Differences
litespeed_wiki:config:csf [2019/02/13 05:21] Lucas Rolff created |
litespeed_wiki:config:csf [2019/02/13 16:05] (current) Lisa Clarke Proofreading |
Line 1: | Line 1: | ||
- | ====== CSF ====== | + | ====== ConfigServer Security & Firewall (CSF) LiteSpeed Configuration ====== |
- | Coming soon | + | If you're using [[https://configserver.com/cp/csf.html|ConfigServer Security & Firewall (CSF)]], you have to make a few changes to the CSF configuration. This guide will explain the various changes that need to be done! |
+ | |||
+ | =====Prevent Symlink Alert From LFD===== | ||
+ | |||
+ | In LiteSpeed Web Server version 5.3.6, we moved ''/tmp/lshttpd/.rtreport'' to ''/dev/shm'' to decrease disk IO. As a result, we introduced a symlink from the original location so any existing configuration doesn't break. | ||
+ | |||
+ | However, this can cause alerts from CSF/LFD such as this: | ||
+ | |||
+ | Time: Wed Feb 13 06:05:29 2019 +0100 | ||
+ | File: /tmp/lshttpd/.rtreport | ||
+ | Reason: Suspicious symlink (->/dev/shm/lsws/lshttpd/status/.rtreport) | ||
+ | Owner: nobody:nobody (99:99) | ||
+ | Action: No action taken | ||
+ | |||
+ | Add ''/tmp/lshttpd/\.rtreport.*'' to ''/etc/csf/csf.fignore'' to suppress this alert, and then restart CSF using ''csf -ra''. | ||
+ | |||
+ | =====Prevent LSPHP Alert From LFD===== | ||
+ | |||
+ | Depending on your settings, or the amount of traffic your customers receive, you can easily end up with ''lsphp'' processes that run for a long time. This happens because we spawn a parent lsphp process for each vhost or customer. This process is used for a few things including shared memory for opcache and keeping the process alive for faster traffic handling (we skip the startup delay). | ||
+ | |||
+ | However, this can trigger some LFD alerts such as the one below: | ||
+ | |||
+ | Time: Tue Feb 12 16:33:02 2019 +0100 | ||
+ | Account: XXXXXXXX | ||
+ | Resource: Process Time | ||
+ | Exceeded: 64846 > 43200 (seconds) | ||
+ | Executable: /opt/cpanel/ea-php56/root/usr/bin/lsphp | ||
+ | Command Line: lsphp | ||
+ | PID: 14899 (Parent PID:14899) | ||
+ | Killed: No | ||
+ | |||
+ | We can prevent this by adding ''pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.*'' to ''/etc/csf/csf.pignore'', and then restarting CSF using ''csf -ra''. | ||
+ | |||
+ | =====Prevent LSHTTPD Alert From LFD===== | ||
+ | |||
+ | The ''lshttpd'' binary is unknown to LFD, so you may also receive alerts like this: | ||
+ | |||
+ | Time: Tue Feb 12 19:03:40 2019 +0100 | ||
+ | PID: 13751 (Parent PID:13739) | ||
+ | Account: nobody | ||
+ | Uptime: 21627 seconds | ||
+ | |||
+ | Executable: | ||
+ | /usr/local/lsws/bin/lshttpd.5.3.1 | ||
+ | |||
+ | Command Line (often faked in exploits): | ||
+ | litespeed (lshttpd - #01) | ||
+ | |||
+ | Network connections by the process (if any): | ||
+ | tcp: xx.xx.xx.xx:80 -> xx.xx.xx.xx:4007 | ||
+ | |||
+ | We can prevent this by adding ''pexe:/usr/local/lsws/bin/lshttpd.*'' to ''/etc/csf/csf.pignore'', and then restarting CSF using ''csf -ra''. | ||
+ | |||
+ | =====Other===== | ||
+ | |||
+ | If you're using QUIC, then make sure to open up port UDP 443 on your firewall. This can be done in CSF under ''UDP_IN'' and ''UDP_OUT''. You can read more about enabling QUIC [[litespeed_wiki:config:enable_quic:apache_configuration_with_cpanel|here]]. |
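Review bot: the QUIC paragraph in the ''Other'' section is the only part of this revision that changes CSF configuration without telling the reader to restart CSF afterwards; for consistency with the three sections above it, state that the ''UDP_IN'' and ''UDP_OUT'' change in ''/etc/csf/csf.conf'' only takes effect after ''csf -ra''. It would also help to say once that the ''csf.fignore'' and ''csf.pignore'' entries are regular expressions: ''pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.*'' exempts every process whose executable path matches, for all ea-php versions at once, from LFD process tracking, so the guide should advise keeping these patterns no wider than the actual path layout requires and confirming that the matched directories stay root-owned, since LFD will no longer report anything running from them.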