usmannasir / cyberpanel

Cyber Panel - The hosting control panel for OpenLiteSpeed
GNU General Public License v3.0

Add "limit failed login" to prevent brute-force attacks #892

Open hadi060 opened 2 years ago

hadi060 commented 2 years ago

I suggest adding a "limit failed logins" feature as an additional layer of security to easily prevent brute-force attacks, as there is currently no such limit on the CyberPanel login page.

lsthompson commented 2 years ago

Have you installed CSF+LFD? I'd imagine this should work out-of-the-box.

They finalised the proper version of the CyberPanel integration a while back.

hadi060 commented 2 years ago

No, as I'm using the default firewall, and I think the limit failed login feature will be a great addition to CyberPanel. Is LFD available in CyberPanel?

lsthompson commented 2 years ago

LFD is part of CSF (ConfigServer Firewall). Under "Security" in the left-hand menu, click "CSF" then Install it.

I'd imagine that it would have brute force protections available/enabled within the default configuration.

Let us know how you get on once that's running, so we can help if you're still worried about it!

hadi060 commented 2 years ago

Thank you. In fact, I posted this issue after @usmannasir asked me to do it, so he will add it to v2.3.2, as most users are using the default firewall, so it will be a very good addition to it.

lsthompson commented 2 years ago

That sounds good. It'd be great to see CSF+LFD getting more of a default positioning, it's nice and flexible.

It sounds like a few nice features are coming with v2.3.2!

nickchomey commented 2 years ago

This is a bit out of the scope of this issue/pr, but I've been working with the crowdsec.net team to get their modern, crowdsourced fail2ban alternative working with litespeed.

https://hub.crowdsec.net/author/crowdsecurity/collections/litespeed

So far they've made a parser to work with the 7080 web admin, but surely can also make one for 8090.

It just works by reading and parsing logs and then presents a captcha and eventually a ban. The banned IPs sync with a global database for everyone to benefit from.

They also have a WordPress bouncer that works for wp login. And it works for ssh, and really any other interface. It really is the future of this sort of brute force security. And it's all open-source.

usmannasir commented 2 years ago

@nickchomey how can they present a captcha, is it by editing conf files?

nickchomey commented 2 years ago

@usmannasir I'm really not sure how any of it works. I think the captcha needs to be specifically coded for an interface, so is only working for the wordpress bouncer and a few others right now. It would surely need a bit of customization to work for the Cyberpanel login screen. But the brute force protection should be able to work with a tiny bit of work to make a parser for the access log.

I'm still testing out the litespeed admin and WordPress tools, but am in direct contact with their team. They're eager for any collaboration, particularly with hosts and control panels. I'm happy to connect you if you would like to work together?

As I said, this really seems to be the perfect solution for this issue and many others. And it's simple to install - just a single cli command.

usmannasir commented 2 years ago

OK. You need to keep in mind that CyberPanel works through lscpd and it does not have any config file, everything is coded into LSCPD binary.

If it can still work, let me know.

nickchomey commented 2 years ago

Ok. I'll help them test out what exists already (OLS webadmin parser) and then create an issue here for some sort of Cyberpanel parser/integration that hopefully you guys can figure out one way or another. The captcha is less important than the crowdsourced brute force protection.

usmannasir commented 2 years ago

thanks

CassMel commented 2 years ago

Hello all, just to add a little bit of info on this: CSF+LFD are working great on Cyberpanel. By default, it blocks only the default protocols, like SSH and FTP, by using the default OS log files.

But there is more! It offers the Custom Regex solution. I have been using it successfully with custom regex rules for blocking brute force attacks on wp-login, woo-account, contact-form-7 submissions, ddos-alike add to wishlist, OpenLiteSpeed Webadmin brute force attacks, etc. It really works.

To use custom regex with CSF+LFD do the following:

1) Find your desired access.log files from the Openlitespeed Webadmin. You can add Website access logs (VHosts->YourWebsite->Logs->Access Log), Openlitespeed Webadmin access log (Webadmin->General->Access log), etc.
2) Connect to your server via SSH.
3) Locate the csf.conf file.
4) Almost at the end of the file, there is a section with CUSTOMx_LOG variables. Replace them with your desired access.log files from step 1.
5) Locate regex.custom.pm in the CSF directory and add your desired regex rules:

```perl
# Example 1: WP Login brute force
# Return values: (message, offending IP, app name, trigger level, ports, block duration; "1" = permanent)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+)\s-\s-.*POST \/wp-login.php HTTP.* 200/)) {
    return ("WPLogAttk",$1,"wplogin","5","","1");
}

# Example 2: Openlitespeed Web admin brute force
if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^(\S+)\s-\s-.* "POST \/login.php HTTP\/2" 200/)) {
    return ("OLSwebadmn",$1,"olswebadmn","4","","1");
}

# Example 3: Cyberpanel Dashboard brute force (temporary block of 3600 seconds)
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^(\S+)\s-\s-.* "POST \/verifyLogin HTTP.* 200.*:8090/)) {
    return ("CyberpWebAdmn",$1,"cbwebadmn","4","","3600");
}
```

6) After replacing the variables with the new paths, restart CSF+LFD with "csf -ra".

At the initial writing of the article, I hadn't even noticed that Cyberpanel brute force protection is also available; it was added after the edit!

In any case, Cyberpanel is awesome by default, and these are just refinings for those of us who take it a step further :)

Regards!
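As an added check that is not part of the thread, CSF or CyberPanel: a Python port of the three regex rules above, run against constructed access-log lines to confirm which lines each rule matches and which IPs would reach the LFD trigger level. The log format, IPs and the `.*` wildcards (restored from the markdown-flattened Perl) are assumptions.

```python
import re
from collections import Counter

# Python ports of the Perl rules from the comment above; trigger levels taken from each rule's return value.
RULES = [
    ("wplogin",    re.compile(r'^(\S+)\s-\s-.*POST /wp-login\.php HTTP.* 200'), 5),
    ("olswebadmn", re.compile(r'^(\S+)\s-\s-.* "POST /login\.php HTTP/2" 200'), 4),
    ("cbwebadmn",  re.compile(r'^(\S+)\s-\s-.* "POST /verifyLogin HTTP.* 200.*:8090'), 4),
]


def classify(line):
    """Return (rule_name, client_ip) for the first rule that matches a log line, else None."""
    for name, pattern, _ in RULES:
        m = pattern.match(line)
        if m:
            return name, m.group(1)
    return None


def offenders(lines):
    """Count hits per (rule, ip) and return only those at or above the rule's trigger level."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result:
            hits[result] += 1
    level = {name: lvl for name, _, lvl in RULES}
    return {key: n for key, n in hits.items() if n >= level[key[0]]}


def _line(ip, request, status, referer):
    # Constructed OpenLiteSpeed-style access-log line (assumed format; documentation IP ranges).
    return f'{ip} - - [10/Oct/2023:12:00:00 +0000] "{request}" {status} 57 "{referer}" "Mozilla/5.0"'


PANEL = "https://panel.example.com:8090/"
SAMPLE_LOG = (
    [_line("203.0.113.5", "POST /verifyLogin HTTP/1.1", 200, PANEL)] * 4   # reaches level 4
    + [_line("198.51.100.7", "POST /verifyLogin HTTP/1.1", 200, PANEL),     # one hit, below level
       _line("198.51.100.7", "GET /verifyLogin HTTP/1.1", 200, PANEL),      # GET: no rule matches
       _line("192.0.2.9", "POST /wp-login.php HTTP/2", 302, "https://blog.example.com/wp-login.php")]  # 302, not 200
)

if __name__ == "__main__":
    for key, count in offenders(SAMPLE_LOG).items():
        print(f"rule={key[0]} ip={key[1]} hits={count}")
```

Because the rules key on a 200 response to the POST, a panel that answers failed logins with a redirect or another status would need the pattern adjusted before the trigger level ever fires.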