Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
 Post subject: ASL on cpanel server w/ litespeed
Posted: Thu Oct 04, 2012 5:32 pm
Forum User

Joined: Mon Jun 11, 2012 1:10 pm
Posts: 60
Location: usa
Has anyone here ever gotten this setup to work?
Does it require any custom configuration to get this working properly?
From searching, I saw that litespeed doesn't fully support ASL due to old mod_rewrite they use.
But this post was from several years ago and I'm thinking it must have changed, as I see litespeed made several new updates to their software, stating they have improved mod_rewrite rules compatibility.


 Post subject: Re: ASL on cpanel server w/ litespeed
Posted: Thu Oct 04, 2012 6:02 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3600
Location: Chantilly, VA
Thanks for the question. You can use litespeed, but you must use the T-WAF to protect web applications served with litespeed. Also, litespeed has been compiled (in some versions) with a nasty stack smashing flag set. The ASL kernel won't allow an application to open a nasty hole like this on your system, so if you have a version of litespeed that has this vulnerability we recommend you report this to litespeed as a vulnerability (because it is). If you wish to ignore this vulnerability, just run with a non-secure kernel.

The big issue though is litespeed's modsecurity support. As you may know, Litespeed's waf module does not correctly support or completely implement the mod_security rule language, so it does not work with mod_security rules. If you load modsecurity rules with it, and it cannot correctly parse a rule, it will both not load it and it will do this silently. So you won't know that it hasn't loaded them correctly, and because it does not understand the modern rule language there's no telling what the loaded rules will or will not do. Modern modsecurity rules use branching logic (if then, else, etc.), so they are nothing like the rules of old when you just specify a regex and move on. The rules contain all kinds of complex logic, it's almost unfair to call them rules anymore, it's a language. And with Lua, some of the rules ARE in a programming language.

None of this appears or behaves as if it's supported in litespeed. From our end, if they just documented what they did and did not support we'd have a place to potentially start, but they don't document that so it's a total black box. We can say the rules just don't work right, all sorts of crazy things seem to happen.

So, unfortunately, right now there is nothing we can do to make our rules work with their waf module. We don't know what it supports, but we do know that it doesn't seem to understand the current modsecurity rule language (and it hasn't since at least 2.0 came out, and that was years ago).

We'd be thrilled if they supported the language correctly. You can read some of the thread opened by litespeed customers on this issue here:

http://www.litespeedtech.com/support/fo ... php?t=4619

We've given them access to the real time rules for years (for free), so the ball is in their court to make their module support the rule language. When the day comes they actually support the whole modsecurity rule language, and all the features in modsecurity, we'll throw them a parade.

So, use the T-WAF to protect litespeed.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
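
An added example, not part of the original posts and not Atomicorp's or LiteSpeed's code: because the post above describes a WAF module that skips rules it cannot parse without reporting it, one defensive step is to inventory which rules in a set rely on more than a single regex (chains, skip/skipAfter and SecMarker flow control, setvar state, SecRuleScript Lua) so each can be tested for enforcement. The sample rules, ids, marker name and file path are constructed, and splitting the action list on commas is a simplification.

```python
import shlex
# Constructed sample rules for illustration; ids, marker name and path are made up.
SAMPLE = r'''
SecRule ARGS "@rx <script" "id:100001,phase:2,deny,status:403"
SecRule REQUEST_METHOD "@streq POST" \
    "id:100002,phase:2,chain,deny"
SecRule REQUEST_HEADERS:Content-Length "@eq 0"
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" "id:100003,phase:1,pass,skipAfter:END_CHECKS"
SecRule ARGS:q "@pm select union" "id:100004,phase:2,setvar:tx.score=+5,pass"
SecMarker END_CHECKS
SecRuleScript /etc/modsec/check.lua "id:100005,phase:2,deny"
'''

ACTION_FEATURES = {"chain": "chain", "skip": "flow-control",
                   "skipAfter": "flow-control", "setvar": "variables"}
ACTIONS_AT = {"SecRule": 3, "SecRuleScript": 2}  # token index of the action list

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def audit(text):
    """Return [(rule id or '-', sorted features)] for every directive."""
    report = []
    for line in logical_lines(text):
        try:
            parts = shlex.split(line)
        except ValueError:
            report.append(("-", ["UNPARSED"]))  # report it, never drop it silently
            continue
        directive = parts[0] if parts else ""
        found = {"SecMarker": {"flow-control"}, "SecRuleScript": {"lua"}}.get(directive, set())
        idx = ACTIONS_AT.get(directive)
        actions = parts[idx] if idx is not None and len(parts) > idx else ""
        # Simplification: assumes no commas inside quoted action values such as msg:'...'
        acts = dict(a.strip().partition(":")[::2] for a in actions.split(","))
        found |= {ACTION_FEATURES[n] for n in acts if n in ACTION_FEATURES}
        report.append((acts.get("id", "-"), sorted(found)))
    return report
```

In the report for the sample, the `-` entry with no features is the second half of chained rule 100002, which carries no id of its own; every entry with a non-empty feature list depends on rule-language behaviour beyond a single regex match.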


 Post subject: Re: ASL on cpanel server w/ litespeed
Posted: Thu Oct 04, 2012 6:17 pm
Forum User

Joined: Mon Jun 11, 2012 1:10 pm
Posts: 60
Location: usa
Quote:
Also, litespeed has been compiled (in some versions)


Can you state which versions?
I'm currently on the latest stable version of theirs, which is 4.1.13.

I'd like the ability to use the ASL kernel on it, but please confirm if this won't work.
Thanks.


 Post subject: Re: ASL on cpanel server w/ litespeed
Posted: Thu Oct 04, 2012 6:20 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3600
Location: Chantilly, VA
Quote:
can you state which versions?


Unfortunately no. This seems to happen occasionally with their builds. You'll know if you have one with this vulnerability if litespeed won't start.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: ASL on cpanel server w/ litespeed
Posted: Thu Oct 04, 2012 6:38 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7861
Location: earth
Partial update here:

4.1.11 <- absolutely vulnerable
4.1.12 <- absolutely vulnerable
4.1.13 <- absolutely vulnerable


 Post subject: Re: ASL on cpanel server w/ litespeed
Posted: Thu Oct 04, 2012 7:49 pm
Forum User

Joined: Mon Jun 11, 2012 1:10 pm
Posts: 60
Location: usa
Thanks for the clarification.

