Setting up a secure and fast PHP build for LiteSpeed

felosi

Well-Known Member
#3
OK, added. The only problem I've run into using the Suhosin extension is logging alerts on the ini_set memory limit on vBulletin sites. I added some directives to get it not to log that to syslog or stderr. I'll have to double-check the stderr log to make sure it's not logging there anymore.

But overall I found out using this setup plus suexec on LiteSpeed is the most secure, with no speed loss besides the extra resource usage I mentioned before in another post.
But all my new servers I'm setting up as suexec; that way I can leave home and not have to worry about one site using up all the PHP processes. Plus, since using LiteSpeed with the PHP build in my tut, I have had almost a complete drop in web apps on the server getting exploited. The allow_url_include off helps tons too. Probably more than anything else.

You can't make every user update their stuff. But with that PHP build it will even protect a lot of weak apps. I noticed I hardly ever find any shells or crap running in tmp anymore, and that if someone gets hacked it's usually originating from their own computer being trojaned or something.

One question, George. What I've been doing on new servers is setting up and installing mod_security on Apache, then just letting LiteSpeed load it. Is it even needed to compile and install it through Apache, or can I simply add <if module> then config?
 

mistwang

LiteSpeed Staff
#4
What I've been doing on new servers is setting up and installing mod_security on Apache, then just letting LiteSpeed load it. Is it even needed to compile and install it through Apache, or can I simply add <if module> then config?
Compiling Apache is not required by LiteSpeed, but I am not sure whether the control panel allows adding those configurations or not. If you add those manually, there is no problem.
 

felosi

Well-Known Member
#5
Here is a very light but effective mod_security ruleset for Apache 1/LiteSpeed combos. I guess the Apache version doesn't matter.

http://nix101.com/mod_security.conf

This is a good ruleset for a hosting environment. Sometimes you may see an htaccess error in the LiteSpeed admin; it's one of these rules, just find the rule in it and comment it out. But I'm pretty sure I already cleaned these up.

That is all the really usable rules from gotroot.com. It took me about 4 hours to get out all the useless and old crap, and I finally came up with this one.

For people wanting to use it, just include that file from httpd.conf.
 

ffeingol

Well-Known Member
#6
How much does that large of a rule set affect LSWS? Apache (1.x) had a big problem with large rule sets / complex regex and 2.x is better but not that much.

Thanks,

Frank
 

felosi

Well-Known Member
#7
Doesn't affect it at all, I don't think, and one server I use that on is pretty busy.
George:
I am a lil curious about which mod_security rules work better with LiteSpeed: Apache 1 rules or Apache 2 rules? Or does it read them both about the same?
 