Read More

Server Security

Table of Contents

Per Client Throttling

Requests/Second | Outbound Bandwidth (bytes/sec) | Inbound Bandwidth (bytes/sec) | Connection Soft Limit | Connection Hard Limit | Block Bad Request | Grace Period (sec) | Banned Period (sec)

Access Control

Allowed List | Denied List

Web Application Firewall (WAF)

Enable WAF | Log Level | Default Action | Scan Request Body | Temporary File Path | Temporary File Permissions | Enable Security Audit Log | Security Audit Log

Web Application Firewall (WAF) Rule Set

Name | Rule Set Action | Enabled | Rules Definition

Per Client Throttling

Description

These are connection control setting on a per client/IP basis. These settings help to mitigate DoS (Denied of Service) and DDoS (Distributed Denied of Service) attacks.

Requests/Second

Description

Specifies the maximum number of requests for dynamically generated content coming from a single IP address that can be processed in each second, regardless of the number of connections established. When this limit is reached, all future requests for dynamic content are tar-pitted until the next second. The per client request limit can be set at the server or virtual host level where virtual host level settings override server level settings.

Syntax

Integer number

Tips

Trusted IPs or sub-networks are not effected

Outbound Bandwidth (bytes/sec)

Description

The maximum allowed outgoing throughput to a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 4KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.

Syntax

Integer number

Tips

Set the bandwidth in 8KB units for better performance.

Trusted IPs or sub-networks are not affected.

See Also

Inbound Bandwidth (bytes/sec)

Inbound Bandwidth (bytes/sec)

Description

The maximum allowed incoming throughput from a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 1KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.

Syntax

Integer number

Tips

Trusted IPs or sub-networks are not affected.

See Also

Outbound Bandwidth (bytes/sec)

Connection Soft Limit

Description

Specifies the soft limit of concurrent connections allowed from one IP. This soft limit can be exceeded temporarily during Grace Period (sec) as long as the number is below the Connection Hard Limit, but Keep-Alive connections will be closed as soon as possible until the number of connections is lower than the limit. If number of connections is still over the limit after the Grace Period (sec), that IP will be blocked for the Banned Period (sec).

For example, if a page contains many small graphs, the browser may try to set up many connections at same time, especially for HTTP/1.0 clients. You would want to allow those connections for a short period.

HTTP/1.1 clients may also set up multiple connections to speed up downloading and SSL requires separate connections from non-SSL connections. Make sure the limit is set properly, as not to adversely affect normal service. The recommended limit is between 5 and 10.

Syntax

Integer number

Tips

A lower number will enable serving more distinct clients.
Trusted IPs or sub-networks are not affected.
Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.

Connection Hard Limit

Description

Specifies the maximum number of allowed concurrent connections from a single IP address. This limit is always enforced and a client will never be able to exceed this limit. HTTP/1.0 clients usually try to set up as many connections as they need to download embedded content at the same time. This limit should be set high enough so that HTTP/1.0 clients can still access the site. Use Connection Soft Limit to set the desired connection limit.

The recommended limit is between 20 and 50 depending on the content of your web page and your traffic load.

Syntax

Integer number

Tips

A lower number will enable serving more distinct clients.
Trusted IPs or sub-networks are not affected.
Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.

Block Bad Request

Description

Block IPs that keep sending badly-formated HTTP requests for the Banned Period (sec). Default is Yes. This helps to block botnet attacks that repeatedly sending junk requests.

Syntax

Select from radio box

Grace Period (sec)

Description

Specifies how long new connections can be accepted after the number of connections established from one IP is over the Connection Soft Limit. Within this period, new connections will be accepted if the total connections is still below the Connection Hard Limit. After this period has elapsed, if the number of connections still higher than the Connection Soft Limit, then the offending IP will be blocked for the Banned Period (sec).

Syntax

Integer number

Tips

Set to a proper number big enough for downloading a complete page but low enough to prevent deliberate attacks.

Banned Period (sec)

Description

Specifies how long new connections will be rejected from an IP if, after the Grace Period (sec) has elapsed, the number of connections is still more than the Connection Soft Limit. If IPs are getting banned repeatedly, we suggest that you increase your banned period to stiffen the penalty for abuse.

Syntax

Integer number

Access Control

Description

Specifies what sub networks and/or IP addresses can access the server. At the server level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.

Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. If you want to block only certain IPs or sub-networks, put * or ALL in the Allowed List and list the blocked IPs or sub-networks in the Denied List. If you want to allow only certain IPs or sub-networks, put * or ALL in the Denied List and list the allowed IPs or sub-networks in the Allowed List. The setting of the smallest scope that fits for an IP will be used to determine access.

Server Level: Trusted IPs or sub-networks must be specified in the Allowed List by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.

Tips

Use this at the server level for general restrictions that apply to all virtual hosts.

Allowed List

Description

Specifies the list of IPs or sub-networks allowed. * or ALL are accepted.

Syntax

Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as 192.168.1.*T.

Example

Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64

Tips

Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.

Denied List

Description

Specifies the list of IPs or sub-networks disallowed.

Syntax

Comma delimited list of IP addresses or sub-networks. * or ALL are accepted.

Example

Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64

Enable WAF

Description

Specifies whether to enable request content deep inspection. This feature is equivalent to Apache's mod_security, which can be used to detect and block requests with ill intention by matching them to known signatures.

Syntax

Select from radio box

Log Level

Description

Specifies the level of detail of the Web Application Firewall engine's debug output. This value ranges from 0 - 9. 0 disables logging. 9 produces the most detailed log. The the server and virtual host's error log Log Level must be set to at least INFO for this option to take effect. This is useful when testing request filtering rules.

Syntax

Integer number

See Also

Server Log Level, Virtual Host Log Level

Default Action

Description

Specifies the default actions that should be taken when a censoring rule is met. Default value is deny,log,status:403, which means to deny access with status code 403 and log the incident in the error log.

See Also

Rule Set Action

Scan Request Body

Description

Specifies whether to check the body of an HTTP POST request. Default is "No".

Syntax

Select from radio box

Temporary File Path

Description

Temporary directory where files being uploaded to server will be stored while request body parser is working. Default value is /tmp.

Syntax

Absolute path or path starting with $SERVER_ROOT (for Server and VHost levels).

Temporary File Permissions

Description

Global setting determining file permissions used for files stored in the Temporary File Path directory.

Syntax

3 digits octet number. Default value is 666.

Enable Security Audit Log

Description

Specifies whether to enable audit logging. This feature is equivalent to Apache's mod_security audit engine. If it is enabled and Security Audit Log is set, detailed request information will be saved.

Syntax

Select from radio box

See Also

Security Audit Log

Security Audit Log

Description

Specifies the path of the security audit log, which gives more detailed information. This extra information can be useful if, for example, you wish to track the actions of a particular user. Use Enable Security Audit Log to turn on the logging.

Syntax

Filename which can be an absolute path or a relative path to $SERVER_ROOT.

See Also

Enable Security Audit Log

Web Application Firewall (WAF) Rule Set

Description

Rules configured here only work for virtual hosts configured with a native LSWS configuration, not for virtual hosts using Apache httpd.conf.

Name

Description

Give a group of censorship rules a name. For display only.

Syntax

String

Enabled

Description

Specifies whether to enable this rule set. With this option, a rule set can be quickly turned on and off without adding or removing the rule set. Default is "Yes".

Syntax

Select from radio box

Rules Definition

Description

Specifies a list of censorship rules.

If you are using an Apache config file, you have to set up rules in httpd.conf. Rules defined here will have no effect.

Syntax

String. Syntax of censoring rules follows that of Apache's mod_security directives. "SecFilter", "SecFilterSelective", and "SecRule" can be used here. You can copy and paste security rules from an Apache configuration file.

For more details about rule syntax, please refer to the Mod Security documentation.

Tips

Rules configured here only work for vhosts configured in native LSWS configuration, not for vhosts from Apache httpd.conf.

Accelerate your internet now.