====== ConfigServer Security & Firewall (CSF) LiteSpeed Configuration ======

If you're using [[https://configserver.com/cp/csf.html|ConfigServer Security & Firewall (CSF)]], you have to make a few changes to the CSF configuration. This guide will explain the various changes that need to be done!

=====Prevent Symlink Alert From LFD=====

In LiteSpeed Web Server version 5.3.6, we moved ''/tmp/lshttpd/.rtreport'' to ''/dev/shm'' to decrease disk IO. As a result, we introduced a symlink from the original location so any existing configuration doesn't break.

However, this can cause alerts from CSF/LFD such as this:

  Time:    Wed Feb 13 06:05:29 2019 +0100
  File:    /tmp/lshttpd/.rtreport
  Reason:  Suspicious symlink (->/dev/shm/lsws/lshttpd/status/.rtreport)
  Owner:   nobody:nobody (99:99)
  Action:  No action taken

Add ''/tmp/lshttpd/\.rtreport.*'' to ''/etc/csf/csf.fignore'' to suppress this alert, and then restart CSF using ''csf -ra''.

=====Prevent LSPHP Alert From LFD=====

Depending on your settings, or the amount of traffic your customers receive, you can easily end up with ''lsphp'' processes that run for a long time. This happens because we spawn a parent lsphp process for each vhost or customer. This process is used for a few things including shared memory for opcache and keeping the process alive for faster traffic handling (we skip the startup delay).

However, this can trigger some LFD alerts such as the one below:

  Time:         Tue Feb 12 16:33:02 2019 +0100
  Account:      XXXXXXXX
  Resource:     Process Time
  Exceeded:     64846 > 43200 (seconds)
  Executable:   /opt/cpanel/ea-php56/root/usr/bin/lsphp
  Command Line: lsphp
  PID:          14899 (Parent PID:14899)
  Killed:       No

We can prevent this by adding ''pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.*'' to ''/etc/csf/csf.pignore'', and then restarting CSF using ''csf -ra''.

=====Prevent LSHTTPD Alert From LFD=====

The ''lshttpd'' binary is unknown to LFD, so you may also receive alerts like this:

  Time:         Tue Feb 12 19:03:40 2019 +0100
  PID:          13751 (Parent PID:13739)
  Account:      nobody
  Uptime:       21627 seconds
  Executable:   /usr/local/lsws/bin/lshttpd.5.3.1
  Command Line (often faked in exploits): litespeed (lshttpd - #01)
  Network connections by the process (if any):
  tcp: xx.xx.xx.xx:80 -> xx.xx.xx.xx:4007

We can prevent this by adding ''pexe:/usr/local/lsws/bin/lshttpd.*'' to ''/etc/csf/csf.pignore'', and then restarting CSF using ''csf -ra''.

=====Other=====

If you're using QUIC, then make sure to open up UDP port 443 on your firewall. This can be done in CSF under ''UDP_IN'' and ''UDP_OUT''.

You can read more about enabling QUIC [[litespeed_wiki:config:enable_quic:apache_configuration_with_cpanel|here]].
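
The three ignore entries from the LFD sections above can be applied in one pass without creating duplicates, and each regex can be checked against the path shown in its alert before CSF is restarted. The script below is an added example, not code from LiteSpeed or ConfigServer. The function names, the ''CSF_DIR'' variable and the ''--apply'' switch are hypothetical, and it assumes LFD applies each regex to the whole path (modelled here with ''grep -Ex'').

```shell
#!/bin/bash
# Added example, not LiteSpeed's or ConfigServer's own tooling.
# Assumption: CSF keeps its ignore files in /etc/csf; set CSF_DIR to test elsewhere.
CSF_DIR="${CSF_DIR:-/etc/csf}"

# Append an entry to an ignore file only if that exact line is not already present.
add_ignore_entry() {
    file="$1"; entry="$2"
    touch "$file"
    if grep -Fxq -- "$entry" "$file"; then
        return 0
    fi
    # If the file does not end with a newline, add one so the entry gets its own line.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Return 0 if the regex ($1, without the "pexe:" prefix) covers the path ($2).
# Assumption: LFD matches the regex against the full path; grep -Ex models that.
regex_covers() {
    printf '%s\n' "$2" | grep -Exq -- "$1"
}

# Add the three entries this page describes.
apply_litespeed_ignores() {
    add_ignore_entry "$CSF_DIR/csf.fignore" '/tmp/lshttpd/\.rtreport.*'
    add_ignore_entry "$CSF_DIR/csf.pignore" 'pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.*'
    add_ignore_entry "$CSF_DIR/csf.pignore" 'pexe:/usr/local/lsws/bin/lshttpd.*'
}

# Only change the live configuration and restart CSF when asked explicitly.
if [ "${1:-}" = "--apply" ]; then
    apply_litespeed_ignores && csf -ra
fi
```

Running ''regex_covers'' with the ''Executable:'' path copied from an alert shows whether an entry would have suppressed it, which is a quick check after a LiteSpeed or PHP upgrade changes a binary path.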