Read More

Server Security

Table of Contents

Anti-DDoS Protection

Enable Anti-DDoS Protection | Enable Firewall Modifications

WordPress Brute Force Attack Protection

Protection Mode | Allowed Login Attempts | Trust Jetpack

Web Application Firewall (WAF)

Enable WAF | Log Level | Default Action | Scan Request Body | Temporary File Path | Temporary File Permissions | Enable Security Audit Log | Security Audit Log

Web Application Firewall (WAF) Rule Set

Name | Rule Set Action | Enabled | Rules Definition

Per Client Throttling

Requests/Second | Outbound Bandwidth (bytes/sec) | Inbound Bandwidth (bytes/sec) | Connection Soft Limit | Connection Hard Limit | Block Bad Request | Grace Period (sec) | Banned Period (sec)

reCAPTCHA Protection

Enable reCAPTCHA | Site Key | Secret Key | reCAPTCHA Type | Max Tries | Allowed Robot Hits | Bot White List | Connection Limit | SSL Connection Limit

Access Control

Allowed List | Denied List

Enable Anti-DDoS Protection

Description

This will enable bot detection and address them by denying or redirecting the client to reCAPTCHA. If firewall is enabled, the client IP will be denied at the firewall level.

Default value is Yes.

Syntax

Select from radio box

Enable Firewall Modifications

Description

Enable firewall modifications via iptables. iptables must be enabled on this system for this setting to take effect.

If ipset is also installed and enabled on this system, it will be used to more efficiently manage firewall rulesets for iptables.

Default value is Yes.

Syntax

Select from radio box

Tips

ipset should be installed and enabled on the system to more efficiently manage firewall rulesets for iptables.

Protection Mode

Description

Specifies the action to be taken when the specified Allowed Login Attempts limit is reached within 5 minutes.

Throttle gradually slows down the speed of the server response, Drop severs the connection without any reply, Deny returns a 403 response, and CAPTCHA or Drop redirects to a CAPTCHA if reCAPTCHA Protection is enabled and drops otherwise.

WP Login CAPTCHA Full Protection can also be selected. This setting will redirect to a CAPTCHA if ReCAPTCHA Protection is enabled regardless of Allowed Login Attempts limit and falls back to use Throttle otherwise.

Default values:
Server level: Throttle
VH level: Inherit Server level setting. If Server level is set to Disable, Throttle will be used.

Syntax

Select from drop down list

Tips

Trusted IPs or sub-networks are not affected.
This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive WordPressProtect with value 0 (disabled), 1 (use server level setting), throttle, deny, or drop.

Allowed Login Attempts

Description

Specifies the maximum number of wp-login.php and xmlrpc.php POST attempts allowed by an IP within 5 minutes before the action specified in Protection Mode is taken.

This limit is handled using a quota system where remaining attempts = limit. Each POST attempt will decrease the number of remaining attempts by 1, with the number of remaining attempts increasing back to the set limit over time. An IP will be throttled once the number of remaining attempts for that IP falls to 1/2 the set limit, throttling more as the remaining attempts drops further below the 1/2 mark. When remaining attempts reaches 0, the specified action is taken toward the IP.

In addition to this, if Enable reCAPTCHA is also enabled, an additional per worker protection will be added. If wp-login.php and xmlrpc.php are visited by the same worker at a rate of 4x the set limit in a 30 second time frame, those URLs will be put into reCAPTCHA mode until the number of visits to these files decreases.

Resetting the server will clear blocked IPs.

Default values:
Server-level: 10
VH-Level: Inherit Server level setting

Syntax

Valid Range: 3 - 1000.

Example

With an Attempt limit of 10, and a Mode of drop:

After the first POST attempt, the quota is decreased to 9.

Quota decreases by 1 for each POST attempt.

After Quota reaches half of the limit (5), the IP will be throttled.

Throttling will get worse with each POST attempt.

Once the quota reaches 0, the connection will be dropped.

Tips

Trusted IPs or sub-networks are not affected.

This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive WordPressProtect with integer value between 3 and 1000.

Trust Jetpack

Description

Automatically set Jetpack IPs as VHost trusted. Jetpack IPs list is updated dynamically on a daily basis.

Default values:
Server level: No
VH level: Inherit Server level setting.

Syntax

Select from drop down list

Enable WAF

Description

Specifies whether to enable request content deep inspection. This feature is equivalent to Apache's mod_security, which can be used to detect and block requests with ill intention by matching them to known signatures.

Syntax

Select from radio box

Log Level

Description

Specifies the level of detail of the Web Application Firewall engine's debug output. This value ranges from 0 - 9. 0 disables logging. 9 produces the most detailed log. The the server and virtual host's error log Log Level must be set to at least INFO for this option to take effect. This is useful when testing request filtering rules.

Syntax

Integer number

See Also

Server Log Level, Virtual Host Log Level

Default Action

Description

Specifies the default actions that should be taken when a censoring rule is met. Default value is deny,log,status:403, which means to deny access with status code 403 and log the incident in the error log.

See Also

Rule Set Action

Scan Request Body

Description

Specifies whether to check the body of an HTTP POST request. Default is "No".

Syntax

Select from radio box

Temporary File Path

Description

Temporary directory where files being uploaded to server will be stored while request body parser is working. Default value is /tmp.

Syntax

Absolute path or path starting with $SERVER_ROOT (for Server and VHost levels).

Temporary File Permissions

Description

Global setting determining file permissions used for files stored in the Temporary File Path directory.

Syntax

3 digits octet number. Default value is 666.

Enable Security Audit Log

Description

Specifies whether to enable audit logging and in what format (Native, JSON, or Pretty JSON). This feature is equivalent to Apache's mod_security audit engine.

If this setting is enabled and the Security Audit Log setting is set, detailed request information will be saved.

Syntax

Select from drop down list

See Also

Security Audit Log

Security Audit Log

Description

Specifies the path of the security audit log, which gives more detailed information. This extra information can be useful if, for example, you wish to track the actions of a particular user. Use Enable Security Audit Log to turn on the logging.

Syntax

Filename which can be an absolute path or a relative path to $SERVER_ROOT.

See Also

Enable Security Audit Log

Web Application Firewall (WAF) Rule Set

Description

Rules configured here only work for virtual hosts configured with a native LSWS configuration, not for virtual hosts using Apache httpd.conf.

Name

Description

Give a group of censorship rules a name. For display only.

Syntax

String

Enabled

Description

Specifies whether to enable this rule set. With this option, a rule set can be quickly turned on and off without adding or removing the rule set. Default is "Yes".

Syntax

Select from radio box

Rules Definition

Description

Specifies a list of censorship rules.

Syntax

String. Syntax of censoring rules follows that of Apache's mod_security directives. "SecFilter", "SecFilterSelective", and "SecRule" can be used here. You can copy and paste security rules from an Apache configuration file.

For more details about rule syntax, please refer to the Mod Security documentation.

Tips

Rules configured here only work for vhosts configured in native LSWS configuration, not for vhosts from Apache httpd.conf.

Per Client Throttling

Description

These are connection control setting on a per client/IP basis. These settings help to mitigate DoS (Denied of Service) and DDoS (Distributed Denied of Service) attacks.

Requests/Second

Description

Specifies the maximum number of requests for dynamically generated content coming from a single IP address that can be processed in each second, regardless of the number of connections established. When this limit is reached, all future requests for dynamic content are tar-pitted until the next second. The per client request limit can be set at the server or virtual host level where virtual host level settings override server level settings.

Syntax

Integer number

Tips

Trusted IPs or sub-networks are not effected

Outbound Bandwidth (bytes/sec)

Description

The maximum allowed outgoing throughput to a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 4KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.

Syntax

Integer number

Tips

Set the bandwidth in 8KB units for better performance.

Trusted IPs or sub-networks are not affected.

See Also

Inbound Bandwidth (bytes/sec)

Inbound Bandwidth (bytes/sec)

Description

The maximum allowed incoming throughput from a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 1KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.

Syntax

Integer number

Tips

Trusted IPs or sub-networks are not affected.

See Also

Outbound Bandwidth (bytes/sec)

Connection Soft Limit

Description

Specifies the soft limit of concurrent connections allowed from one IP. This soft limit can be exceeded temporarily during Grace Period (sec) as long as the number is below the Connection Hard Limit, but Keep-Alive connections will be closed as soon as possible until the number of connections is lower than the limit. If number of connections is still over the limit after the Grace Period (sec), that IP will be blocked for the Banned Period (sec).

For example, if a page contains many small graphs, the browser may try to set up many connections at same time, especially for HTTP/1.0 clients. You would want to allow those connections for a short period.

HTTP/1.1 clients may also set up multiple connections to speed up downloading and SSL requires separate connections from non-SSL connections. Make sure the limit is set properly, as not to adversely affect normal service. The recommended limit is between 5 and 10.

Syntax

Integer number

Tips

A lower number will enable serving more distinct clients.
Trusted IPs or sub-networks are not affected.
Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.

Connection Hard Limit

Description

Specifies the maximum number of allowed concurrent connections from a single IP address. This limit is always enforced and a client will never be able to exceed this limit. HTTP/1.0 clients usually try to set up as many connections as they need to download embedded content at the same time. This limit should be set high enough so that HTTP/1.0 clients can still access the site. Use Connection Soft Limit to set the desired connection limit.

The recommended limit is between 20 and 50 depending on the content of your web page and your traffic load.

Syntax

Integer number

Tips

A lower number will enable serving more distinct clients.
Trusted IPs or sub-networks are not affected.
Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.

Block Bad Request

Description

Block IPs that keep sending badly-formated HTTP requests for the Banned Period (sec). Default is Yes. This helps to block botnet attacks that repeatedly sending junk requests.

Syntax

Select from radio box

Grace Period (sec)

Description

Specifies how long new connections can be accepted after the number of connections established from one IP is over the Connection Soft Limit. Within this period, new connections will be accepted if the total connections is still below the Connection Hard Limit. After this period has elapsed, if the number of connections still higher than the Connection Soft Limit, then the offending IP will be blocked for the Banned Period (sec).

Syntax

Integer number

Tips

Set to a proper number big enough for downloading a complete page but low enough to prevent deliberate attacks.

Banned Period (sec)

Description

Specifies how long new connections will be rejected from an IP if, after the Grace Period (sec) has elapsed, the number of connections is still more than the Connection Soft Limit. If IPs are getting banned repeatedly, we suggest that you increase your banned period to stiffen the penalty for abuse.

Syntax

Integer number

reCAPTCHA Protection

Description

reCAPTCHA Protection is a service provided as a way to mitigate heavy server load. reCAPTCHA Protection will activate after one of the below situations is hit. Once active, all requests by NON TRUSTED(as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.

The following situations will activate reCAPTCHA Protection:
1. The server or vhost concurrent requests count passes the configured connection limit.
2. Anti-DDoS is enabled and a client is hitting a url in a suspicious manner. The client will redirect to reCAPTCHA first instead of getting denied when triggered.
3. WordPress Brute Force Attack Protection is enabled and action is set to 'CAPTCHA or Drop’. When a brute force attack is detected, the client will redirect to reCAPTCHA first. After max tries is reached, the connection will be dropped, as per the ‘drop’ option.
4. WordPress Brute Force Attack Protection is enabled and action is set to 'WP Login CAPTCHA Full Protection'. The client will always redirect to reCAPTCHA first.
5. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.

Enable reCAPTCHA

Description

Enable the reCAPTCHA Protection feature at the current level. This setting must be set to Yes at the Server level before the reCAPTCHA Protection feature can be used.

Default values:
Server-level: Yes
VH-Level: Inherit Server level setting

Syntax

Select from radio box

Site Key

Description

The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.

Secret Key

Description

The secret key is the private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.

reCAPTCHA Type

Description

Specify the reCAPTCHA type to use with the key pairs. If a key pair has not been provided and this setting is set to Not Set, a default key pair of type Invisible will be used.
Checkbox will display a checkbox reCAPTCHA for the visitor to validate.
Invisible will attempt to validate the reCAPTCHA automatically and if successful, will redirect to the desired page.

Default value is Invisible.

Syntax

Select from drop down list

Max Tries

Description

Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.

Default value is 3.

Syntax

Integer number

Allowed Robot Hits

Description

Number of hits per 10 seconds to allow ‘good bots’ to pass. Bots will still be throttled when the server is under load.

Default value is 3.

Syntax

Integer number

Bot White List

Description

List of custom user agents to allow access. Will be subject to the ‘good bots’ limitations, including allowedRobotHits.

Syntax

List of user agents, one per line. Regex is supported.

Connection Limit

Description

The number of concurrent connections (SSL & non-SSL) needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number.

Default value is 15000.

Syntax

Integer number

SSL Connection Limit

Description

The number of concurrent SSL connections needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number.

Default value is 10000.

Syntax

Integer number

Access Control

Description

Specifies what sub networks and/or IP addresses can access the server. At the server level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.

Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. If you want to block only certain IPs or sub-networks, put * or ALL in the Allowed List and list the blocked IPs or sub-networks in the Denied List. If you want to allow only certain IPs or sub-networks, put * or ALL in the Denied List and list the allowed IPs or sub-networks in the Allowed List. The setting of the smallest scope that fits for an IP will be used to determine access.

Server Level: Trusted IPs or sub-networks must be specified in the Allowed List by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.

Tips

Use this at the server level for general restrictions that apply to all virtual hosts.

Allowed List

Description

Specifies the list of IPs or sub-networks allowed. * or ALL are accepted.

Syntax

Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as 192.168.1.*T.

Example

Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64

Tips

Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.

Denied List

Description

Specifies the list of IPs or sub-networks disallowed.

Syntax

Comma delimited list of IP addresses or sub-networks. * or ALL are accepted.

Example

Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64

Privacy Policy

Privacy Policy

LiteSpeed Technologies, Inc. (aka “LiteSpeed”) is committed to protecting your privacy. This policy ("Privacy Policy" or "Policy") explains our practices for our site, www.litespeedtech.com ("Site"). You can visit most pages of the Site without giving us any information about yourself, but sometimes we do need information to provide services that you request. By using this Site or any products or services provided through the Site, you expressly consent to the use and disclosure of information as described in this Privacy Policy.

LiteSpeed reserves the right to revise, modify, add, or remove provisions to this Privacy Policy at any time. If we make changes to this Privacy Policy, we will update the Effective Date to note the date of such changes. LiteSpeed encourages you to review this Privacy Policy periodically for any changes. IF YOU DO NOT AGREE WITH ANY OF THE TERMS BELOW, YOU SHOULD NOT USE THIS SITE OR THE PRODUCTS OR SERVICES OFFERED BY LITESPEED TECHNOLOGIES AT THIS SITE.

Collection of Information

Personal Information.

LiteSpeed will ask you for certain “Personal Information” when you complete registration or product information request forms on the Site, including but not limited to your name, address, telephone number, email address, and credit card information. You can always choose not to provide us with the requested information, however, you may not be able to complete the transaction or use our products or services if you do not provide the information requested.

Non-Personal Information.

LiteSpeed may collect non-personally identifiable information from you such as the type of browser you use, your operating system, the screen resolution of your browser, your ISP, your IP address, which pages you view on the Site and the time and duration of your visits to the Site (collectively, “Non-Personal Information”). LiteSpeed may associate Non-Personal Information with Personal Information if you register with the Site.

User Communications.

If you communicate with us, we may collect information relating to that communication whether it takes the form of email, fax, letter, forum posting, blog comments, testimonials or any other form of communication between you and LiteSpeed or Submitted by you to the Site (collectively, “User Communications”).

Server Information.

If you use one of our software products such as LiteSpeed Web Server or LiteSpeed Web ADC, we may collect certain information concerning such software and concerning the server upon which the software operates. This information includes: (a) the licensed or unlicensed status of the software; (b) the source from which the license for the software was obtained (i.e., LiteSpeed or a LiteSpeed affiliate); or (c) information about the server upon which the software is installed including (i) the public IP address, (ii) the operating system and (iii) the use of any virtualization technologies on such server ((a) through (c) collectively, “Server Information”). Additionally, “Server Information” may also include information collected from you by LiteSpeed in the event that you request technical support services including without limitation, IP addresses, usernames, and passwords necessary to login to SSH, the root directory of the server upon which you installed the LiteSpeed software and any affected accounts including email accounts, control panel accounts, MySQL accounts, CMS accounts and other accounts.

Use and Storage of Collected Information

LiteSpeed may use Personal Information to create and authenticate your account, to respond to your requests, to provide you with customer and technical support, or to provide you with information regarding our products, services, partners, and company. You may update your Personal Information with us at any time, but we may maintain records of any Personal Information you disclose to us indefinitely, unless otherwise requested as outlined below.

We may use User Communications in the same ways we use Personal Information. If you communicate with us for a particular purpose, we may use your User Communications for that purpose. For example, if you contact us for technical support, we may use your communications to provide technical support to you. We may maintain records of User Communications you transmit to us indefinitely, unless otherwise requested as outlined below.

LiteSpeed may use Non-Personal Information to maintain, evaluate, improve and provide our Site, the Services and any other LiteSpeed products and services. We may retain Non-Personal Information indefinitely.

We may use Server Information to provide you with technical support services and to maintain, evaluate, improve and provide LiteSpeed products and services. We may also use such information to investigate unlicensed (and therefore unauthorized) uses of our software. LiteSpeed may maintain Server Information indefinitely, with the exception of usernames, passwords, and other login information given in connection with support service requests. Such login information will be purged when the ticket is closed.

Disclosure of Collected Information

LiteSpeed will only disclose Personal Information to third parties if acting under a good faith belief that such action is necessary, including but not limited to: (a) to resolve disputes, investigate problems, or comply with laws or regulations; (b) to enforce our Terms of Service; (c) to protect and defend the rights, property, or safety of our company or our users; or (d) in the event of a merger, acquisition or sale of all or substantially all LiteSpeed assets. Other than this limited activity, we do not share, sell, or rent any personal information to third parties.

You will receive notice in the form of modifications to this Policy when information about you might go to third parties other than as described in this Policy, and you always have the opportunity to contact us as set forth below if you do not wish your information to go to third parties.

LiteSpeed cannot be responsible for protecting your information if you share such information in publicly available sections of the Site such as the user forums, blog comments, or testimonials section. You should use your own judgment in disclosing this information on the Site.

Use of Cookies

“Cookies” are small pieces of information that your browser stores on your computer on behalf of a website that you have visited. Cookies may be used in order to complete transactions on our site. You can always choose not to accept cookies with the settings of your web browser, however, you may not be able to complete these transactions if you do not accept cookies.

Security of Personal Information

We use reasonable security methods to protect your personal information from unauthorized access, use or disclosure. No data transmission over the Internet or any wireless network can be guaranteed to be perfectly secure. While we try to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk.

LiteSpeed uses industry-standard SSL-encryption to protect sensitive data.

In the event that LiteSpeed becomes aware of a security breach, unauthorized disclosure or inadvertent disclosure concerning your information, you agree that LiteSpeed may notify you of such an event using the Personal Information previously provided.

You are responsible for maintaining your account’s security.

GDPR Statement

LiteSpeed Technologies values your users’ privacy. Although our software does not directly collect any personally identifiable information from visitors to your site, LiteSpeed may still be considered a data processor, as user information may be temporarily cached and/or logged, as outlined in this document.

Servers

LiteSpeed Web Server, OpenLiteSpeed, LiteSpeed Web ADC, and related software may record IP addresses as a part of normal logging. An access log and an error log may record visitor IP addresses and URL visited. The logs are stored locally on the system where LiteSpeed server software is installed and are not transferred to or accessed by LiteSpeed employees in any way, except as necessary in providing routine technical support if you request it. This logging may be turned off through configuration. It is up to individual server administrators to come up with their own schedule for removing such logs from the file system.

Cache Solutions

Our cache plugins potentially store a duplicate copy of every web page on display on your site. The pages are stored locally on the system where LiteSpeed server software is installed and are not transferred to or accessed by LiteSpeed employees in any way, except as necessary in providing routine technical support if you request it. All cache files are temporary, and may easily be purged before their natural expiration, if necessary, via a Purge All command. It is up to individual site administrators to come up with their own cache expiration rules.

LSCache for WordPress

In addition to caching, our WordPress plugin has an Image Optimization feature. When optimization is requested, images are transmitted to a remote LiteSpeed server, processed, and then transmitted back for use on your site. LiteSpeed keeps copies of optimized images for 7 days (in case of network stability issues) and then permanently deletes them.

Similarly, the WordPress plugin has a Reporting feature whereby a site owner can transmit an environment report to our server so that we may better provide technical support.

Neither of these features collects any visitor data. Only server and site data is involved.

Support Services

Sometimes, when you request technical support, LiteSpeed may ask for login credentials to various areas of your site. You may refuse to share such credentials, however refusal may impact LiteSpeed’s ability to provide the requested support services.

Upon completion of a support ticket, LiteSpeed immediately deletes all login credentials you may have shared.

Any user data encountered by LiteSpeed is kept strictly confidential. We never provide your support ticket information to any third party without your explicit consent.

Contact Us

If you would like to update information that you have voluntarily provided to us, stop receiving information from us, or exercise any of the rights granted to you under Privacy Laws, including the EU’s General Data Protection Regulation, please e-mail info@litespeedtech.com.