WebAdmin Security Tips

LiteSpeed WebAdmin Security Tips

Recently we’ve had some reports of brute force attacks on the LiteSpeed WebAdmin Console. So we thought it would be a good time to share our WebAdmin security tips. Here are five things you can do to protect your WebAdmin Console and give yourself more peace of mind:

  • Verify the Administrator Email
  • Restrict access via the Allowed List
  • Change the Listener Port
  • Set a strong password
  • Obtain a CA-signed SSL certificate

Let’s look at each of those steps in more detail.

Verify the Administrator Email

First things first: it’s crucial that your Administrator email is configured correctly. This address is where the server sends its alerts, and a failed-login alert is usually the first sign that someone is brute forcing the console. It is used to keep you informed about important events such as:

  • Failed login attempts to WebAdmin Console
  • LiteSpeed Web Server crashes
  • License expiration

To verify that your admin email address is correct, navigate to Configuration > Server > General > General Settings section and check the Administrator Email setting.

This field accepts a comma-delimited list, in case you want admin alerts to go to multiple people. For example:

me@example.com, him@example.com, her@example.com, them@example.com

If you update this field, click Save and then perform a Graceful Restart to apply your changes.

Restrict access via the Allowed List

The most effective way to stop brute force login attacks is to prevent attackers from reaching the login page in the first place. You can do this through the Allowed List. Unlike a strong password, which only makes guessing slower, an IP restriction means unwanted clients never get to submit a guess at all.

Your own IP address must be added to that list first. If you have a fixed IP address, you can add it directly. If you don’t have a fixed IP address, we recommend that you set up VPN access with a fixed IP, and then add that VPN address to the Allowed List.

To add IP addresses to the WebAdmin Console, navigate to Web Console > General > Security > Access Control. Click the Edit link and set the Denied List to ALL. In the Allowed List field, type in a comma-separated list of the IP addresses allowed to access the WebAdmin Console. Before you click Save, double-check that the address you are currently connecting from is in the Allowed List: with the Denied List set to ALL, any address that is not explicitly allowed is refused, including yours. It is also wise to keep an SSH session open until you have confirmed you can still log in. Click Save and then perform a Graceful Restart to apply your changes.

To test that the configuration is working as expected, try connecting to your WebAdmin Console from a public IP address that is not in the Allowed List (a phone on mobile data, or curl from another host, works well). If access control is set up correctly, you will get a 403 Forbidden response instead of the login page.
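The following script is an added example, not code from LiteSpeed or from this post: it models the Allowed List / Denied List decision described above and adds the lock-out check you want to run before saving. The sample lists and addresses are constructed for the example; `SSH_CLIENT` is read only so that, when you run it on the server over SSH, it uses the address you actually came from. It assumes, as the procedure itself does, that an address matching the Allowed List is admitted even when the Denied List is ALL, and it accepts plain addresses and CIDR ranges (check the LSWS documentation for the exact syntax the Access Control fields accept; the point here is the decision logic and the guard).

```python
import ipaddress
import os

# Sample values constructed for this example (not from a real server).
ALLOWED_LIST = "127.0.0.1, 203.0.113.10, 198.51.100.0/24"
DENIED_LIST = "ALL"


def parse_list(value):
    """Split a comma-delimited Access Control value into network objects.
    The keyword ALL (any case) is kept as the string 'ALL'."""
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.upper() == "ALL":
            entries.append("ALL")
        else:
            # strict=False so that 198.51.100.7/24 is read as 198.51.100.0/24
            entries.append(ipaddress.ip_network(item, strict=False))
    return entries


def _matches(ip, entries):
    # ip in network is False for mismatched IPv4/IPv6 versions, no error
    return any(entry == "ALL" or ip in entry for entry in entries)


def is_allowed(client_ip, allowed=ALLOWED_LIST, denied=DENIED_LIST):
    """Model of the console's decision (assumption: Allowed List entries take
    precedence over a Denied List of ALL, which is what the Denied=ALL plus
    Allowed=my-IPs procedure relies on). Anything not explicitly allowed is
    admitted only if it matches no Denied List entry."""
    ip = ipaddress.ip_address(client_ip)
    if _matches(ip, parse_list(allowed)):
        return True
    return not _matches(ip, parse_list(denied))


def lockout_risk(allowed, my_ip):
    """None if my_ip is covered by the Allowed List, otherwise a warning.
    Run this BEFORE saving a Denied List of ALL."""
    if is_allowed(my_ip, allowed, "ALL"):
        return None
    return f"{my_ip} is not in the Allowed List; saving Denied=ALL would lock you out"


if __name__ == "__main__":
    # Over SSH, $SSH_CLIENT begins with the address you connected from.
    my_ip = os.environ.get("SSH_CLIENT", "203.0.113.10").split()[0]
    print(lockout_risk(ALLOWED_LIST, my_ip) or f"{my_ip} is covered, safe to apply")
    for probe in ("203.0.113.10", "198.51.100.77", "192.0.2.1"):
        print(probe, "-> login page" if is_allowed(probe) else "-> 403 Forbidden")
```

Run it on the server itself over SSH before you save the new lists; if it warns, add the printed address (or your VPN’s fixed address) to the Allowed List first.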

Change the Listener Port

The standard way to access the WebAdmin Console for your domain is by visiting https://example.com:7080 (or https://example.com:7088 in a Plesk environment). This is the place attackers expect to find your LSWS admin, and it is what automated scanners probe. You can “hide” your WebAdmin Console by changing the listener port to a custom value. Keep in mind that this is obscurity, not access control: it cuts the noise from opportunistic scans, but a port scan will still find the listener, so treat it as a complement to the Allowed List rather than a replacement for it.

Navigate to Web Console > Listeners and, in the Action column, edit the listener called adminListener. Set Port to any unused number between 1024 and 65535 (you can check that nothing else is listening on it with ss -ltn or netstat -ltn). Click Save.

Adjust your firewall settings to allow the new port, if necessary, and then perform a Graceful Restart to apply your changes. Don’t forget to remove the old port from your firewall rules. If you ever lock yourself out (a port you forgot to open, or your own address missing from the Allowed List), you still have shell access: the WebAdmin settings live under /usr/local/lsws/admin/conf/ and can be corrected there before the next restart.

TIP: You may choose to keep the new port blocked at the firewall until you need it. You would have to update your firewall config every time you wanted to use the WebAdmin Console, but as long as the rule is in place nobody else can reach it. A less disruptive variant is to open the port only to your admin IP addresses at the firewall, which gives you a second, independent layer on top of the Allowed List.
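The following script is an added example, not LiteSpeed code: it is the check behind “any unused number between 1024 and 65535”. It rejects privileged or out-of-range ports and the two documented defaults, and it tests whether something on this machine already holds the port by trying to bind it. The demo function, which occupies an ephemeral port and validates it before and after releasing it, is constructed for the example so the logic can be exercised without a real server.

```python
import socket

# The two defaults named in this post (stock LSWS and Plesk).
DEFAULT_ADMIN_PORTS = {7080, 7088}


def port_is_free(port, host="0.0.0.0"):
    """True if nothing on this machine is listening on the port.
    A throwaway socket is bound without SO_REUSEADDR, so an existing
    listener on any interface makes the bind fail with EADDRINUSE."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def validate_admin_port(port):
    """Reasons the port is a poor choice for adminListener; [] means OK."""
    problems = []
    if not 1024 <= port <= 65535:
        problems.append("port must be between 1024 and 65535")
    elif port in DEFAULT_ADMIN_PORTS:
        problems.append("this is a default WebAdmin port, attackers try it first")
    elif not port_is_free(port):
        problems.append("something is already listening on this port")
    return problems


def demo_busy_then_free():
    """Constructed demo: hold an ephemeral port, validate it while held,
    release it, validate again. Returns both result lists."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as busy:
        busy.bind(("0.0.0.0", 0))  # kernel picks a free high port
        busy.listen(1)
        port = busy.getsockname()[1]
        while_busy = validate_admin_port(port)
    after_release = validate_admin_port(port)
    return while_busy, after_release


if __name__ == "__main__":
    for candidate in (80, 7080, 70000, 48213):
        print(candidate, validate_admin_port(candidate) or "OK")
    print("demo:", demo_busy_then_free())
```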

Set a strong password

We highly recommend that you set a strong password for the WebAdmin Console. Use a password generator (Avast offers one, as do most password managers) rather than inventing one yourself. Eight characters with mixed case, digits and symbols is the bare minimum; for an account that controls the whole web server we recommend a long, randomly generated password of 16 characters or more, stored in a password manager so you never need to remember it.

If multiple admins need to access this server, it’s best to set up an account for each admin. Do not share passwords.

To update your password, navigate to Web Console > General > Security > WebAdmin Users, and edit your user. Enter your old WebAdmin Console password. Type or paste the new password into the New Password and Retype Password fields. Click Save to apply the changes. If you have lost the password altogether, you can reset it from a shell on the server with /usr/local/lsws/admin/misc/admpass.sh.

Obtain a CA-Signed SSL certificate

Our final recommendation is to obtain an SSL certificate from a Certificate Authority (CA), instead of using the default self-signed certificate. The console is already served over HTTPS with the self-signed certificate, so the traffic is encrypted either way; what a CA-signed certificate adds is that your browser can verify it is talking to your server. With a self-signed certificate you get used to clicking through the warning, and then a certificate swapped in by someone intercepting the connection looks exactly the same.

Generate a private key and a certificate signing request (CSR), submit the CSR to the CA of your choice, and they will return your certificate together with their intermediate chain. You end up with three files:

  • private.key
  • certificate.crt
  • ca_bundle.crt

Copy these files to the /usr/local/lsws/admin/conf/cert directory.

Change the owner of the files to lsadm (the unprivileged user the WebAdmin process runs as), like so:

chown -R lsadm:lsadm /usr/local/lsws/admin/conf/cert/*

Make sure the private key is readable only by its owner (mode 0600); the certificate and bundle are public, but the key must not be.

Return to the WebAdmin Console, navigate to the adminListener listener, and click Edit. Set Secure to Yes. Navigate to SSL and click Edit. Set the following:

  • Private Key = /usr/local/lsws/admin/conf/cert/private.key
  • Certificate = /usr/local/lsws/admin/conf/cert/certificate.crt
  • Chained Certificate = Yes
  • CA Certificate Path = /usr/local/lsws/admin/conf/cert/
  • CA Certificate File = /usr/local/lsws/admin/conf/cert/ca_bundle.crt

Click Save and then perform a Graceful Restart to apply your changes. A mismatched key, an incomplete chain or a certificate for the wrong hostname will only show up as a broken admin listener after the restart, so it pays to check the three files before you restart.
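The following script is an added example, not LiteSpeed code: it performs the pre-restart check on the three files using only Python’s standard ssl module. It loads the certificate and private key together (which fails if they don’t belong to each other), concatenates the certificate and ca_bundle.crt the way the listener sends them with Chained Certificate = Yes, and then runs a TLS handshake entirely in memory against a client that trusts this machine’s system root store, which is a reasonable stand-in for a browser. The hostname argument is the name you type into the URL; the default paths are the ones used in the steps above.

```python
import os
import ssl
import tempfile

CERT_DIR = "/usr/local/lsws/admin/conf/cert"  # directory used in the steps above


def _handshake(server_ctx, client_ctx, hostname):
    """TLS handshake between two in-memory endpoints (no listener, no network).
    Raises ssl.SSLError if the client rejects the server's certificate."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_done = server_done = False
    for _ in range(10):  # a TLS 1.3 handshake needs only a couple of round trips
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
        s_in.write(c_out.read())  # ship client bytes to the server
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
        c_in.write(s_out.read())  # ship server bytes to the client
        if client_done and server_done:
            return
    raise ssl.SSLError("handshake did not complete")


def check_admin_tls(cert_file=f"{CERT_DIR}/certificate.crt",
                    key_file=f"{CERT_DIR}/private.key",
                    ca_bundle=f"{CERT_DIR}/ca_bundle.crt",
                    hostname="example.com"):
    """Problems with the files about to be configured on adminListener.
    [] means: key matches certificate, chain validates against the system
    trust store, and the certificate is valid for hostname."""
    problems = [f"missing file: {p}" for p in (cert_file, key_file, ca_bundle)
                if not os.path.isfile(p)]
    if problems:
        return problems

    # Leaf certificate first, then the CA chain: what the listener sends
    # when Chained Certificate = Yes.
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as chain:
        for path in (cert_file, ca_bundle):
            with open(path) as f:
                chain.write(f.read().rstrip("\n") + "\n")
    try:
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            server_ctx.load_cert_chain(chain.name, key_file)  # fails on key mismatch
        except ssl.SSLError as e:
            return [f"certificate/private key problem: {e}"]
        client_ctx = ssl.create_default_context()  # system roots, like a browser
        try:
            _handshake(server_ctx, client_ctx, hostname)
        except ssl.SSLError as e:
            problems.append(f"clients would reject this listener: {e}")
    finally:
        os.unlink(chain.name)
    return problems


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(check_admin_tls(hostname=host) or "all checks passed")
```

Run it as root (or as lsadm, once the key is owned by lsadm and mode 0600) with your real hostname as the argument; an empty result means the listener will come back up with a certificate browsers accept.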

Conclusion

We hope that implementing these tips will give you some peace of mind. If you’d like to see these suggestions demonstrated, have a look at our recent YouTube video.

For more information about LiteSpeed WebAdmin Console, please see the documentation.

