Security Configuration¶

Set up Site Authentication¶

Authentication is the process of confirming a user's identity, and it provides a way to ensure that only legitimate users can create content on your site. The steps in the methods below (WebAdmin Console and By Hand) are interchangeable. You can manually create a database file and then load it via the WebAdmin Console, or vice versa.

WebAdmin Console¶

There are three steps in this method: 1. Create Authorization Realms Database 2. Create Authorized User 3. Add Access Required by Context

Create Authorization Realms Database¶

To create a new Authorization Realm for Virtual Host Example, navigate to Virtual Hosts > Example > Security and click Add.

Set DB Type to Password File.

Set:

1. Realm name, e.g. TEST
2. DB Location, e.g. $VH_ROOT/conf/TESTDB

Create Authorized User¶

Set User/Password, e.g. TEST/TEST

Add Access Required by Context¶

Add a Context and select type as Static

Set:

1. URI /
2. Location $VH_ROOT/html/
3. Accessible Yes
4. Realm TEST
5. Access Allowed *

By Hand¶

There are two steps to this method:

1. Create Account Through htpasswd
2. Add Access Required by htaccess

Create Account Through htpasswd¶

Run the following command to generate TESTDB file from console, making sure this file and its parent directory are both readable for the web server user (typically nobody or apache):

htpasswd -c /PATH_YOU_WANT/TESTDB TEST

Then enter the password (e.g.TEST) two times.

Add Access Required by htaccess¶

Add the following rules into your .htaccess file.

AuthType Basic
AuthName "My Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

• AuthName can be set to anything, e.g. TEST
• AuthUserFile needs a valid file, e.g./usr/local/lsws/DEFAULT/conf/TESTDB

How to Verify¶

Access the site. It will require an authorized login.

ModSecurity and Cache¶

When a page is cached, it is not scanned through the ModSecurity engine again. ModSecurity scans can be CPU intensive, and are best avoided in the interest of superior performance. In many cases it is not necessary to scan a static request anyway.

However, you may have a reason to block certain requests based on server environment variables, for example, requests submitted by a particular user agent, or requests that have a specific query string attached.

In ModSecurity, you may have a rule like this:

SecRule REQUEST_HEADERS:User-Agent "abc"
"id:1000001,phase:1,log,deny,status:403,msg:'Blocking exact User-Agent abc'"

For cache misses that are processed through the ModSecurity engine, this rule will block the request for user agent abc. But if the requested page is already cached, it will not be processed again through ModSecurity, and the request will not be blocked.

The Cache Engine always takes precedence over the ModSecurity engine. For a cache hit, the content is served directly from cache, bypassing any other processing.

To work around this for our user-agent example above, we can use the Rewrite Engine, or the SetEnvIf method.

The only drawback to using either of these methods instead of ModSecurity is that any denied requests are not going to show up in ModSecurity's audit log. They will appear in your access log, though.

Rewrite Rule¶

The ModSecurity rule above would look like this as a rewrite rule:

<IfModule LiteSpeed>
RewriteCond %{HTTP_USER_AGENT} abc [NC]
RewriteRule ^ - [F,L]
</IfModule>

Restart LSWS to put this rule into effect.

SetEnvIf¶

We can use SetEnvIf to reproduce the ModSecurity example rule like this:

<IfModule LiteSpeed>
SetEnvIfNoCase User-Agent "abc" block_bot
Order allow,deny
Allow from all
Deny from env=block_bot
</IfModule>

Restart LSWS to put this into effect.

Block a Bot Attack¶

Your server may experience heavy hits from bots. Here are three different examples of bot attacks and how to block them using rewrite rules.

"BUbiNG" bot¶

The "BUbiNG" bot can cause a massive load spike in the server. To prevent further problems, you can deny the BUbiNG user agent globally.

Use a rewrite rule to detect the user agent, and set the environment with the action [E=blockbot]. This will drop the direct connection from that client IP.

Add the following to the .htaccess of your example.com domain:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "BUbiNG"
RewriteRule .* - [E=blockbot:1]

To verify that the rules are effectively blocking the user agent, you can run the following command:

curl -A "BUbiNG" example.com

If your rules need further debugging, you can enable the rewrite log for more details.

"xmlrpc.php" bot¶

In this example, cPanel Piped Logging was configured to push entries to /usr/local/apache/logs/error_log. The log shows many entries like this:

404 File not found [/var/www/html/xmlrpc.php]

Because these requests look like they are being processed by the default virtual host, LiteSpeed's WordPress Protection feature is not triggered.

To block this bot, locate the virtual host serving the requests, and add a vhost-level rewrite rule to drop the connection using [E=blockbot]:

RewriteRule ^/xmlrpc.php - [E=blockbot:1]

Cookie Bots¶

If the bots are cookie related, you can also try a rule like the following, and tailor it to what you need:

RewriteCond %{HTTP_COOKIE} yourcookiename
RewriteRule .* - [F]

Anti-DDoS for ConfigServer or iptables¶

LiteSpeed Web Server's Anti-DDoS feature can be used to modify a firewall via ifconfig and ipset to block suspicious IPs. This guide explains how to integrate this feature with either ConfigServer Security & Firewall (CSF), or iptables.

LiteSpeed Web Server Configuration¶

Log into your WebAdmin Console at https://SERVER_IP:7080. Navigate to Configuration > Security.

Set Enable Anti-DDoS Protection and Enable Firewall Modifications to Yes to enable Anti-DDoS protection.

ConfigServer Security & Firewall Configuration¶

For csf, create the file /etc/csf/csfpost.sh, and add the following content:

#!/bin/bash
ipset create ls-anti-ddos hash:ip hashsize 4096
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT

Reload with the command csf -r.

iptables Configuration¶

For iptables, run the following commands to set up the list and rules:

ipset create ls-anti-ddos hash:ip hashsize 4096
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT

Verify the script works as intended by checking with the ipset list command. You should see two blocks: ls-anti-ddos and ls-quic-ports.

[root@test]# ipset list
...
...
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65680
References: 2
Members:

Name: ls-quic-ports
Type: bitmap:port
Revision: 1
Header: range 0-65535
Size in memory: 524432
References: 1
Members:

Test¶

There are several cases where LiteSpeed will consider an incoming request suspicious. For example, a failed reCAPTCHA test, or a badly formatted request.

For demonstration purposes, we will use a reCAPTCHA failed verification to trigger the block. So, if a visitor fails to verify repeatedly in a short period of time, the firewall block will be triggered and a log generated, like this one:

[root@test logs]# grep ipset error.log
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 192.0.2.0 ', ret: -1, status: 0

If you run ipset list again, you will see content like this:

Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65696
References: 1
Members:
192.0.2.0

The block on the IP will be removed in 10 minutes, if the suspicious behavior stops. At that point, you should see this in the log:

2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 192.0.2.0 ', ret: -1, status: 0

Cipher Configuration¶

In a control-panel environment, ciphers are configured via the Apache configuration. Please refer to your control panel's documentation for instructions.

You can configure ciphers in a LiteSpeed Native environment via the WebAdmin Console.

Server-Level Cipher¶

Navigate to Server > Tuning > SSL Global Settings and update the value of Default Cipher Suite. This server-level cipher will be applied to all virtual hosts unless it is overridden by a virtual-host-level cipher configuration.

Virtual Host Cipher¶

Virtual-host-level ciphers are configured at Virtual Host > SSL > Virtual Host SSL Protocol > Ciphers. When you set an SSL certificate at the domain level, the SSL handshake uses SNI mode to switch to the domain-level SSL configuration.

Listener-Level Cipher¶

Listener level ciphers can be configured at Listeners > 443 Listener > SSL > SSL Protocol > Ciphers. The listener-level configuration is never used with domain names, like https://example.com, as they are handled at the virtual-host level or the server level. The listener-level cipher is used when there is no domain-level configuration, as with requests addressed to IPs like https://192.0.2.0/.

chroot Jail¶

chroot is a function on Unix-like systems which can change the root directory of a process. A changed root process and its child processes cannot access any file beyond the new root directory. It is like putting a process in a jail with physical file access boundaries. Fittingly, this mechanism is often referred to as "chroot jail".

Why chroot a web server?¶

chroot is a great way to enhance the security of any web-facing server. It is not possible to guarantee that a system will never be compromised by a hacker. However, by running the server inside a chroot jail, potential damage can be minimized.

How to set up chroot environment¶

LiteSpeed Web Server has built-in chroot support which can automatically build a working chroot environment with PHP support at installation time, and provide a general tool to help you identify missing files required by a CGI application.