Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:config:web-application-protection [2017/11/28 20:06] Jackson Zhang |
litespeed_wiki:config:web-application-protection [2017/11/28 20:46] (current) Johathan Kagan [WordPress 'brute force attack protection built in to LSWS] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== WordPress 'brute force attack protection built in to LSWS ====== | ====== WordPress 'brute force attack protection built in to LSWS ====== | ||
| - | A ‘brute force’ login attack is a type of attack against a website to gain access to the site by guessing the username and password, over and over again. WordPress is the most popular CMS and therefore it’s a frequent target of these type of attacks. ''wp-login.php'' and ''xmlrpc.php'' pages are the most common target from brute force attack by POST method. WordPress doesn’t have any built in feature to prevent these types of attacks, hence you may need to find some third-party solutions. | + | A ‘brute force’ login attack is a type of attack against a website to gain access to the site by guessing the username and password, over and over again. WordPress is the most popular CMS and therefore it’s a frequent target of these type of attacks. ''wp-login.php'' and ''xmlrpc.php'' pages are the most common target from brute force attack by POST method. WordPress doesn’t have any built in protection to prevent these types of attacks, hence you may need to find some third-party solutions. |
| - | Since 5.2.3, LSWS build-in wordpress brute force attack protection is introduced and it will well protect your shared hosting WordPress environment from large-scale DDoS attack, which may even bring down your server. | + | Starting with version 5.2.3 of LSWS, LSWS has a built-in WordPress brute force attack protection system. It will protect shared hosting WordPress environments from large-scale DDoS attacks, which may bring down entire servers. |
| ===== How Brute Force Protection works ===== | ===== How Brute Force Protection works ===== | ||
| Line 9: | Line 9: | ||
| * **0** will disable it. | * **0** will disable it. | ||
| * **>=1** will enable it. ''10'' is default value and feature is enabled by default | * **>=1** will enable it. ''10'' is default value and feature is enabled by default | ||
| - | * **Value is only valid to be within 5-1000**, 1-4 will be rounded up to 5, value over 1000 will be rounded up to ''1000''. | + | * **Value is only valid to be within 5-1000**, 1-4 will be rounded up to 5, value over 1000 will be rounded down to ''1000''. |
| - | The directive can be placed in apache configuration or .htaccess. | + | This directive can be placed in Apache configuration or .htaccess. |
| - | The above value specifies the maximum number''wp-login.php'' and ''xmlrpc.php'' pages attempts allowed within 5 minutes before the IP is blocked. \\ | + | The above values specify the maximum number''wp-login.php'' and ''xmlrpc.php'' pages attempts allowed within 5 minutes before the IP is blocked. \\ |
| This limit is handled using a quota system where limit = quota. Each POST attempt will decrease the quota by 1 with the quota increasing back to the set limit over time. The IP will be throttled starting at half of the limit, slowing more as the quota drops further. When the quota reached 0, the IP is blocked. \\ {{:litespeed_wiki:config:protection-1.png?600|}} | This limit is handled using a quota system where limit = quota. Each POST attempt will decrease the quota by 1 with the quota increasing back to the set limit over time. The IP will be throttled starting at half of the limit, slowing more as the quota drops further. When the quota reached 0, the IP is blocked. \\ {{:litespeed_wiki:config:protection-1.png?600|}} | ||
| Line 19: | Line 19: | ||
| * For Example: If the limit is 10, it start to throttle when there are more than 5 attempts within the short period of time. It is a quota system, that each IP get quota of 10, each attempt will reduce it. and after 30 second, quota will increase 1. Once quota reach 0, the client will be blocked. So, it is not reset all at once, but gradually increase to the maximum if not keep hit the URL. | * For Example: If the limit is 10, it start to throttle when there are more than 5 attempts within the short period of time. It is a quota system, that each IP get quota of 10, each attempt will reduce it. and after 30 second, quota will increase 1. Once quota reach 0, the client will be blocked. So, it is not reset all at once, but gradually increase to the maximum if not keep hit the URL. | ||
| - | * Restarting LSWS will reset the above. | + | * Restarting LSWS will reset the quota back to its limit. |
| ===== How to enable LSWS WordPressProtect feature on cPanel ===== | ===== How to enable LSWS WordPressProtect feature on cPanel ===== | ||
| - | As far as you upgrade to 5.2.3 and above version, LSWS WordPressProtect feature is enabled by default and you don't need to place any extra configuration on LSWS Admin Console or in apache configuration. | + | As long as LSWS version is 5.2.3 or above, LSWS WordPressProtect feature is enabled by default and does not need any extra configuration in the LSWS WebAdmin GUI or in Apache configurations. |
| - | You may want to overwrite it on the server level, virtual host level or .htaccess level. What 's the logic behind it? | + | One may want to overwrite it on the server level, virtual host level or even the .htaccess level. What 's the logic behind it? |
| - | Setting it on Apache server level configuration will override setting for apache based virtual host, but there is no impact on LSWS native virtual host, which can only be controlled by LSWS native settings. | + | Setting it on Apache server level configuration will override the setting for Apache based virtual host, but there is no impact on LSWS native virtual host, which can only be controlled by LSWS native settings. |
| - | Setting it on Apache virtual host level configuration will overide server level of configuration as well as .htaccess level of configuration, which means server administrator's virtual host setting will override end user's setting in .htaccess. | + | Setting it on Apache virtual host level configuration will override server level configuration as well as .htaccess level of configuration, which means server administrator's virtual host setting will override end user's setting in .htaccess. |
| Let 's look at some examples for WHM/cpanel EA4 environment: | Let 's look at some examples for WHM/cpanel EA4 environment: | ||
| Line 70: | Line 70: | ||
| WordPressProtect 0 | WordPressProtect 0 | ||
| </IfModule> | </IfModule> | ||
| - | | + | |
| + | To verify and check how server and virtual host level set, you may run the following command: | ||
| + | |||
| + | cd /etc/apache2/ | ||
| + | grep -i -r wordpressprotect * | ||
| The design logic looks like the following: | The design logic looks like the following: | ||
| Line 80: | Line 85: | ||
| ===== Real Testing===== | ===== Real Testing===== | ||
| - | Test 10 limit with brute access script. We can see time increasing from Round 6 and finally got connection error on Round 11. | + | This test was conducted with ''WordPressProtect'' set to ''10''. We can see the time start to increase at Round 6 and finally get a connection error at Round 11. |
| <code> | <code> | ||
| Round: 1 Fail 0.626 | Round: 1 Fail 0.626 | ||