • Pull down the `Enable` option On to enable the mod_security plugin
  • Restart openlitespeed
  • Retry the URI in your browser and you should see a 403 message on the screen.

Again, this is just a test sample to verify ModSecurity working or not and you may want to remove it before going into production.

Enabling COMODO ModSec_3.0 rule set on OLS?

As we have already mentioned, the commonly used Comodo rule set for LiteSpeed Enterprise web server (or for other web servers) is ModSec_2.0 rule set and they won’t work on OLS ModSec_3.0 Engine.  Please ensure to download the “Nginx/ModSec_3.0″ release of their rules as indicated earlier.

Download ModSec_3.0 COMODO rule set

Login to your account at https://waf.comodo.com/ and download full rule set of Nginx/ModSec_3.0.  The file named with version number as .tgz file.

cwaf_rules_nginx_3-1.223.tgz

Use ftp tool to transfer this file to your server such as /usr/local/lsws/modsec/comodo/ ( create folder if it doesn’t exist).

comodo# pwd
/usr/local/lsws/modsec/comodo
comodo# ll
total 308
-rw-r--r-- 1 root root 312040 Oct 23 15:04 cwaf_rules_nginx_3-1.223.tgz
comodo# tar -zxvf cwaf_rules_nginx_3-1.223.tgz
comodo# mv rules.conf.main rules.conf

Comodo has already provided an example master file rules.conf.main to include all rules. We simply rename it to rules.conf. You can configure to use this Master COMODO rule file instead of manually include all rule files one by one in order.

comodo# cat rules.conf
Include 00_Init_Initialization.conf
Include 01_Init_AppsInitialization.conf
Include 02_Global_Generic.conf
Include 03_Global_Agents.conf
Include 04_Global_Domains.conf
Include 05_Global_Incoming.conf
Include 06_Global_Backdoor.conf
Include 07_XSS_XSS.conf
Include 08_Global_Other.conf
Include 09_Bruteforce_Bruteforce.conf
Include 10_HTTP_HTTP.conf
Include 11_HTTP_HTTPDoS.conf
Include 12_HTTP_Protocol.conf
Include 13_HTTP_Request.conf
Include 14_Outgoing_FilterGen.conf
Include 15_Outgoing_FilterASP.conf
Include 16_Outgoing_FilterPHP.conf
Include 17_Outgoing_FilterSQL.conf
Include 18_Outgoing_FilterOther.conf
Include 19_Outgoing_FilterInFrame.conf
Include 20_Outgoing_FiltersEnd.conf
Include 21_PHP_PHPGen.conf
Include 22_SQL_SQLi.conf
Include 23_ROR_RORGen.conf
Include 24_Apps_Joomla.conf
Include 25_Apps_JComponent.conf
Include 26_Apps_WordPress.conf
Include 27_Apps_WPPlugin.conf
Include 28_Apps_WHMCS.conf
Include 29_Apps_Drupal.conf
Include 30_Apps_OtherApps.conf

Configure OLS to use Comodo Master ModSecurity rule file

module mod_security {
modsecurity  on
modsecurity_rules `
SecRuleEngine On
`
modsecurity_rules_file /usr/local/lsws/modsec/comodo/rules.conf }

Save the change and restart OLS.

Testing Comodo ModSec 3.0 with OLS

Enabling OWASP ModSec_3.0 rule set on OLS?

Download OWASP 3 Rule set

mkdir -p  /usr/local/lsws/modsec/owasp
cd /usr/local/lsws/modsec/owasp/
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.4.zip
unzip -qq v3.3.4.zip
mv coreruleset-* crs30
cd crs30
# pwd
/usr/local/lsws/modsec/owasp/crs30

Rename the sample crs-setup.conf.example to crs-setup.conf

mv crs-setup.conf.example crs-setup.conf

Rename some sample rules under rules/ directory

cd rules
# mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cd ..

Create a Master file

vi owasp-master.conf

inside owasp-master.conf:

include /usr/local/lsws/modsec/owasp/crs30/crs-setup.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-901-INITIALIZATION.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-910-IP-REPUTATION.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-912-DOS-PROTECTION.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-913-SCANNER-DETECTION.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/RESPONSE-950-DATA-LEAKAGES.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/RESPONSE-980-CORRELATION.conf
include /usr/local/lsws/modsec/owasp/crs30/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Configure OLS to use OWASP Master ModSecurity rule file

module mod_security {
modsecurity  on
modsecurity_rules `
SecRuleEngine On
`
modsecurity_rules_file         /usr/local/lsws/modsec/owasp/crs30/owasp-master.conf
}

Save and restart OLS.

Testing OWASP ModSec 3.0 with OLS

Troubleshooting

You can turn on detailed auditing, including debug logging, if the rules are not working as expected.

module mod_security {
modsecurity  on
modsecurity_rules `
SecRuleEngine On
SecDebugLog /tmp/auditlog-debug.txt
SecDebugLogLevel 9
SecAuditLogParts AB
SecAuditEngine On
SecAuditLog /tmp/auditlog.txt
SecAuditLogType Serial
SecAuditLogStorageDir /tmp/
SecRule REQUEST_URI "@pm phpinfo.php" "phase:1,id:'10',log,deny,status:403"
` }

An attempt to access the phpinfo.php file will result in a large number of updates to the /tmp/auditlog-debug.txt file and a smaller number to the /tmp/auditlog.txt file.  We recommend that you not enable debug logging unless necessary in production. Additionally, we suggest that you only enable more limited audit logging when there are techniques in place to prune the logs.

Another quick test method is XSS attack by appending ?user=<script>alert(123)</script>; on your URL, if the mod_security rule works, then we will expect a 403 status return.

 

Notes:

  • The last occurrence of mod_security on|off will be the one that takes effect.
  • We recommend that you use backticks ` (as shown above) to surround mod_security_rules rules to avoid any possible issues with single and double quotes used in the rules themselves.
  • mod_security_rulesmod_security_rules_file, and mod_security_rules_remote can mixed and used multiple times each if desired with all rules being combined.