

ConfigServer Security & Firewall (CSF) LiteSpeed Configuration

If you're using ConfigServer Security & Firewall (CSF), you have to make a few changes to the CSF configuration. This guide explains the changes that need to be made.

Since LiteSpeed Web Server release 5.3.6, we moved /tmp/lshttpd to /dev/shm to decrease disk I/O. To keep existing configurations from breaking, we introduced a symlink from the original location.

However, this can cause alerts from CSF/LFD such as this:

Time:   Wed Feb 13 06:05:29 2019 +0100
File:   /tmp/lshttpd/.rtreport
Reason: Suspicious symlink (->/dev/shm/lsws/lshttpd/status/.rtreport)
Owner:  nobody:nobody (99:99)
Action: No action taken

To stop this alert, add /tmp/lshttpd/\.rtreport.* to /etc/csf/csf.fignore.

Make sure to restart csf afterward using csf -ra

Prevent lsphp alert from lfd

Depending on your settings or the amount of traffic your customers receive, you can easily end up with lsphp processes that run for a long time. This happens because we spawn a parent lsphp process per vhost or customer. This process is used for, e.g., shared memory for opcache, and it is kept alive so that traffic can be handled more quickly (we skip the startup delay).

However, this can trigger some lfd alerts such as the one below:

Time:         Tue Feb 12 16:33:02 2019 +0100
Account:      XXXXXXXX
Resource:     Process Time
Exceeded:     64846 > 43200 (seconds)
Executable:   /opt/cpanel/ea-php56/root/usr/bin/lsphp
Command Line: lsphp
PID:          14899 (Parent PID:14899)
Killed:       No

We can prevent this by adding pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.* to /etc/csf/csf.pignore.

Make sure to restart csf afterward using csf -ra

Prevent lshttpd alert from lfd

The lshttpd binary is unknown to lfd, so you can also receive alerts like this:

Time:    Tue Feb 12 19:03:40 2019 +0100
PID:     13751 (Parent PID:13739)
Account: nobody
Uptime:  21627 seconds

Executable:
/usr/local/lsws/bin/lshttpd.5.3.1

Command Line (often faked in exploits):
litespeed (lshttpd - #01)

Network connections by the process (if any):
tcp: xx.xx.xx.xx:80 -> xx.xx.xx.xx:4007

We can prevent this by adding pexe:/usr/local/lsws/bin/lshttpd.* to /etc/csf/csf.pignore.

Make sure to restart csf afterward using csf -ra
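
The three ignore rules above can be installed in one repeatable step and checked against the paths shown in the sample alerts. This is an added example, not part of the original guide or of LiteSpeed's or CSF's own tooling; the function names are hypothetical, and rule_covers assumes lfd applies each rule as a regex over the whole path, which grep -E with ^...$ approximates.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# Append ENTRY to FILE unless that exact line is already present, so the
# script can be re-run without duplicating rules.
add_ignore_entry() {
    file=$1
    entry=$2
    if [ -f "$file" ] && grep -Fxq -- "$entry" "$file"; then
        return 0
    fi
    # If the file does not end in a newline, add one so the new rule is
    # not glued onto the last existing line.
    if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Install the three rules from this guide into a CSF directory
# (default /etc/csf; pass another directory to stage or test the change).
apply_litespeed_ignores() {
    csf_dir=${1:-/etc/csf}
    add_ignore_entry "$csf_dir/csf.fignore" '/tmp/lshttpd/\.rtreport.*' &&
    add_ignore_entry "$csf_dir/csf.pignore" 'pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.*' &&
    add_ignore_entry "$csf_dir/csf.pignore" 'pexe:/usr/local/lsws/bin/lshttpd.*'
}

# Succeed if the path in $2 is covered by the rule in $1.
# Assumption: lfd matches the rule against the full path; grep -E with
# ^...$ is used here as an approximation of that behaviour.
rule_covers() {
    rule=${1#pexe:}
    printf '%s\n' "$2" | grep -Eq -- "^${rule}\$"
}

# Only touch the live configuration when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_litespeed_ignores /etc/csf && csf -ra
fi
```

Because each rule ends in .*, rule_covers also succeeds for any other file name that begins with the same prefix, so the exemption is only as trustworthy as the write permissions on those directories.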

Other

If you're using QUIC, make sure to open UDP port 443 on your firewall. This can be done in CSF under UDP_IN and UDP_OUT. You can read more about enabling QUIC here.

  • Last modified: 2019/02/13 05:50
  • by Lucas Rolff