Assistance Required with ModSecurity Rule Compatibility for OpenLiteSpeed #3169

Open
admiral504 opened this issue Jun 9, 2024 · 4 comments
Labels
3.x Related to ModSecurity version 3.x help wanted

admiral504 commented Jun 9, 2024

I recently came across the following ModSecurity rule intended to limit client hits by user agent:

SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" \
    "id:400009,phase:2,nolog,pass,setvar:global.ratelimit_facebookexternalhit=+1,expirevar:global.ratelimit_facebookexternalhit=3"
SecRule GLOBAL:RATELIMIT_FACEBOOKEXTERNALHIT "@gt 1" \
    "chain,id:4000010,phase:2,pause:300,deny,status:429,setenv:RATELIMITED,log,msg:'RATELIMITED BOT'"
    SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit"
Header always set Retry-After "3" env=RATELIMITED
ErrorDocument 429 "Too Many Requests"

Unfortunately, this rule does not seem to work with OpenLiteSpeed. Could you please help me rewrite this ModSecurity rule to make it compatible with OpenLiteSpeed?

Thank you for your assistance.

@admiral504 admiral504 added the 2.x Related to ModSecurity version 2.x label Jun 9, 2024
Member

airween commented Jun 9, 2024

Hi @admiral504,

you've tagged this issue with 2.x, but as far as I know OpenLiteSpeed uses libmodsecurity3 - doesn't it?

Btw. would you take a look at our issue template, and fill the issue with the expected content?

Based on your report, there isn't any relevant information, e.g.: what's the problem? What do you see in your error log? What do you mean when you write "rule does not seems to work"?

Author

admiral504 commented Jun 11, 2024

> Hi @admiral504,
>
> you've tagged this issue with 2.x, but as far as I know OpenLiteSpeed uses libmodsecurity3 - doesn't it?
>
> Btw. would you take a look at our issue template, and fill the issue with the expected content?
>
> Based on your report, there isn't any relevant information, e.g.: what's the problem? What do you see in your error log? What do you mean when you write "rule does not seems to work"?

I found in /usr/local/lsws/logs/error.log

2024-06-10 12:33:01.730873 [NOTICE] Loading LiteSpeed/1.7.19 Open (lsquic 3.3.2, modgzip 1.1, cache 1.66, mod_security 1.4 (with libmodsecurity v3.0.12)) BUILD (built: Tue Apr 16 15:14:26 UTC 2024) ...

Do you think I'm using mod_security ver 1.4 or 3.0.12?

These packages come with cyberpanel install.

Rule does not seems to work
I mean, after I placed the rule in /usr/local/lsws/conf/modsec/rules.conf and then restarted OpenLiteSpeed. Afterward, I made several requests by repeatedly crawling at Facebook Debugger.
However, all the requests still returned a status of 200, not the expected 429

"172.68.26.8 - - [11/Jun/2024:01:21:31 +0700] "GET /robots.txt HTTP/1.1" 200 128 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)""
"172.71.174.164 - - [11/Jun/2024:01:21:32 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)""
"162.158.175.172 - - [11/Jun/2024:01:21:32 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)""
"172.71.166.170 - - [11/Jun/2024:01:21:34 +0700] "GET / HTTP/1.1" 200 34331 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)""
"172.68.26.185 - - [11/Jun/2024:01:21:36 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)""
"162.158.114.2 - - [11/Jun/2024:01:21:38 +0700] "POST /wp-cron.php?doing_wp_cron=1718043698.6080009937286376953125 HTTP/1.1" 200 0 "-" "WordPress/6.5.3; https://truyenthongdps.com""
"172.69.65.211 - - [11/Jun/2024:01:21:37 +0700] "GET / HTTP/1.1" 200 34329 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)""
"172.68.26.185 - - [11/Jun/2024:01:21:40 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)""
"172.68.26.37 - - [11/Jun/2024:01:21:41 +0700] "GET / HTTP/1.1" 200 34331 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)""
"172.69.65.34 - - [11/Jun/2024:01:21:45 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"".

Member

airween commented Jun 19, 2024

> I found in /usr/local/lsws/logs/error.log
>
> 2024-06-10 12:33:01.730873 [NOTICE] Loading LiteSpeed/1.7.19 Open (lsquic 3.3.2, modgzip 1.1, cache 1.66, mod_security 1.4 (with libmodsecurity v3.0.12)) BUILD (built: Tue Apr 16 15:14:26 UTC 2024) ...
>
> Do you think I'm using mod_security ver 1.4 or 3.0.12?

I think you use libmodsecurity3, version 3.0.12, and your LiteSpeed connector's version is 1.4.

> Rule does not seems to work I mean, after I placed the rule in /usr/local/lsws/conf/modsec/rules.conf and then restarted OpenLiteSpeed. Afterward, I made several requests by repeatedly crawling at Facebook Debugger. However, all the requests still returned a status of 200, not the expected 429

There might be several reasons why your rules don't work:

  • your engine is turned off/in detection only mode (see SecRuleEngine settings)
  • your rule's condition does not match with parameters

Please note that the pause action is not supported in libmodsecurity3 - see the reference.

Could you try to turn on your debug.log, and send a request, then check that log? Set the loglevel to 9. It's enough for a few requests.
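
As a baseline for that debug-log check, the following added example (not part of the thread or of ModSecurity) replays the access-log entries quoted earlier through the logic the posted rules describe: one global counter per matching User-Agent hit, dropped 3 seconds after the last hit, deny with 429 once it exceeds 1. The names `ACCESS_LOG`, `ENTRY` and `simulate` are chosen here, and treating the counter as expired when exactly 3 seconds have passed is an assumption.

```python
import re
from datetime import datetime

# Entries copied from the access log quoted in the thread (outer quotes dropped).
ACCESS_LOG = """\
172.68.26.8 - - [11/Jun/2024:01:21:31 +0700] "GET /robots.txt HTTP/1.1" 200 128 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.71.174.164 - - [11/Jun/2024:01:21:32 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
162.158.175.172 - - [11/Jun/2024:01:21:32 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.71.166.170 - - [11/Jun/2024:01:21:34 +0700] "GET / HTTP/1.1" 200 34331 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.68.26.185 - - [11/Jun/2024:01:21:36 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
162.158.114.2 - - [11/Jun/2024:01:21:38 +0700] "POST /wp-cron.php?doing_wp_cron=1718043698.6080009937286376953125 HTTP/1.1" 200 0 "-" "WordPress/6.5.3; https://truyenthongdps.com"
172.69.65.211 - - [11/Jun/2024:01:21:37 +0700] "GET / HTTP/1.1" 200 34329 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.68.26.185 - - [11/Jun/2024:01:21:40 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.68.26.37 - - [11/Jun/2024:01:21:41 +0700] "GET / HTTP/1.1" 200 34331 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
172.69.65.34 - - [11/Jun/2024:01:21:45 +0700] "GET / HTTP/1.1" 200 34326 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
"""

# Combined log format: [timestamp] "request" status bytes "referer" "user-agent"
ENTRY = re.compile(
    r'\[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def simulate(log_text, needle="facebookexternalhit", window=3, limit=1):
    """Return (timestamp, served_status, expected_status) per matching entry."""
    count, expires, rows = 0, None, []
    for m in ENTRY.finditer(log_text):
        if needle not in m["ua"].lower():      # @pm is a case-insensitive match
            continue                           # other agents never touch the counter
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if expires is not None and now >= expires:
            count = 0                          # expirevar: counter gone (assumed boundary)
        count += 1                             # setvar:global.ratelimit_...=+1
        expires = now + window                 # expirevar re-armed on every hit
        expected = 429 if count > limit else 200   # "@gt 1" -> deny,status:429
        rows.append((m["ts"], int(m["status"]), expected))
    return rows


if __name__ == "__main__":
    for ts, served, expected in simulate(ACCESS_LOG):
        flag = "" if served == expected else "  <-- rule did not act"
        print(f"{ts}  served={served}  expected={expected}{flag}")
```

Every line it flags is a request where the engine either never evaluated the rules or never matched them, which is the distinction the level 9 debug log settles.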

@marcstern marcstern added 3.x Related to ModSecurity version 3.x help wanted and removed 2.x Related to ModSecurity version 2.x labels Oct 3, 2024
Member

airween commented Oct 14, 2024

@admiral504 is there anything we can help you with?
