Security Configuration¶
Set up Site Authentication¶
Authentication is the process of confirming a user's identity, and it provides a way to ensure that only legitimate users can create content on your site. The steps in the methods below (WebAdmin Console and By Hand) are interchangeable. You can manually create a database file and then load it via the WebAdmin Console, or vice versa.
WebAdmin Console¶
There are three steps in this method: 1. Create Authorization Realms Database 2. Create Authorized User 3. Add Access Required by Context
Create Authorization Realms Database¶
To create a new Authorization Realm for Virtual Host Example
, navigate to Virtual Hosts > Example > Security and click Add.
Set DB Type to Password File
.
Set:
- Realm name, e.g.
TEST
- DB Location, e.g.
$VH_ROOT/conf/TESTDB
Create Authorized User¶
Set User/Password, e.g. TEST
/TEST
Add Access Required by Context¶
Add a Context and select type as Static
Set:
- URI
/
- Location
$VH_ROOT/html/
- Accessible
Yes
- Realm
TEST
- Access Allowed
*
By Hand¶
There are two steps to this method:
- Create Account Through
htpasswd
- Add Access Required by
htaccess
Create Account Through htpasswd¶
Run the following command to generate TESTDB
file from console, making sure this file and its parent directory are both readable for the web server user (typically nobody
or apache
):
htpasswd -c /PATH_YOU_WANT/TESTDB TEST
Then enter the password (e.g.TEST
) two times.
Add Access Required by htaccess¶
Add the following rules into your .htaccess file.
AuthType Basic
AuthName "My Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
AuthName
can be set to anything, e.g.TEST
AuthUserFile
needs a valid file, e.g./usr/local/lsws/DEFAULT/conf/TESTDB
How to Verify¶
Access the site. It will require an authorized login.
ModSecurity and Cache¶
When a page is cached, it is not scanned through the ModSecurity engine again. ModSecurity scans can be CPU intensive, and are best avoided in the interest of superior performance. In many cases it is not necessary to scan a static request anyway.
However, you may have a reason to block certain requests based on server environment variables, for example, requests submitted by a particular user agent, or requests that have a specific query string attached.
In ModSecurity, you may have a rule like this:
SecRule REQUEST_HEADERS:User-Agent "abc"
"id:1000001,phase:1,log,deny,status:403,msg:'Blocking exact User-Agent abc'"
For cache misses that are processed through the ModSecurity engine, this rule will block the request for user agent abc
. But if the requested page is already cached, it will not be processed again through ModSecurity, and the request will not be blocked.
The Cache Engine always takes precedence over the ModSecurity engine. For a cache hit, the content is served directly from cache, bypassing any other processing.
To work around this for our user-agent example above, we can use the Rewrite Engine, or the SetEnvIf
method.
Tip
A rewrite rule is better to use at the virtual host level. It should be added to the vhost configuration file.
If you need the rule globally, SetEnvIf
is the better option, as it is faster and uses fewer resources than ModSecurity.
The only drawback to using either of these methods instead of ModSecurity is that any denied requests are not going to show up in ModSecurity's audit log. They will appear in your access log, though.
Rewrite Rule¶
The ModSecurity rule above would look like this as a rewrite rule:
<IfModule LiteSpeed>
RewriteCond %{HTTP_USER_AGENT} abc [NC]
RewriteRule ^ - [F,L]
</IfModule>
Restart LSWS to put this rule into effect.
SetEnvIf¶
We can use SetEnvIf
to reproduce the ModSecurity example rule like this:
<IfModule LiteSpeed>
SetEnvIfNoCase User-Agent "abc" block_bot
Order allow,deny
Allow from all
Deny from env=block_bot
</IfModule>
Restart LSWS to put this into effect.
Block a Bot Attack¶
Your server may experience heavy hits from bots. Here are three different examples of bot attacks and how to block them using rewrite rules.
"BUbiNG" bot¶
The "BUbiNG" bot can cause a massive load spike in the server. To prevent further problems, you can deny the BUbiNG
user agent globally.
Use a rewrite rule to detect the user agent, and set the environment with the action [E=blockbot]
. This will drop the direct connection from that client IP.
Add the following to the .htaccess
of your example.com
domain:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "BUbiNG"
RewriteRule .* - [E=blockbot:1]
To verify that the rules are effectively blocking the user agent, you can run the following command:
curl -A "BUbiNG" example.com
If your rules need further debugging, you can enable the rewrite log for more details.
"xmlrpc.php" bot¶
In this example, cPanel Piped Logging was configured to push entries to /usr/local/apache/logs/error_log
. The log shows many entries like this:
404 File not found [/var/www/html/xmlrpc.php]
Because these requests look like they are being processed by the default virtual host, LiteSpeed's WordPress Protection feature is not triggered.
To block this bot, locate the virtual host serving the requests, and add a vhost-level rewrite rule to drop the connection using [E=blockbot]
:
RewriteRule ^/xmlrpc.php - [E=blockbot:1]
Warning
Do not apply the above rewrite rule at the server level since it will block everyone accessing xmlrpc.php
globally.
Cookie Bots¶
If the bots are cookie related, you can also try a rule like the following, and tailor it to what you need:
RewriteCond %{HTTP_COOKIE} yourcookiename
RewriteRule .* - [F]
Anti-DDoS for ConfigServer or iptables¶
Note
This feature is only available under a Web Host Elite license!
LiteSpeed Web Server's Anti-DDoS feature can be used to modify a firewall via ifconfig
and ipset
to block suspicious IPs. This guide explains how to integrate this feature with either ConfigServer Security & Firewall (CSF), or iptables.
LiteSpeed Web Server Configuration¶
Log into your WebAdmin Console at https://SERVER_IP:7080
. Navigate to Configuration > Security.
Set Enable Anti-DDoS Protection and Enable Firewall Modifications to Yes
to enable Anti-DDoS protection.
ConfigServer Security & Firewall Configuration¶
For csf, create the file /etc/csf/csfpost.sh
, and add the following content:
#!/bin/bash
ipset create ls-anti-ddos hash:ip hashsize 4096
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
Reload with the command csf -r
.
iptables Configuration¶
For iptables, run the following commands to set up the list and rules:
ipset create ls-anti-ddos hash:ip hashsize 4096
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
Verify the script works as intended by checking with the ipset list
command. You should see two blocks: ls-anti-ddos and ls-quic-ports.
[root@test]# ipset list
...
...
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65680
References: 2
Members:
Name: ls-quic-ports
Type: bitmap:port
Revision: 1
Header: range 0-65535
Size in memory: 524432
References: 1
Members:
Test¶
There are several cases where LiteSpeed will consider an incoming request suspicious. For example, a failed reCAPTCHA test, or a badly formatted request.
For demonstration purposes, we will use a reCAPTCHA failed verification to trigger the block. So, if a visitor fails to verify repeatedly in a short period of time, the firewall block will be triggered and a log generated, like this one:
[root@test logs]# grep ipset error.log
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 192.0.2.0 ', ret: -1, status: 0
If you run ipset list
again, you will see content like this:
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65696
References: 1
Members:
192.0.2.0
The block on the IP will be removed in 10 minutes, if the suspicious behavior stops. At that point, you should see this in the log:
2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 192.0.2.0 ', ret: -1, status: 0
Cipher Configuration¶
In a control-panel environment, ciphers are configured via the Apache configuration. Please refer to your control panel's documentation for instructions.
You can configure ciphers in a LiteSpeed Native environment via the WebAdmin Console.
Server-Level Cipher¶
Navigate to Server > Tuning > SSL Global Settings and update the value of Default Cipher Suite. This server-level cipher will be applied to all virtual hosts unless it is overridden by a virtual-host-level cipher configuration.
Virtual Host Cipher¶
Virtual-host-level ciphers are configured at Virtual Host > SSL > Virtual Host SSL Protocol > Ciphers. When you set an SSL certificate at the domain level, the SSL handshake uses SNI mode to switch to the domain-level SSL configuration.
Listener-Level Cipher¶
Listener level ciphers can be configured at Listeners > 443 Listener > SSL > SSL Protocol > Ciphers. The listener-level configuration is never used with domain names, like https://example.com
, as they are handled at the virtual-host level or the server level. The listener-level cipher is used when there is no domain-level configuration, as with requests addressed to IPs like https://192.0.2.0/
.
chroot Jail¶
chroot
is a function on Unix-like systems which can change the root directory of a process. A changed root process and its child processes cannot access any file beyond the new root directory. It is like putting a process in a jail with physical file access boundaries. Fittingly, this mechanism is often referred to as "chroot jail".
Why chroot a web server?¶
chroot
is a great way to enhance the security of any web-facing server. It is not possible to guarantee that a system will never be compromised by a hacker. However, by running the server inside a chroot jail, potential damage can be minimized.
How to set up chroot environment¶
LiteSpeed Web Server has built-in chroot
support which can automatically build a working chroot environment with PHP support at installation time, and provide a general tool to help you identify missing files required by a CGI application.