• Resolved nicksloan

    (@nicksloan)


    Hi,
    On recently changing my hosting to a new host with a LiteSpeed server (and installing LiteSpeed Cache), I received the standard WordFence alert advising me to edit my .htaccess file with the Litespeed noabort section.

    Before making the change I ran it past the host support team who said:

    I’ve taken a closer look at WordFence’s advice. It seems a bit extreme, as it would completely disable a feature of LiteSpeed which prevents certain types of DoS attack (and other wasting of system resources).

    There is probably a middle-ground that would achieve what they want, without completely disabling the feature, but I am unsure of how Wordfence works, so I can’t be sure what that would be.

    [# BEGIN…]
    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Exempt WP-Cron from LiteSpeed's long-request abort
    RewriteRule ^wp-cron.php$ - [E=noabort:1]
    # Exempt wp-admin requests only when a logged-in cookie is present
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin
    RewriteCond %{HTTP_COOKIE} ^.*wordpress_logged_in_.*$
    RewriteRule .* - [E=noabort:1]
    </IfModule>
    [# END…]

    You could either add the above to the website’s .htaccess file, and hope that it works,
    or you could try contacting Wordfence themselves to see if they think the above would work.

    It seems odd to me that nobody here (as far as I can tell) has raised the question of security issues. Any thoughts on the above comment and proposed solution?

    • This topic was modified 7 years, 2 months ago by nicksloan.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi @nicksloan,

    I’ve looked over the snippet they suggested, and it will work with Wordfence.

    However, if you use any other plugins that require an extended amount of time to run, LiteSpeed may terminate those processes.

    It’s important to note that the type of attack they are preventing is only possible when your server has a vulnerable endpoint.

    Let me provide an example:

    Suppose you have a script that searches through your database:

    /search.php?term=something&max_results=100

    You search for something and it will at most return 100 results. Seems OK, but if an attacker were to visit:

    /search.php?term=something&max_results=1000000000000

    Your server might take an enormous amount of time to generate that result, using up a lot of resources.

    This is where their LiteSpeed abort system would kick in. They will see that search.php is taking a long time to finish, so they just terminate the script.

    I think it’s a fine system, but you will need to make sure that no other plugins run long scripts, or else they just won’t work.

    I’d recommend running with the htaccess they provided to see if there are any conflicts.

    Dave
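
    To see exactly which requests the host's snippet exempts from LiteSpeed's abort protection, here is an added example (not from this thread or from Wordfence) that models its three rewrite rules in Python. It is a literal model of the regexes, not a mod_rewrite implementation, and the sample requests and cookie values are constructed.

```python
import re

# Constructed model of the three rules in the host's .htaccess snippet. It
# mirrors the regexes literally but is not an Apache/LiteSpeed mod_rewrite
# implementation, so engine edge cases (RewriteBase, other modules) are not
# reproduced.
RULE_CRON = re.compile(r"^wp-cron.php$")          # RewriteRule ^wp-cron.php$ - [E=noabort:1]
COND_ADMIN = re.compile(r"^(.*)?wp-admin")         # RewriteCond %{REQUEST_URI} ^(.*)?wp-admin
COND_COOKIE = re.compile(r"^.*wordpress_logged_in_.*$")  # RewriteCond %{HTTP_COOKIE} ...


def noabort_applies(request_uri: str, cookie_header: str = "") -> bool:
    """True if the snippet would set E=noabort:1, i.e. LiteSpeed would not
    terminate this request for running too long."""
    # %{REQUEST_URI} carries the path only; the query string is separate.
    path = request_uri.split("?", 1)[0]
    # In a per-directory .htaccess the RewriteRule pattern is tested against
    # the path relative to that directory, hence without the leading slash.
    if RULE_CRON.match(path.lstrip("/")):
        return True
    # Both RewriteConds must hold for the final "RewriteRule .*" to fire.
    # The cookie condition checks only that a wordpress_logged_in_* cookie is
    # present, not that it is valid, so the wp-admin exemption is a
    # convenience for admin sessions rather than an authentication boundary.
    return bool(COND_ADMIN.match(path) and COND_COOKIE.match(cookie_header))


def still_abortable(request_uri: str, cookie_header: str = "") -> bool:
    """The complement: requests LiteSpeed's abort protection still covers,
    such as Dave's search.php example."""
    return not noabort_applies(request_uri, cookie_header)


if __name__ == "__main__":
    # Constructed sample requests, including Dave's search.php case.
    samples = [
        ("/wp-cron.php?doing_wp_cron=1", ""),
        ("/wp-admin/admin-ajax.php", "wordpress_logged_in_abc123=admin%7C1; wp-settings-1=x"),
        ("/wp-admin/admin-ajax.php", ""),
        ("/search.php?term=something&max_results=1000000000000", ""),
    ]
    for uri, cookie in samples:
        print(f"{uri!r:58} noabort={noabort_applies(uri, cookie)}")
```

    Running it shows that only WP-Cron and cookie-bearing wp-admin requests lose the abort protection; a front-end endpoint like search.php stays covered, which is the middle ground the host described.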

    Thread Starter nicksloan

    (@nicksloan)

    Thanks Dave,
    I’ll try that and report back if I have any issues
    Nick


The topic ‘LiteSpeed, noabort and security implications’ is closed to new replies.