Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:config:web-application-protection [2017/11/28 19:30] Jackson Zhang [How to use web application protection] |
litespeed_wiki:config:web-application-protection [2017/11/28 20:46] Johathan Kagan [WordPress 'brute force attack protection built in to LSWS] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== WordPress 'brute force attack protection built in to LSWS ====== | ====== WordPress 'brute force attack protection built in to LSWS ====== | ||
| - | A ‘brute force’ login attack is a type of attack against a website to gain access to the site by guessing the username and password, over and over again. WordPress is the most popular CMS and therefore it’s a frequent target of these type of attacks. ''wp-login.php'' and ''xmlrpc.php'' pages are the most common target from brute force attack by POST method. WordPress doesn’t have any built in feature to prevent these types of attacks, hence you may need to find some third-party solutions. | + | A ‘brute force’ login attack is a type of attack against a website to gain access to the site by guessing the username and password, over and over again. WordPress is the most popular CMS and therefore it’s a frequent target of these type of attacks. ''wp-login.php'' and ''xmlrpc.php'' pages are the most common target from brute force attack by POST method. WordPress doesn’t have any built in protection to prevent these types of attacks, hence you may need to find some third-party solutions. |
| - | Since 5.2.3, LSWS build-in wordpress brute force attack protection is introduced and it will well protect your shared hosting WordPress environment from large-scale DDoS attack, which may even bring down your server. | + | Starting with version 5.2.3 of LSWS, LSWS has a built-in WordPress brute force attack protection system. It will protect shared hosting WordPress environments from large-scale DDoS attacks, which may bring down entire servers. |
| - | + | ||
| - | ===== Requirement ===== | + | |
| - | LiteSpeed Web Server version 5.2.3+ | + | |
| ===== How Brute Force Protection works ===== | ===== How Brute Force Protection works ===== | ||
| - | Specifies the maximum number, when ''wp-login.php'' and ''xmlrpc.php'' pages attempts allowed within 5 minutes before the IP is blocked. \\ | + | |
| + | The newly introduced WordPress Protection directive is: ''WordPressProtect (0|1|5-1000)'' \\ | ||
| + | * **0** will disable it. | ||
| + | * **>=1** will enable it. ''10'' is default value and feature is enabled by default | ||
| + | * **Value is only valid to be within 5-1000**, 1-4 will be rounded up to 5, value over 1000 will be rounded down to ''1000''. | ||
| + | |||
| + | This directive can be placed in Apache configuration or .htaccess. | ||
| + | |||
| + | The above values specify the maximum number''wp-login.php'' and ''xmlrpc.php'' pages attempts allowed within 5 minutes before the IP is blocked. \\ | ||
| This limit is handled using a quota system where limit = quota. Each POST attempt will decrease the quota by 1 with the quota increasing back to the set limit over time. The IP will be throttled starting at half of the limit, slowing more as the quota drops further. When the quota reached 0, the IP is blocked. \\ {{:litespeed_wiki:config:protection-1.png?600|}} | This limit is handled using a quota system where limit = quota. Each POST attempt will decrease the quota by 1 with the quota increasing back to the set limit over time. The IP will be throttled starting at half of the limit, slowing more as the quota drops further. When the quota reached 0, the IP is blocked. \\ {{:litespeed_wiki:config:protection-1.png?600|}} | ||
| Line 14: | Line 19: | ||
| * For Example: If the limit is 10, it start to throttle when there are more than 5 attempts within the short period of time. It is a quota system, that each IP get quota of 10, each attempt will reduce it. and after 30 second, quota will increase 1. Once quota reach 0, the client will be blocked. So, it is not reset all at once, but gradually increase to the maximum if not keep hit the URL. | * For Example: If the limit is 10, it start to throttle when there are more than 5 attempts within the short period of time. It is a quota system, that each IP get quota of 10, each attempt will reduce it. and after 30 second, quota will increase 1. Once quota reach 0, the client will be blocked. So, it is not reset all at once, but gradually increase to the maximum if not keep hit the URL. | ||
| + | * Restarting LSWS will reset the quota back to its limit. | ||
| + | ===== How to enable LSWS WordPressProtect feature on cPanel ===== | ||
| - | ====For cPanel Setup ==== | + | As long as LSWS version is 5.2.3 or above, LSWS WordPressProtect feature is enabled by default and does not need any extra configuration in the LSWS WebAdmin GUI or in Apache configurations. |
| - | The Syntax of Apache configuration directive: ''WordPressProtect (0|1|5-1000)'' \\ | + | |
| - | * **0** will disable it. | + | One may want to overwrite it on the server level, virtual host level or even the .htaccess level. What 's the logic behind it? |
| - | * **1** will enabled it. Use the server level config as default, if not set it is 10. | + | |
| - | * **Within 5-1000** will adjust the limit | + | Setting it on Apache server level configuration will override the setting for Apache based virtual host, but there is no impact on LSWS native virtual host, which can only be controlled by LSWS native settings. |
| + | |||
| + | Setting it on Apache virtual host level configuration will override server level configuration as well as .htaccess level of configuration, which means server administrator's virtual host setting will override end user's setting in .htaccess. | ||
| + | |||
| + | Let 's look at some examples for WHM/cpanel EA4 environment: | ||
| + | |||
| + | After you run the following, WordPressProtect feature will be enabled globaly automatically: | ||
| + | /usr/local/lsws/admin/misc/lsup.sh -f -v 5.2.3 (or above version) | ||
| + | |||
| + | You may want to overide the default limit ''10'' to other value, such as ''5''. Then you will need to set it in server level of apache configuration file: | ||
| + | |||
| + | vi /etc/apache2/conf.d/includes/pre_main_global.conf | ||
| + | |||
| + | and add: | ||
| + | <IfModule Litespeed> | ||
| + | WordPressProtect 5 | ||
| + | </IfModule> | ||
| + | |||
| + | which will set the limit to ''5'' for all virtual hosts. | ||
| + | |||
| + | You can also disable it globally as: | ||
| + | <IfModule Litespeed> | ||
| + | WordPressProtect 0 | ||
| + | </IfModule> | ||
| + | |||
| + | No matter how the server level set, end user has ability to enable or disable it through .htaccess by placing the following: | ||
| + | |||
| + | <IfModule Litespeed> | ||
| + | WordPressProtect 15 | ||
| + | </IfModule> | ||
| + | or | ||
| + | <IfModule Litespeed> | ||
| + | WordPressProtect 0 | ||
| + | </IfModule> | ||
| + | |||
| + | However, as far as virtual host level setting is set(disabled or enabled), such as for http and domain examle.com, the feature is disabled in virtual host level include file, then directives in .htaccess will not have any effect anymore. | ||
| + | |||
| + | cd /etc/apache2/conf.d/userdata/std/2_4/$USER/example.com/ | ||
| + | vi wordpress.conf | ||
| + | |||
| + | <IfModule Litespeed> | ||
| + | WordPressProtect 0 | ||
| + | </IfModule> | ||
| + | |||
| + | To verify and check how server and virtual host level set, you may run the following command: | ||
| - | Depends on which level you need to add the following lines to Server Level / Virtual Host Level / .htaccess \\ <code> | + | cd /etc/apache2/ |
| - | <IfModule Litespeed> | + | grep -i -r wordpressprotect * |
| - | WordPressProtect 10 | + | |
| - | </IfModule> | + | |
| - | </code> | + | |
| - | === On Server level === | + | |
| - | * For EA3''/usr/local/apache/conf/includes/pre_main_global.conf'' | + | |
| - | * For EA4 ''/etc/apache2/conf.d/includes/pre_main_global.conf'' | + | |
| - | === On Virtual Host level=== | + | |
| - | * For EA3''/usr/local/apache/conf/userdata/lscache_vhosts.conf'' | + | |
| - | * For EA4 ''/etc/apache2/conf.d/userdata/lscache_vhosts.conf'' | + | |
| - | ==== Design logic ==== | + | The design logic looks like the following: |
| - | * Virtual Host protect settings can rewrite both Server Level and .htaccess file | + | |
| - | * .htaccess file can rewrite Server Level only | + | |
| ^ Server Level ^ VHost Level^ .htaccess ^ Result ^ | ^ Server Level ^ VHost Level^ .htaccess ^ Result ^ | ||
| Line 44: | Line 84: | ||
| |5|10|20|10| | |5|10|20|10| | ||
| - | ==== Real Testing==== | + | ===== Real Testing===== |
| - | Test 10 limit with brute access script. We can see time increasing from Round 6 and finally got connection error on Round 11. | + | This test was conducted with ''WordPressProtect'' set to ''10''. We can see the time start to increase at Round 6 and finally get a connection error at Round 11. |
| <code> | <code> | ||
| Round: 1 Fail 0.626 | Round: 1 Fail 0.626 | ||