ModSecurity Module


The ModSecurity module allows OpenLiteSpeed to use common ModSecurity rules to improve server security. For this guide, we assume you already have a working installation of OpenLiteSpeed 1.4.29 or greater. OpenLiteSpeed began supporting modules in version 1.3 but has only included and supported the ModSecurity module as of version 1.4.29.

If you install OpenLiteSpeed through packages, such as yum or apt-get, the ModSecurity module is included. If you install OpenLiteSpeed from source code, the ModSecurity module may not be added to the installation automatically and you must build it yourself.

The OLS ModSecurity engine uses the latest ModSecurity 3.x, so you can use the OWASP ModSecurity Core Rule Set (CRS) version 3. A ModSecurity 2.x rule set, such as the Comodo LiteSpeed rule set, is not written for the ModSecurity 3.x engine and may not work.

This wiki discusses how to add and configure OpenLiteSpeed’s ModSecurity module.

Installing The LiteSpeed ModSecurity Module

Download and install OpenLiteSpeed 1.4.29 or higher if you have not done so already

The ModSecurity module is available as of OpenLiteSpeed version 1.4.29.

Add & Build The ModSecurity Module (Optional)

Go into the ModSecurity module directory /openlitespeed_download/src/modules/modsecurity-ls and run the make -f Makefile.f command to build the latest ModSecurity version supported by OpenLiteSpeed. Do not use other versions of ModSecurity, as they may not be supported. (The currently supported version of ModSecurity can be found in our release log.)

cd /openlitespeed_download/src/modules/modsecurity-ls
make -f Makefile.f

All dependencies should be automatically handled in this step. If you encounter any problems at this stage, you can build the module manually by following the instructions here.

Move The Compiled Module To The Modules Directory:

cp mod_security.so /usr/local/lsws/modules

Set up Module From httpd_config.conf

Instead of adding the ModSecurity module from the WebAdmin Console, you can also edit OpenLiteSpeed's configuration file directly from the command line and append the following content to httpd_config.conf. You may combine rules in one block, or list them out over multiple lines.

A simple rule that denies access to phpinfo.php might look like this (you might choose to take this out later, to allow the use of phpinfo):

module mod_security {
    modsecurity on
    modsecurity_rules `
    SecRuleEngine On
    SecRule REQUEST_URI "@pm phpinfo.php" "phase:1,id:'10',log,deny,status:403"
    `
}

To test this:

  • Before adding the definition, verify that https://127.0.0.1:8088/phpinfo.php works and delivers a phpinfo page as expected in your browser.
  • Add the sample rule above.
  • Restart (recycle) OpenLiteSpeed so the new configuration is loaded.
  • Retry the URI in your browser; you should now see a 403 message on the screen.

Again, this is just a sample and you may want to remove it before going into production.

A more useful example points to downloaded rules. In the example below, the module loads one of the files in the Comodo rule set:

module mod_security {
    modsecurity on
    modsecurity_rules `
    SecRuleEngine On
    `
    modsecurity_rules_file /usr/local/lsws/comodo/rules.conf
}

Before going into production, decide on the rule set to use and make sure its files are updated regularly.

Troubleshooting

If the rules are not working as expected, you can turn on detailed audit logging, including the ModSecurity debug log:

module mod_security {
    modsecurity on
    modsecurity_rules `
    SecRuleEngine On
    SecDebugLog /tmp/auditlog-debug.txt
    SecDebugLogLevel 9
    SecAuditLogParts AB
    SecAuditEngine On
    SecAuditLog /tmp/auditlog.txt
    SecAuditLogType Serial
    SecAuditLogStorageDir /tmp/
    SecRule REQUEST_URI "@pm phpinfo.php" "phase:1,id:'10',log,deny,status:403"
    `
}

An attempt to access the phpinfo.php file will result in a large number of entries in the /tmp/auditlog-debug.txt file and a smaller number in the /tmp/auditlog.txt file. We recommend that you not enable debug logging in production unless necessary. Additionally, we suggest that you enable even the more limited audit logging only when there are techniques in place to prune the logs.
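To see what the audit log in /tmp/auditlog.txt actually recorded, here is an added Python example (not part of this wiki or of OpenLiteSpeed) that parses the serial format written with SecAuditLogParts AB and counts, per client IP, the audited requests whose URI contains phpinfo.php, mirroring the @pm match in the sample rule. The log content is a constructed sample, and the part A field layout (timestamp, transaction id, client IP and port, server IP and port) is assumed.

```python
import re
from collections import Counter
# Constructed sample (not a real capture) of the serial audit log that the troubleshooting
# configuration above writes to /tmp/auditlog.txt with SecAuditLogParts AB.
SAMPLE_AUDIT_LOG = """\
--b3f1a2c9-A--
[12/Mar/2021:14:03:11 +0000] 161557459100.123456 192.0.2.10 51234 203.0.113.5 8088
--b3f1a2c9-B--
GET /phpinfo.php HTTP/1.1
--b3f1a2c9-Z--

--c7d2e411-A--
[12/Mar/2021:14:03:15 +0000] 161557459500.654321 192.0.2.10 51236 203.0.113.5 8088
--c7d2e411-B--
GET /old/phpinfo.php?x=1 HTTP/1.1
--c7d2e411-Z--

--e9a0b5f7-A--
[12/Mar/2021:14:04:02 +0000] 161557464200.111111 198.51.100.7 40000 203.0.113.5 8088
--e9a0b5f7-B--
GET /index.php HTTP/1.1
--e9a0b5f7-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")  # "--<txn-id>-<part letter>--"

def parse_serial_audit_log(text):
    """Return {transaction_id: {part_letter: part_text}} for a serial audit log."""
    transactions, tid, part = {}, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tid, part = m.groups()
            transactions.setdefault(tid, {}).setdefault(part, [])
        elif tid is not None:
            transactions[tid][part].append(line)
    return {t: {p: "\n".join(v).strip() for p, v in parts.items()}
            for t, parts in transactions.items()}

def audited_requests(text):
    """Yield (client_ip, method, uri) per transaction, taken from parts A and B."""
    for parts in parse_serial_audit_log(text).values():
        # A (assumed layout): "[timestamp] <txn-id> <client-ip> <client-port> <server-ip> <server-port>"
        a = parts.get("A", "").split("]", 1)[-1].split()
        b = parts.get("B", "").split("\n", 1)[0].split()  # B opens with the request line
        if len(a) >= 2 and len(b) >= 2:
            yield a[1], b[0], b[1]

def hits_per_client(text, needle="phpinfo.php"):
    # Count audited requests per client IP whose URI contains the denied string
    return Counter(ip for ip, _, uri in audited_requests(text) if needle in uri)
```

Run it against the real file with hits_per_client(open("/tmp/auditlog.txt").read()) to confirm that the 403s you saw in the browser were logged by the module rather than by something else.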

Notes:

  • The last occurrence of modsecurity on|off is the one that takes effect.
  • We recommend that you use backticks ` (as shown above) to surround the modsecurity_rules value, to avoid any possible issues with single and double quotes used in the rules themselves.
  • modsecurity_rules, modsecurity_rules_file, and modsecurity_rules_remote can be mixed and each used multiple times if desired, with all rules being combined.