How to setup Litespeed LSWS for a shared environment?

[mistwang]

If you got some spare memory in your server not being actively used, there is one tip to improve PHP and overall server performance.

Requirements:

* there are enough free memory to spare.
* /dev/shm/ should be mounted as tmpfs.

Install eaccelerator with PHP suEXEC, set disk cache storage to /dev/shm/eaccelerator/ instead of /tmp/eaccelerator/, then add a cron job to clean the cache directory every 5-10 minutes, so cache files not being used frequently will not fill up the precious shared memory storage.

Noticed that the server load going down from 4.x to 1.x on one client's server.

 

[DraCoola]

Noticed that the server load going down from 4.x to 1.x on one client's server.

On my server?
Thank you mistwang for your helps and advices

Btw on my eAccelerator, it could only caching from 1 to 19 scripts, maximum.
Or it perhaps caused by shm value/size has set to just 16mb?

Because if I increase it to more than 16mb, some of random pages will suddenly blank, not completely load, or shows an alien codes on it.

 

[anewday]

Do you mean the value for "eaccelerator.shm_size" ?

 

[Tony]

If you got some spare memory in your server not being actively used, there is one tip to improve PHP and overall server performance.

Requirements:

* there are enough free memory to spare.
* /dev/shm/ should be mounted as tmpfs.

Install eaccelerator with PHP suEXEC, set disk cache storage to /dev/shm/eaccelerator/ instead of /tmp/eaccelerator/, then add a cron job to clean the cache directory every 5-10 minutes, so cache files not being used frequently will not fill up the precious shared memory storage.

Noticed that the server load going down from 4.x to 1.x on one client's server.

Interesting.

We played around with eaccelerator a bit on one machine but for the density of our machines it's not even worth doing. We actually had higher i/o wait due to the amount of cached files it ended up writing. I think in the end we had about 12GB of cached files eccelerator does have a memory only feature but I did not see any real improvements. I'm guessing it has to do with the timeout of the PHP processes and such.

This /dev/shm idea seems interesting though. I might play around with that when we start deploying nehalem based servers with 12+GB of ram.

 

[DraCoola]

Do you mean the value for "eaccelerator.shm_size" ?

Yes that is.
I've been with php as DSO (on Cpanel-Apache), and set the eaccelerator.shm_size to 2048 and that were fine.
Except it were doesn't fine on DSO-nobody security.

 

[Tony]

Yes that is.
I've been with php as DSO (on Cpanel-Apache), and set the eaccelerator.shm_size to 2048 and that were fine.
Except it were doesn't fine on DSO-nobody security.

If my memory serves me right with PHP processes running as their user this changes the meaning of this slightly. The shm size would be on a per process or user basis I cannot remember which. So when you say a max of 2048 when running LSAPI or even FastCGI on Apache it's not doing shared between all the pools that's just one user set.

This is also why it gets confusing the reporting of eaccelerator you'd need the script for each user account to see the accurate numbers.

I'm pretty sure on most of this as I did some testing to see what exactly happens as I had never ran caching extensions when PHP was running as various users.

 

[mistwang]

We played around with eaccelerator a bit on one machine but for the density of our machines it's not even worth doing. We actually had higher i/o wait due to the amount of cached files it ended up writing. I think in the end we had about 12GB of cached files eccelerator does have a memory only feature but I did not see any real improvements. I'm guessing it has to do with the timeout of the PHP processes and such.

Yes, that's true that it will cause high I/O wait if you use /tmp/eaccelerator/ as the storage. However, using /dev/shm/ is more like using a memory disk, which is lightening fast without increasing I/O wait.

 

[mistwang]

Btw on my eAccelerator, it could only caching from 1 to 19 scripts, maximum.
Or it perhaps caused by shm value/size has set to just 16mb?

Because if I increase it to more than 16mb, some of random pages will suddenly blank, not completely load, or shows an alien codes on it.

No need to increase it or let it cache more pages in memory, as the disk cache is actually in memory, also PHP process will start/stop more frequently in PHP suEXEC mode for shared hosting. As long as PHP process can grab a copy of parsed PHP opcode from memory disk, it is fine.

 

[anewday]

Are these setting right to optimize? I'm confused on what value eaccelerator.shm_size should be if i set the disk cache to /dev/shm with 1.5G of space.


php.ini

extension_dir = "/usr/local/lsws/lsphp4/lib/php/extensions/no-debug-non-zts-20020429"
extension="eaccelerator.so"
eaccelerator.shm_size="64"
eaccelerator.cache_dir="/dev/shm/lswsphp4eacc"
eaccelerator.enable="1"                
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.shm_max="0"                  
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
eaccelerator.keys="shm"
eaccelerator.sessions="shm"
eaccelerator.content="shm"

/etc/fstab

none                    /dev/shm                tmpfs   noexec,nosuid   0 0

df -h

none                  1.5G     0  1.5G   0% /dev/shm

 

[mistwang]

looks good to me.

 

[anewday]

Does it have to be PHP suExec?

 

[grniyce]

usr/local/lib/ php.ini

 

[masood_y]

If you got some spare memory in your server not being actively used, there is one tip to improve PHP and overall server performance.

Requirements:

* there are enough free memory to spare.
* /dev/shm/ should be mounted as tmpfs.

Install eaccelerator with PHP suEXEC, set disk cache storage to /dev/shm/eaccelerator/ instead of /tmp/eaccelerator/, then add a cron job to clean the cache directory every 5-10 minutes, so cache files not being used frequently will not fill up the precious shared memory storage.

Noticed that the server load going down from 4.x to 1.x on one client's server.

How can do it?

* there are enough free memory to spare.
* /dev/shm/ should be mounted as tmpfs.

 

[mistwang]

df shows that you already have it. check /etc/fstab for configuration.

 

[anewday]

Does Litespeed have to be using PHP suEXEC?

George, could you answer this?

 

[Michael.Terence]

George, could you answer this?

I'm not george but I'll take a stab - this portion of the thread is mostly about eaccelerator and /dev/shm - so if your question was whether or not you can use eaccelerator, and place the cache files in /dev/shm while not using PHP suEXEC the answer is yes, just be sure the user php is running as has access to the directory.

 

[mistwang]

it benefit PHP suEXEC most as each PHP process use its own in memory cache, this way, just like we share a global in-memory cache.

 

[grniyce]

For PHP there are some security measures in CSF Server security check such as open_basedir, disable_functions, enable_dl

What mod_security rules are you using? you can find some up2date rules from http://www.gotroot.com/tiki-index.php?page=mod_security+rules

Mod_security audit_log has been implemented in LSWS 4.0 also, you can set your audit_log path in CSF and check for security logs there which is very userfriendly, or set LFD rules in your CSF configuration to block attackers automatically


Yes, using disable_functions directive in php.ini

I disabled these functions on my shared servers:

fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,hell-exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,shell_exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsidposix_setuid

various functions disabled but it kills all of phpshells/exploits and all of my scripts are working as well, you may remove some functions if it breaks your scripts

you can disable posix functions in php configure script using '--disable-posix' too

turned off? you mean open_basedir protection has been enabled in WHM -> Security Center -> Tweak PHP open_basedir Security ?


You can turn safe_mode on globally and turn if off individually for each VH using php_admin_value safe_mode 0 directive in VirtualHost section in httpd.conf

for suhosin i use this values in php.ini:

[suhosin]
extension=suhosin.so
suhosin.post.max_vars = 1024
suhosin.request.max_vars = 1024
suhosin.get.max_value_length = 1024

We know Litespeed is awesome in performances, but there is alot of security features in LSWS either!

To increase your CGI security you may re-install LSWS with chroot enabled but it may break some scripts, however its working like a charm for me

Also you can secure your server for DDoS attacks, check this out: http://www.litespeedtech.com/library/howto/#qa_dos

I suggest you restrict your SSH and WHM daemons only to your own IP addresses if its static, or to your range if dynamic in WHM -> Security Center -> Host Access Control
If you allow your own IP addresses and DENY ALL no one can access into your server even with root pw!

Also upgrade to mysql5 if you are on mysql4, there are vulnerabilities in mysql4 which attacker can bypass open_basedir and access files out of its home, there is a lot of performances in mysql5 either

Now you may upload some phpshells and make sure they are fully killed
common phpshells are available here: www[dot]shellci[dot]biz

Good luck

I have done most of the above, however I don't know how to get the mod_security logs and so forth to work with csf and litespeed. I think I need to specify the paths and so forth.

I uploaded a couple scripts to the server and after disabling all of the functions and everything above, they still ran.

I'm confused and might need to hire someone to help me make sure my server is secure against these attacks, because a lot of my associates are experiencing these attacks, and I myself have unfortunately lost an entire server due to an attack about 4 months ago.

Please help.

 

[DraCoola]

I have done most of the above, however I don't know how to get the mod_security logs and so forth to work with csf and litespeed. I think I need to specify the paths and so forth.

I uploaded a couple scripts to the server and after disabling all of the functions and everything above, they still ran.

I'm confused and might need to hire someone to help me make sure my server is secure against these attacks, because a lot of my associates are experiencing these attacks, and I myself have unfortunately lost an entire server due to an attack about 4 months ago.

Please help.

They still can run on XSS way?
On my server, I have put all of those php disable_function, except php_uname, and I try my self for some of shell scripts can not execute any important command to hack to another account.

 

[grniyce]

They still can run on XSS way?
On my server, I have put all of those php disable_function, except php_uname, and I try my self for some of shell scripts can not execute any important command to hack to another account.

I added the commands, and rebuilt apache with modsecurity, suhosin, php 5.2.9, ea accelerator, zend optimizer, and then I added the suhosin suggestion above to php.ini and added the includes line to httpd.conf for mod security at the bottom. I also have ClamAv installed.

I then built matching php, and I reinstalled LSWS most recent with the chroot on and set it to /usr/local/lsws

Now I went to the scripts site and had to turn off my pc antivirus, and then I downloaded a handful of the scripts there, uploaded them thru ftp to a mock domain on my server, and relabled them like c99.php, r57.php etc etc. I accessed each one of them just like regular pages, and they let me navigate my server. It is my understanding that these scripts should have been stopped by ClamAV, as well as ModSecurity and CSF, but none of them have. ALL of the php.ini functions suggested above have been disabled also, and devshm has been remounted also. I'm totally confused. This isn't working.... (

However, when I go to view modsecurity log in CSF here is what I get:

So, I am assuming I need to redefine somewhere in the server where the log should be found? How can I setup LSWS and WHM and CSF to all collaborate with the modsecurity log?