Making the switch from Apache to OpenLiteSpeed. What should I know? (i.e., how to block brute force attacks)

#1
I'm finally ready to make the switch from Apache to OpenLiteSpeed (I recently moved to a server with DirectAdmin and it makes it seem so easy).

But before I pull the trigger I wanted to ask the community with way more experience than me: What should I know? What should I prepare for right from the start?

I mean, I know for example that Apache directives are not supported, so how will I fight wp-login/xmlrpc attacks now? What do you guys use?

I see OLS uses captcha as an alternative. Do you guys recommend it?

TIA
 

Colcol

New Member
#2
I mean, I know for example that Apache directives are not supported, so how will I fight wp-login/xmlrpc attacks now? What do you guys use?

A useful link: https://openlitespeed.org/kb/access-control/

RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule ^test/.*$ - [F,L]

This seems to work for me:

RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule wp-login.php$ - [F,L]

Gives a 403 to any IP visiting wp-login.php that is not 123.123.123.123 (alter for your IP of course).

I am not sure how to allow multiple IPs in the Rewrite.

I now notice my Rewrite does not have a ^ before wp-login (unlike ^test above). But another example in that link -- RewriteRule xmlpc.php$ - [F,L] -- does not have the ^ either. Not sure what the ^ represents.

I have set up the same for xmlrpc, too:

RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule xmlrpc.php$ - [F,L]

Would be useful to learn more about blocking brute force attacks from more seasoned OLS users.
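
The two open points in the reply above (what `^` does, and how to allow more than one IP), as an added example that is not part of either post: a small Python model of how one mod_rewrite-style `[F]` rule is evaluated. It assumes standard mod_rewrite semantics (patterns are unanchored regex searches, consecutive RewriteCond lines are ANDed); the helper names, `STRICT_RULE`, and the addresses 203.0.113.7, 198.51.100.9 and 10.0.0.x are constructed for illustration.

```python
import re

POST_RULE = r"wp-login.php$"        # RewriteRule pattern as posted above
STRICT_RULE = r"^/?wp-login\.php$"  # assumption: WordPress lives at the site root
ALLOWED = ["123.123.123.123", "203.0.113.7"]  # constructed allowlist


def allowlist_conds(ips):
    """One negated, fully anchored RewriteCond pattern per allowed address."""
    return ["!^" + re.escape(ip) + "$" for ip in ips]


def is_forbidden(path, remote_addr, conds, rule):
    """Model one [F] rule: 403 only if the rule pattern matches the path AND
    every RewriteCond is true (conditions are ANDed unless flagged [OR])."""
    if re.search(rule, path) is None:
        return False
    for cond in conds:
        negated = cond.startswith("!")
        matched = re.search(cond.lstrip("!"), remote_addr) is not None
        if matched == negated:  # this condition is false, so the rule is skipped
            return False
    return True


def render(conds, rule):
    """Emit the directives in the syntax used in the thread."""
    lines = ["RewriteCond %{REMOTE_ADDR} " + c for c in conds]
    return "\n".join(lines + ["RewriteRule " + rule + " - [F,L]"])


if __name__ == "__main__":
    conds = allowlist_conds(ALLOWED)
    print(render(conds, STRICT_RULE))
    stranger = "198.51.100.9"  # constructed client address
    for path in ("wp-login.php", "blog/wp-login.php", "old/my-wp-loginXphp"):
        print(path, is_forbidden(path, stranger, conds, POST_RULE),
              is_forbidden(path, stranger, conds, STRICT_RULE))
    # Without a trailing $, an allow pattern for 10.0.0.1 also lets 10.0.0.15 through.
    print(is_forbidden("wp-login.php", "10.0.0.15", [r"!^10\.0\.0\.1"], STRICT_RULE))
```

Without `^` the posted pattern matches any path that ends in the string, so it also covers a WordPress copy in a subdirectory; the anchored form only covers the root, so pick the one that matches the install layout.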
 