Virtual Host Security

Table of Contents

WordPress Brute Force Attack Protection

Protection Mode | Allowed Login Attempts

Web Application Firewall (WAF)

Enable WAF | Log Level | Default Action | Scan Request Body

Web Application Firewall (WAF) Rule Set

Name | Rule Set Action | Enabled | Rules Definition

reCAPTCHA Protection

Trigger Sensitivity

Containers

Bubblewrap Container | Namespace Container | Additional Namespace Template File

Hotlink Protection

Enable Hotlink Protection | Suffix | Redirect URL | Allow Direct Access | Only Self Reference | Allowed Domains | REGEX Matched Domains

Access Control

Allowed List | Denied List

Authorization Realms

Realm Name | DB Type | User DB Location | Password Attribute | Member-of Attribute | User DB Max Cache Size | User DB Cache Timeout (secs) | Group DB Location | Group Member Attribute | Group DB Max Cache Size | Group DB Cache Timeout (secs) | LDAP Bind DN | LDAP Bind Password

Protection Mode

Description

Specifies the action to be taken when the specified Allowed Login Attempts limit is reached within 5 minutes.

Throttle gradually slows down the speed of the server response, Drop severs the connection without any reply, Deny returns a 403 response, and CAPTCHA or Drop redirects to a CAPTCHA if reCAPTCHA Protection is enabled and drops otherwise.

WP Login CAPTCHA Full Protection can also be selected. This setting will redirect to a CAPTCHA if ReCAPTCHA Protection is enabled regardless of Allowed Login Attempts limit and falls back to use Throttle otherwise.

Default values:
Server level: Throttle
VH level: Inherit Server level setting. If Server level is set to Disable, Throttle will be used.

Syntax

Select from drop down list

Tips

Trusted IPs or sub-networks are not affected.
This feature is enabled by default (Throttle) and does not need any further configuration in the WebAdmin GUI or in Apache configurations.
This setting will override Apache conf WordPressProtect setting for LSWS only. Apache will be unaffected.

This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive WordPressProtect with value 0 (disabled), 1 (use server level setting), throttle, deny, or drop.

Allowed Login Attempts

Description

Specifies the maximum number of wp-login.php and xmlrpc.php POST attempts allowed by an IP within 5 minutes before the action specified in Protection Mode is taken.

This limit is handled using a quota system where remaining attempts = limit. Each POST attempt will decrease the number of remaining attempts by 1, with the number of remaining attempts increasing back to the set limit over time. An IP will be throttled once the number of remaining attempts for that IP falls to 1/2 the set limit, throttling more as the remaining attempts drops further below the 1/2 mark. When remaining attempts reaches 0, the specified action is taken toward the IP.

In addition to this, if Enable reCAPTCHA is also enabled, an additional per worker protection will be added. If wp-login.php and xmlrpc.php are visited by the same worker at a rate of 4x the set limit in a 30 second time frame, those URLs will be put into reCAPTCHA mode until the number of visits to these files decreases.

Resetting the server will clear blocked IPs.

Default values:
Server-level: 10
VH-Level: Inherit Server level setting

Syntax

Valid Range: 3 - 1000.

Example

With an Attempt limit of 10, and a Mode of drop:

After the first POST attempt, the quota is decreased to 9.

Quota decreases by 1 for each POST attempt.

After Quota reaches half of the limit (5), the IP will be throttled.

Throttling will get worse with each POST attempt.

Once the quota reaches 0, the connection will be dropped.

Tips

Trusted IPs or sub-networks are not affected.

This setting will override Apache conf WordPressProtect setting for LSWS only. Apache will be unaffected.

This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive WordPressProtect with integer value between 3 and 1000.

Enable WAF

Description

Specifies whether to enable request content deep inspection. This feature is equivalent to Apache's mod_security, which can be used to detect and block requests with ill intention by matching them to known signatures.

Syntax

Select from radio box

Log Level

Description

Specifies the level of detail of the Web Application Firewall engine's debug output. This value ranges from 0 - 9. 0 disables logging. 9 produces the most detailed log. The the server and virtual host's error log Log Level must be set to at least INFO for this option to take effect. This is useful when testing request filtering rules.

Syntax

Integer number

See Also

Server Log Level, Virtual Host Log Level

Default Action

Description

Specifies the default actions that should be taken when a censoring rule is met. Default value is deny,log,status:403, which means to deny access with status code 403 and log the incident in the error log.

See Also

Rule Set Action

Scan Request Body

Description

Specifies whether to check the body of an HTTP POST request. Default is "No".

Syntax

Select from radio box

Web Application Firewall (WAF) Rule Set

Description

Rules configured here only work for virtual hosts configured with a native LSWS configuration, not for virtual hosts using Apache httpd.conf.

Name

Description

Give a group of censorship rules a name. For display only.

Syntax

String

Enabled

Description

Specifies whether to enable this rule set. With this option, a rule set can be quickly turned on and off without adding or removing the rule set. Default is "Yes".

Syntax

Select from radio box

Rules Definition

Description

Specifies a list of censorship rules.

If you are using an Apache config file, you have to set up rules in httpd.conf. Rules defined here will have no effect.

Syntax

String. Syntax of censoring rules follows that of Apache's mod_security directives. "SecFilter", "SecFilterSelective", and "SecRule" can be used here. You can copy and paste security rules from an Apache configuration file.

For more details about rule syntax, please refer to the Mod Security documentation.

Tips

Rules configured here only work for vhosts configured in native LSWS configuration, not for vhosts from Apache httpd.conf.

reCAPTCHA Protection

Description

reCAPTCHA Protection is a service provided as a way to mitigate heavy server load. reCAPTCHA Protection will activate after one of the below situations is hit. Once active, all requests by NON TRUSTED(as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.

The following situations will activate reCAPTCHA Protection:
1. The server or vhost concurrent requests count passes the configured connection limit.
2. Anti-DDoS is enabled and a client is hitting a url in a suspicious manner. The client will redirect to reCAPTCHA first instead of getting denied when triggered.
3. WordPress Brute Force Attack Protection is enabled and action is set to 'CAPTCHA or Drop’. When a brute force attack is detected, the client will redirect to reCAPTCHA first. After max tries is reached, the connection will be dropped, as per the ‘drop’ option.
4. WordPress Brute Force Attack Protection is enabled and action is set to 'WP Login CAPTCHA Full Protection'. The client will always redirect to reCAPTCHA first.
5. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.

Trigger Sensitivity

Description

Automatic reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA Protection will be used. A value of 0 is equivalent to "Off" while a value of 100 is equivalent to "Always On".

Default values:
Server level: 0
Virtual Host level: Inherit Server level setting

Syntax

Integer value between 0 and 100.

Bubblewrap Container

Description

Set to Enabled if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See https://wiki.archlinux.org/title/Bubblewrap for details on using bubblewrap. Bubblewrap must be installed on your system prior to using this setting.

This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.

Default values:
Server level: Disabled
VH level: Inherit Server level setting

Syntax

Select from drop down list

Namespace Container

Description

Set to Enabled if you wish to start CGI processes (including PHP programs) in a namespace container sandbox. Only used when Bubblewrap Container is set to Disabled.

When not Disabled at the Server level, this settings value can be overridden at the Virtual Host level.

Default values:
Server level: Disabled
Virtual Host Level: Inherit Server level setting

Syntax

Select from drop down list

Additional Namespace Template File

Description

Path to an existing configuration file containing a list of directories to be mounted along with the methods used to mount them. If Namespace Template File is also set at the Server level, both files will be used.

Syntax

A path which can be absolute, relative to $SERVER_ROOT, or relative to $VH_ROOT.

Description

Hotlinks are requests made from an external website to files on your own website often referred to as "leeching". This practice introduces additional bandwidth usage that you should not be responsible for.

LiteSpeed web server can prevent others from hotlinking to content on your web site by checking the Referer header within an HTTP request. If the Referer header does not match your website, the request will be denied.

Enable Hotlink Protection

Description

Specifies whether to activate hotlink protection.

Syntax

Select from radio box

Suffix

Description

Specifies what kinds of files will be protected from hotlinking by listing file suffixes.

Syntax

Comma delimited list. "." is prohibited

Redirect URL

Description

Specifies a URL that a user will be redirected to when a hotlinking action is detected. You can redirect users to an image or page saying hotlinking is not allowed. If it is not specified, 403 Forbidden will be returned.

Syntax

Absolute URL

Allow Direct Access

Description

Specifies whether to allow direct access without a referrer. A referrer header identifies the web page that linked to the current page. There is no "referrer" header in HTTP requests when a user types in an address directly in the address box or uses a feature like "save target link as".

Syntax

Select from radio box

Only Self Reference

Description

Specifies whether to only allow references from the current web site itself. When set to Yes, Allowed Domains has no effect and no other web site can link to protected files. This can be convenient if you wish to park multiple domain names on the current web site.

Syntax

Select from radio box

Allowed Domains

Description

Specifies which web sites can link to protected content.

Syntax

Comma delimited list of domain names.

REGEX Matched Domains

Description

Specifies web sites that can link to protected content in regular expressions. The regular expression will match the domain name only and not the full URL.

Syntax

Regular expressions

Example

^.*\.mydomain\.com$

Access Control

Description

Specifies what sub networks and/or IP addresses can access the server. At the server level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.

Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. If you want to block only certain IPs or sub-networks, put * or ALL in the Allowed List and list the blocked IPs or sub-networks in the Denied List. If you want to allow only certain IPs or sub-networks, put * or ALL in the Denied List and list the allowed IPs or sub-networks in the Allowed List. The setting of the smallest scope that fits for an IP will be used to determine access.

Server Level: Trusted IPs or sub-networks must be specified in the Allowed List by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.

Tips

Use this at the server level for general restrictions that apply to all virtual hosts.

Allowed List

Description

Specifies the list of IPs or sub-networks allowed. * or ALL are accepted.

Syntax

Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as 192.168.1.*T.

Example

Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64

Tips

Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.

Denied List

Description

Specifies the list of IPs or sub-networks disallowed.

Syntax

Comma delimited list of IP addresses or sub-networks. * or ALL are accepted.

Example

Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64

Authorization Realms

Description

Lists all authorization realms for this virtual host. Authorization realms are used to block unauthorized users from accessing protected web pages. A realm is a user directory containing usernames and passwords with optional group classifications. Authorization is performed at the context level. Because different contexts can share the same realm (user database), realms are defined separately from the contexts that use them. You can refer to a realm by these names in a contexts configuration.

Realm Name

Description

Specifies a unique name for the authorization realm.

DB Type

Description

Specifies how user/group data is stored for an authorization realm. Currently, user/group data can be stored in flat files or on a LDAP server.

Syntax

Select from drop down list

User DB Location

Description

Specifies the location of the user database. For DB type Password File, it is the path to the flat file containing user/password definitions. You can edit this file through the WebAdmin console by clicking on the filename.

Each line of the user file contains a username followed by a colon, followed by a crypt() encrypted password, optionally followed by a colon and group names that user belongs to. Group names are delimitated by commas. If group information is specified in the user database, then the group database will not be checked.

Example:

john:HZ.U8kgjnMOHo:admin,user


For DB type LDAP, it is the LDAP URL to query for the user information. For each valid user, the authentication data stored in the LDAP server should contain at least the user id and user password. One and only one record should be returned in the LDAP search request based on the URL and username received in the HTTP Authentication header. "$k" must be specified in the filter part of the URL and it will be replaced with the username. The user password attribute must be returned in the query result. The attribute name of the user password is specified by Password Attribute. Group information can be optionally specified by the Member-of Attribute.

Example: At minimum, a user can be defined in LDAP with object classes: uidObject, simpleSecurityObject and organizationalRole. The following URL could be used:

ldap://localhost/ou=UserDB,dc=example,dc=com???(&(objectClass=*)(uid=$k))

Syntax

Path to user DB file or LDAP URL (RFC 2255).

Tips

It is recommended to store user password files outside of the document tree. If a user password file has to be placed inside document tree, simply name it with a leading ".ht" like .htuser to prevent it being served as a static file. LiteSpeed Web Server does not serve files prefixed with ".ht".

See Also

Group DB Location, Password Attribute, Member-of Attribute

Password Attribute

Description

Specifies the name of the password attribute for a user record stored in an LDAP server. The default value is userPassword.

Syntax

string

Member-of Attribute

Description

Specifies the name of the "Member-of" attribute for a user record stored in an LDAP server. The default value is memberOf. The "Member-of" attribute can be used to specify the group name that the user belongs to.

Syntax

string

User DB Max Cache Size

Description

Specifies the maximum cache size of the user database. Recently accessed user authentication data will be cached in memory to provide maximum performance.

Syntax

Integer number

Tips

As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage.

User DB Cache Timeout (secs)

Description

Specifies how often the backend user database will be checked for changes. Every entry in the cache has a timestamp. When cached data is older than the specified timeout, the backend database will be checked for changes. If there is no change, the timestamp will be reset to the current time, otherwise the new data will be loaded. Sevrer reload and graceful restart will clear the cache immediately.

Syntax

Integer number

Tips

If the backend database does not change very often, set a longer timeout for better performance.

Group DB Location

Description

Specifies the location of the group database.

Group information can be set either in the user database or in this standalone group DB. For user authentication, the user DB will be checked first. If the user DB also contains group information, then the group DB will not be checked.

For the DB type Password File, the group DB location should be the path to the flat file containing group definitions. You can edit this file through the WebAdmin console by clicking on the filename.

Each line of a group file should contain a groupname followed by a colon, followed by space delimited group of usernames. Example:

testgroup: user1 user2 user3


For the DB type LDAP, the group DB location should be the LDAP URL to query for group information. For each valid group, one and only one record should be returned in the LDAP search request based on this URL and the group name specified in Require (Authorized Users/Groups). "$k" must be specified in the filter part of the URL and it will be replaced with the group name. The name of the attribute that specifies members in this group is specified by the Group Member Attribute.

Example: If objectClass posixGroup is being used to store group information. The following URL could be used:
ldap://localhost/ou=GroupDB,dc=example,dc=com???(&(objectClass=*)(cn=$k))

Syntax

Filename which can be an absolute path or a relative path to $SERVER_ROOT, $VH_ROOT.

Tips

It is recommended to store a group file outside the document tree. If it has to be placed inside document tree, simply name it with a leading ".ht" like .htgroup, to prevent the file being served as a static file. LiteSpeed Web Server does not serve files prefixed with ".ht".

See Also

User DB Location, Context Require (Authorized Users/Groups), Group Member Attribute

Group Member Attribute

Description

Specifies the name of the "Member" attribute for a group record stored in an LDAP server. The default value is memberUid.

Syntax

string

Group DB Max Cache Size

Description

Specifies the maximum cache size of the group database.

Syntax

Integer number

Tips

As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage.

See Also

User DB Max Cache Size

LDAP Bind DN

Description

Specifies a DN used to bind to the server. If the LDAP server requires authentication, a bind DN and password must be specified. If not specified, anonymous bind will be used.

Syntax

string

See Also

LDAP Bind Password

LDAP Bind Password

Description

Specifies a password used to bind to the server. If the LDAP Server requires authentication, a bind DN and password must be specified.

Syntax

string

See Also

LDAP Bind DN