owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Assistance Required with ModSecurity Rule Compatibility for OpenLiteSpeed #3169

Open admiral504 opened 5 months ago

admiral504 commented 5 months ago

I recently came across the following ModSecurity rule intended to limit client hits by user agent:

SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" \
    "id:400009,phase:2,nolog,pass,setvar:global.ratelimit_facebookexternalhit=+1,expirevar:global.ratelimit_facebookexternalhit=3"
SecRule GLOBAL:RATELIMIT_FACEBOOKEXTERNALHIT "@gt 1" \
    "chain,id:4000010,phase:2,pause:300,deny,status:429,setenv:RATELIMITED,log,msg:'RATELIMITED BOT'"
    SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit"
Header always set Retry-After "3" env=RATELIMITED
ErrorDocument 429 "Too Many Requests"

Unfortunately, this rule does not seem to work with OpenLiteSpeed. Could you please help me rewrite this ModSecurity rule to make it compatible with OpenLiteSpeed?

Thank you for your assistance.

airween commented 5 months ago

Hi @admiral504,

you've tagged this issue with 2.x, but as far as I know OpenLiteSpeed uses libmodsecurity3, doesn't it?

Btw. would you take a look at our issue template and fill in the issue with the expected content?

Based on your report, there isn't any relevant information, e.g.: what's the problem? What do you see in your error log? What do you mean when you write "rule does not seem to work"?

admiral504 commented 5 months ago

> Hi @admiral504,
>
> you've tagged this issue with 2.x, but as far as I know OpenLiteSpeed uses libmodsecurity3, doesn't it?
>
> Btw. would you take a look at our issue template and fill in the issue with the expected content?
>
> Based on your report, there isn't any relevant information, e.g.: what's the problem? What do you see in your error log? What do you mean when you write "rule does not seem to work"?

I found in /usr/local/lsws/logs/error.log

2024-06-10 12:33:01.730873 [NOTICE] Loading LiteSpeed/1.7.19 Open (lsquic 3.3.2, modgzip 1.1, cache 1.66, mod_security 1.4 (with libmodsecurity v3.0.12)) BUILD (built: Tue Apr 16 15:14:26 UTC 2024) ...

Do you think I'm using mod_security version 1.4 or 3.0.12?

These packages come with cyberpanel install.

By "rule does not seem to work" I mean: after I placed the rule in /usr/local/lsws/conf/modsec/rules.conf and restarted OpenLiteSpeed, I made several requests by repeatedly crawling with the Facebook Debugger. However, all the requests still returned a status of 200, not the expected 429:

172.68.26.8 - - [11/Jun/2024:01:21:31 +0700] "GET /robots.txt HTTP/1.1" 200 128 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.71.174.164 - - [11/Jun/2024:01:21:32 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
162.158.175.172 - - [11/Jun/2024:01:21:32 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.71.166.170 - - [11/Jun/2024:01:21:34 +0700] "GET / HTTP/1.1" 200 34331 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.68.26.185 - - [11/Jun/2024:01:21:36 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
162.158.114.2 - - [11/Jun/2024:01:21:38 +0700] "POST /wp-cron.php?doing_wp_cron=1718043698.6080009937286376953125 HTTP/1.1" 200 0 "-" "WordPress/6.5.3; https://truyenthongdps.com"
172.69.65.211 - - [11/Jun/2024:01:21:37 +0700] "GET / HTTP/1.1" 200 34329 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.68.26.185 - - [11/Jun/2024:01:21:40 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.68.26.37 - - [11/Jun/2024:01:21:41 +0700] "GET / HTTP/1.1" 200 34331 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.69.65.34 - - [11/Jun/2024:01:21:45 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"

airween commented 5 months ago

> I found in /usr/local/lsws/logs/error.log
>
> 2024-06-10 12:33:01.730873 [NOTICE] Loading LiteSpeed/1.7.19 Open (lsquic 3.3.2, modgzip 1.1, cache 1.66, mod_security 1.4 (with libmodsecurity v3.0.12)) BUILD (built: Tue Apr 16 15:14:26 UTC 2024) ...
>
> Do you think I'm using mod_security version 1.4 or 3.0.12?

I think you use libmodsecurity3, version 3.0.12, and your LiteSpeed connector's version is 1.4.

> By "rule does not seem to work" I mean: after I placed the rule in /usr/local/lsws/conf/modsec/rules.conf and restarted OpenLiteSpeed, I made several requests by repeatedly crawling with the Facebook Debugger. However, all the requests still returned a status of 200, not the expected 429

There might be several reasons why your rules don't work:

Please note that the pause action is not supported in libmodsecurity3 - see the reference.

Could you try to turn on your debug.log, send a request, then check that log? Set the log level to 9. It's enough for a few requests.
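As an added example (not from the issue thread, the OpenLiteSpeed project or the ModSecurity project), here is the rate-limit rule from the opening post rewritten for the libmodsecurity3 build the error log shows, together with the debug-log directives airween asks for. The only change to the rule logic is dropping `pause:300`, which airween notes libmodsecurity3 does not support; the User-Agent match is moved to phase 1 since the header is already available there. Two caveats a practitioner should check: `Header always set Retry-After ... env=RATELIMITED` and `ErrorDocument 429 ...` are Apache httpd directives, not ModSecurity rule language, so placing them in rules.conf gives OpenLiteSpeed nothing to act on (a Retry-After header would have to come from the server's own configuration), and the debug-log path below is an assumption that must be writable by the server process.

```apacheconf
# Added example for /usr/local/lsws/conf/modsec/rules.conf on an OpenLiteSpeed
# host running libmodsecurity3. Not the project's own rules; the debug-log path
# is an assumption.

# Temporary: debug log at level 9 while reproducing. A handful of requests is
# enough; level 9 is extremely verbose, so lower it again afterwards.
SecDebugLog /usr/local/lsws/logs/modsec_debug.log
SecDebugLogLevel 9

# Rule 1: count requests from the facebookexternalhit crawler in the GLOBAL
# collection. The counter expires 3 seconds after the last increment, so the
# window is "hits within 3 s of each other".
SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" \
    "id:400009,\
    phase:1,\
    nolog,\
    pass,\
    setvar:global.ratelimit_facebookexternalhit=+1,\
    expirevar:global.ratelimit_facebookexternalhit=3"

# Rule 2: a second hit inside the window pushes the counter above 1 and is
# denied with 429. 'pause:300' from the original rule is removed because
# libmodsecurity3 does not implement the pause action. The chained rule
# re-checks the User-Agent so only the crawler itself is denied; the
# disruptive action on the first rule fires only if both rules match.
SecRule GLOBAL:RATELIMIT_FACEBOOKEXTERNALHIT "@gt 1" \
    "id:400010,\
    phase:1,\
    deny,\
    status:429,\
    log,\
    msg:'RATELIMITED BOT',\
    chain"
    SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit"
```

After restarting OpenLiteSpeed, send two requests within 3 seconds with a `facebookexternalhit` User-Agent and read the debug log: the rule-by-rule trace shows whether rules 400009 and 400010 are evaluated at all, whether the `@pm` match succeeds, and what the GLOBAL counter holds, which separates "rule file not loaded" from "rule loaded but not matching" before touching the rule logic again. If the rules evaluate but the counter never climbs across requests, check how your libmodsecurity3 build persists the GLOBAL collection between requests, since the rate limit depends on that state surviving.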

airween commented 1 month ago

@admiral504 is there anything we can help you with?