Install Modsecurity to Directadmin with LiteSpeed Server (Custombuild)

CustomBuild – options.conf

Go to Custombuild folder ( /usr/local/directadmin/custombuild ) and Change options.conf file

modsecurity=yes
modsecurity_ruleset=none

Configuration file – malware_expert.conf

Generate custom folder first, where we put malware_expert.conf configuration file:

[root@directadmin]# cd /usr/local/directadmin/custombuild
[root@directadmin]# mkdir custom
[root@directadmin]# mkdir custom/modsecurity
[root@directadmin]# mkdir custom/modsecurity/conf

Add new file malware_expert.conf to custom/modsecurity/conf folder:

[root@directadmin]# nano -w /usr/local/directadmin/custombuild/custom/modsecurity/conf/malware_expert.conf

Add line to file and replace SerialKey with your subscription serial key!

SecRemoteRules SerialKey https://rules.malware.expert/download.php?rules=generic

NOTE! Make sure you update custombuild:

[root@directadmin]# ./build modsecurity_rules

ModSecurity is built-in with LiteSpeed, there is no need to install it.
ModSecurity has been installed successfully.
Copying custom ModSecurity rules to /etc/modsecurity.d/...
Installation of ModSecurity Rule Set has been finished.

and check that custombuild add malware_expert.conf file to /etc/modsecurity.d/ folder

Litespeed

Go to LiteSpeed Web Server Administrator panel:

Litespeed – Configuration – Server

Go to Security tab:

Go to bottom page: Web Application Firewall (WAF) and edit:

Litespeed – Configuration – Manual fix

Check out /etc/httpd/conf/httpd.conf configuration file, if there missing this Include:

# ModSecurity to LiteSpeed (need manually add to bottom of file)
Include conf/extra/httpd-modsecurity.conf

Litespeed – Restart

Restart LiteSpeed Web Server in Admin panel:

Testing rules

In /var/log/httpd/error_log file you should see:

2017-09-29 07:35:39.977 [INFO] Processing config file: /etc/httpd/conf/extra/httpd-modsecurity.conf
2017-09-29 07:35:39.977 [INFO] Processing config directory: /etc/modsecurity.d

If you but server address or ip in web browser:

http://fqdn.server.address/?malware_expert_test_rule

Refresh page twice, because LiteSpeed load rules after first request (feature, not bug).