WebAdmin Security Tips
Recently we’ve had some reports of brute force attacks on LiteSpeed WebAdmin Console. So we thought it would be a good time to share our WebAdmin Security tips. Here are five things you can do to protect your WebAdmin Console and give yourself more peace of mind:
- Verify the Administrator Email
- Restrict access via the Allowed List
- Change the Listener Port
- Set a strong password
- Obtain a CA-signed SSL certificate
Let’s look at each of those steps in more detail.
Verify the Administrator Email
First things first: it’s crucial that your Administrator email is configured correctly. This email address is used to keep you informed about important events such as:
- Failed login attempts to WebAdmin Console
- LiteSpeed Web Server crashes
- License expiration
To verify that your admin email address is correct, navigate to Configuration > Server > General > General Settings section and check the Administrator Email setting.
This field accepts a comma-delimited list, in case you want admin alerts to go to multiple people. For example:
me@example.com, him@example.com, her@example.com, them@example.com
If you update this field, click Save and then perform a Graceful Restart to apply your changes.
Restrict access via the Allowed List
One very effective way to avoid brute force login attacks is to prevent attackers from reaching your server login page in the first place. You can do this through the Allowed List.
Your own IP address should be added to that list first. If you have a fixed IP address, you can add it directly. If you don’t have a fixed IP address, we recommend that you set up VPN access with a fixed IP, and then add that fixed IP to the Allowed List.
To add IP addresses to the Allowed List, navigate to Web Console > General > Security > Access Control. Click the Edit link and set the Denied List to all. In the Allowed List field, type in a comma-separated list of the IP addresses allowed to access the WebAdmin Console. Click Save and then perform a Graceful Restart to apply your changes.
To test if the configuration is working as expected, try connecting to your WebAdmin Console from a public IP address that is not listed in the Allowed List. If access control is set up correctly, you will see a 403 Forbidden error message.
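The most common failure mode of this step is locking yourself out: saving a Denied List of all with an Allowed List that does not cover the address you are connecting from. The following pre-flight check is an added example, not code from the original post or from LiteSpeed; it assumes the fields accept single IPs and CIDR blocks plus the keyword all, and that an Allowed List match takes precedence over the Denied List (which is what the post's "Denied = all, Allowed = my IPs" setup implies).

```python
import ipaddress

# Constructed sample field values, not taken from the original post.
ALLOWED_FIELD = "203.0.113.10, 198.51.100.0/24"
DENIED_FIELD = "all"


def parse_field(field):
    """Turn a comma-separated Access Control field into a list of networks.
    Assumed syntax: single IPs and CIDR blocks, plus the keyword 'all'."""
    nets = []
    for entry in (e.strip() for e in field.split(",")):
        if not entry:
            continue
        if entry.lower() == "all":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            # strict=False accepts host addresses such as 203.0.113.10 as /32 networks
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_allowed(client_ip, allowed_field, denied_field):
    """Decide whether client_ip may reach the WebAdmin login page.
    Assumed precedence: an Allowed List match wins; otherwise a Denied List
    match blocks; an address in neither list is let through."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in parse_field(allowed_field)):
        return True
    return not any(ip in net for net in parse_field(denied_field))


def preflight(admin_ip, allowed_field, denied_field):
    """Return the problems that would lock you out once the settings are saved.
    admin_ip is the address you administer the server from (fixed IP or VPN exit)."""
    problems = []
    if not parse_field(allowed_field):
        problems.append("Allowed List is empty")
    if not is_allowed(admin_ip, allowed_field, denied_field):
        problems.append(f"your own address {admin_ip} would be denied")
    return problems


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        print(ip, "allowed" if is_allowed(ip, ALLOWED_FIELD, DENIED_FIELD) else "denied (403)")
    print("pre-flight problems:", preflight("192.0.2.5", ALLOWED_FIELD, DENIED_FIELD))
```

Run it with your own current address before clicking Save; an empty result means the Allowed List covers you and the Denied List of all will only affect everyone else.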
Change the Listener Port
The standard way to access the WebAdmin Console for your domain is by visiting https://example.com:7080 (or https://example.com:7088 in a Plesk environment). This is the place that attackers would expect to find your LSWS admin. You can effectively “hide” your WebAdmin Console by changing the listener Port to a custom value.
Navigate to Web Console > Listeners > Action. Find the listener called adminListener and edit it. Set Port to any unused number between 1024 and 65535. Click Save.
Adjust your firewall settings to allow the new port, if necessary, and then perform a Graceful Restart to apply your changes.
TIP: You may choose to always keep the new port blocked at the firewall until you need it. You would have to update your firewall config every time you wanted to use the WebAdmin Console, but you would be guaranteed nobody else can access it in the meantime.
Set a strong password
We highly recommend that you set a strong password for the WebAdmin Console. You can use a password generator such as Avast to create a secure password. We recommend a password that is at least 8 characters long, contains mixed capitalization, numbers, and special characters.
If multiple admins need to access this server, it’s best to set up an account for each admin. Do not share passwords.
To update your password, navigate to Web Console > General > Security > WebAdmin Users, and edit your user. Enter your old WebAdmin Console password. Type or paste the new password into the New Password and Retype Password fields. Click Save to apply the changes.
Obtain a CA-Signed SSL certificate
Our final recommendation is to obtain an SSL certificate from a Certificate Authority (or CA), instead of using the default self-signed certificate. This will ensure that you always access the console using a secure HTTPS connection verified by an SSL certificate authority.
Obtain a certificate from the CA of your choice. They will provide the following three files:
- private.key
- certificate.crt
- ca_bundle.crt
Copy these files to the /usr/local/lsws/admin/conf/cert directory.
Change the owner of the files to lsadm, like so:
chown -R lsadm:lsadm /usr/local/lsws/admin/conf/cert/*
Return to the WebAdmin Console, navigate to the adminListener listener, and click Edit. Set Secure to Yes. Navigate to SSL and click Edit. Set the following:
- Private Key = /usr/local/lsws/admin/conf/cert/private.key
- Certificate = /usr/local/lsws/admin/conf/cert/certificate.crt
- Chained Certificate = Yes
- CA Certificate Path = /usr/local/lsws/admin/conf/cert/
- CA Certificate File = /usr/local/lsws/admin/conf/cert/ca_bundle.crt
Click Save and then perform a Graceful Restart to apply your changes.
Conclusion
We hope that implementing these tips will give you some peace of mind. If you’d like to see these suggestions demonstrated, have a look at our recent YouTube video:
For more information about LiteSpeed WebAdmin Console, please see the documentation.