How to setup Litespeed LSWS for a shared environment?

[grniyce]

Here is php.ini showing functions disabled:

Here is suhosin section added in php.ini:

...and here is the /usr/local/lsws/conf/httpd_config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<httpServerConfig>
  <serverName>server.legithost.net</serverName>
  <user>nobody</user>
  <group>nobody</group>
  <priority>-19</priority>
  <chrootPath>/</chrootPath>
  <enableChroot>0</enableChroot>
  <inMemBufSize>60M</inMemBufSize>
  <swappingDir>/tmp/lshttpd/swap</swappingDir>
  <autoRestart>1</autoRestart>
  <autoFix503>1</autoFix503>
  <loadApacheConf>1</loadApacheConf>
  <autoReloadApacheConf>2</autoReloadApacheConf>
  <apacheBinPath>/usr/local/apache/bin/httpd</apacheBinPath>
  <apacheConfFile>/usr/local/apache/conf/httpd.conf</apacheConfFile>
  <apachePortOffset>0</apachePortOffset>
  <apacheIpOffset>0</apacheIpOffset>
  <apacheHandledContent></apacheHandledContent>
  <phpSuExec>1</phpSuExec>
  <phpSuExecMaxConn>10</phpSuExecMaxConn>
  <apacheEnableFP>1</apacheEnableFP>
  <mime>$SERVER_ROOT/conf/mime.properties</mime>
  <disableInitLogRotation>1</disableInitLogRotation>
  <showVersionNumber>0</showVersionNumber>
  <enableIpGeo></enableIpGeo>
  <useIpInProxyHeader></useIpInProxyHeader>
  <autoUpdateInterval>86400</autoUpdateInterval>
  <autoUpdateDownloadPkg>1</autoUpdateDownloadPkg>
  <adminEmails>grniyce@gmail.com</adminEmails>
  <adminRoot>$SERVER_ROOT/admin/</adminRoot>
  <logging>
    <log>
      <fileName>/usr/local/apache/logs/error_log</fileName>
      <logLevel>DEBUG</logLevel>
      <debugLevel>0</debugLevel>
      <rollingSize>2000M</rollingSize>
      <enableStderrLog>0</enableStderrLog>
    </log>
    <accessLog>
      <fileName>$SERVER_ROOT/logs/access.log</fileName>
      <rollingSize>2000M</rollingSize>
      <keepDays>30</keepDays>
      <compressArchive>0</compressArchive>
    </accessLog>
  </logging>
  <indexFiles>index.html, index.php, index.php5, index.htm</indexFiles>
  <autoIndex></autoIndex>
  <autoIndexURI></autoIndexURI>
  <htAccess>
    <allowOverride>31</allowOverride>
    <accessFileName>.htaccess</accessFileName>
  </htAccess>
  <expires>
    <enableExpires>1</enableExpires>
    <expiresByType>image/*=A604800, text/css=A604800, application/x-javascript=A604800</expiresByType>
  </expires>
  <tuning>
    <maxConnections>650</maxConnections>
    <maxSSLConnections>50</maxSSLConnections>
    <connTimeout>60</connTimeout>
    <maxKeepAliveReq>90</maxKeepAliveReq>
    <smartKeepAlive>1</smartKeepAlive>
    <keepAliveTimeout>3</keepAliveTimeout>
    <sndBufSize>0</sndBufSize>
    <rcvBufSize>0</rcvBufSize>
    <eventDispatcher>best</eventDispatcher>
    <maxCachedFileSize>4096</maxCachedFileSize>
    <totalInMemCacheSize>20M</totalInMemCacheSize>
    <maxMMapFileSize>256K</maxMMapFileSize>
    <totalMMapCacheSize>40M</totalMMapCacheSize>
    <useSendfile>1</useSendfile>
    <etagNoInode>1</etagNoInode>
    <SSLCryptoDevice>null</SSLCryptoDevice>
    <maxReqURLLen>8192</maxReqURLLen>
    <maxReqHeaderSize>16380</maxReqHeaderSize>
    <maxReqBodySize>10M</maxReqBodySize>
    <maxDynRespHeaderSize>4K</maxDynRespHeaderSize>
    <maxDynRespSize>10M</maxDynRespSize>
    <enableGzipCompress>1</enableGzipCompress>
    <enableDynGzipCompress>1</enableDynGzipCompress>
    <gzipCompressLevel>1</gzipCompressLevel>
    <compressibleTypes>text/*, application/x-javascript, application/xml</compressibleTypes>
    <gzipAutoUpdateStatic>1</gzipAutoUpdateStatic>
    <gzipCacheDir></gzipCacheDir>
    <gzipStaticCompressLevel>1</gzipStaticCompressLevel>
    <gzipMaxFileSize>1M</gzipMaxFileSize>
    <gzipMinFileSize>300</gzipMinFileSize>
  </tuning>
  <security>
    <fileAccessControl>
      <followSymbolLink>1</followSymbolLink>
      <checkSymbolLink>0</checkSymbolLink>
      <requiredPermissionMask>000</requiredPermissionMask>
      <restrictedPermissionMask>000</restrictedPermissionMask>
    </fileAccessControl>
    <perClientConnLimit>
      <staticReqPerSec>25</staticReqPerSec>
      <dynReqPerSec>10</dynReqPerSec>
      <outBandwidth>0</outBandwidth>
      <inBandwidth>0</inBandwidth>
      <softLimit>400</softLimit>
      <hardLimit>500</hardLimit>
      <gracePeriod>15</gracePeriod>
      <banPeriod>300</banPeriod>
    </perClientConnLimit>
    <CGIRLimit>
      <maxCGIInstances>20</maxCGIInstances>
      <minUID>11</minUID>
      <minGID>10</minGID>
      <priority>0</priority>
      <CPUSoftLimit>60</CPUSoftLimit>
      <CPUHardLimit>120</CPUHardLimit>
      <memSoftLimit>250M</memSoftLimit>
      <memHardLimit>300M</memHardLimit>
      <procSoftLimit>400</procSoftLimit>
      <procHardLimit>450</procHardLimit>
    </CGIRLimit>
    <censorshipControl>
      <enableCensorship>1</enableCensorship>
      <logLevel>1</logLevel>
      <defaultAction>deny,log,status:403</defaultAction>
      <scanPOST>1</scanPOST>
    </censorshipControl>
    <accessDenyDir>
      <dir>/</dir>
      <dir>/etc/*</dir>
      <dir>/dev/*</dir>
      <dir>$SERVER_ROOT/conf/*</dir>
      <dir>$SERVER_ROOT/admin/conf/*</dir>
    </accessDenyDir>
    <accessControl>
      <allow>ALL</allow>
      <deny></deny>
    </accessControl>
  </security>
  <extProcessorList>
    <extProcessor>
      <type>lsapi</type>
      <name>lsphp5</name>
      <address>uds://tmp/lshttpd/lsphp5.sock</address>
      <note></note>
      <maxConns>35</maxConns>
      <env>PHP_LSAPI_MAX_REQUESTS=500</env>
      <env>PHP_LSAPI_CHILDREN=35</env>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <persistConn>1</persistConn>
      <pcKeepAliveTimeout></pcKeepAliveTimeout>
      <respBuffer>0</respBuffer>
      <autoStart>1</autoStart>
      <path>$SERVER_ROOT/fcgi-bin/lsphp5</path>
      <backlog>100</backlog>
      <instances>1</instances>
      <runOnStartUp></runOnStartUp>
      <extMaxIdleTime></extMaxIdleTime>
      <priority>0</priority>
      <memSoftLimit>450M</memSoftLimit>
      <memHardLimit>500M</memHardLimit>
      <procSoftLimit>200</procSoftLimit>
      <procHardLimit>200</procHardLimit>
    </extProcessor>
    <extProcessor>
      <type>lsapi</type>
      <name>lsphp4</name>
      <address>uds://tmp/lshttpd/lsphp4.sock</address>
      <note></note>
      <maxConns>35</maxConns>
      <env>PHP_LSAPI_MAX_REQUESTS=500</env>
      <env>PHP_LSAPI_CHILDREN=35</env>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <persistConn>1</persistConn>
      <pcKeepAliveTimeout></pcKeepAliveTimeout>
      <respBuffer>0</respBuffer>
      <autoStart>1</autoStart>
      <path>$SERVER_ROOT/fcgi-bin/lsphp4</path>
      <backlog>100</backlog>
      <instances>1</instances>
      <runOnStartUp></runOnStartUp>
      <extMaxIdleTime></extMaxIdleTime>
      <priority>0</priority>
      <memSoftLimit>450M</memSoftLimit>
      <memHardLimit>500M</memHardLimit>
      <procSoftLimit>200</procSoftLimit>
      <procHardLimit>200</procHardLimit>
    </extProcessor>
    <extProcessor>
      <type>proxy</type>
      <name>127.0.0.1:2082</name>
      <address>127.0.0.1:2082</address>
      <note>for cPanel backend</note>
      <maxConns>100</maxConns>
      <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <respBuffer>0</respBuffer>
    </extProcessor>
    <extProcessor>
      <type>proxy</type>
      <name>127.0.0.1:2095</name>
      <address>127.0.0.1:2095</address>
      <note>for webmail backend</note>
      <maxConns>100</maxConns>
      <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <respBuffer>0</respBuffer>
    </extProcessor>
    <extProcessor>
      <type>proxy</type>
      <name>127.0.0.1:2086</name>
      <address>127.0.0.1:2086</address>
      <note>for WHM backend</note>
      <maxConns>100</maxConns>
      <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <respBuffer>0</respBuffer>
    </extProcessor>
    <extProcessor>
      <type>proxy</type>
      <name>127.0.0.1:2077</name>
      <address>127.0.0.1:2077</address>
      <note>for webdisk backend</note>
      <maxConns>100</maxConns>
      <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <respBuffer>0</respBuffer>
    </extProcessor>
  </extProcessorList>
  <scriptHandlerList>
    <scriptHandler>
      <suffix>php</suffix>
      <type>lsapi</type>
      <handler>lsphp5</handler>
    </scriptHandler>
    <scriptHandler>
      <suffix>php4</suffix>
      <type>lsapi</type>
      <handler>lsphp4</handler>
    </scriptHandler>
    <scriptHandler>
      <suffix>php5</suffix>
      <type>lsapi</type>
      <handler>lsphp5</handler>
      <note></note>
    </scriptHandler>
  </scriptHandlerList>
  <railsDefaults>
    <rubyBin></rubyBin>
    <railsEnv>1</railsEnv>
    <maxConns>5</maxConns>
    <env>LSAPI_MAX_REQS=1000</env>
    <env>LSAPI_MAX_IDLE=60</env>
    <initTimeout>60</initTimeout>
    <retryTimeout>0</retryTimeout>
    <pcKeepAliveTimeout>60</pcKeepAliveTimeout>
    <respBuffer>0</respBuffer>
    <backlog>50</backlog>
    <runOnStartUp>1</runOnStartUp>
    <extMaxIdleTime>300</extMaxIdleTime>
    <priority>3</priority>
    <memSoftLimit>450M</memSoftLimit>
    <memHardLimit>500M</memHardLimit>
    <procSoftLimit>200</procSoftLimit>
    <procHardLimit>300</procHardLimit>
  </railsDefaults>
</httpServerConfig>

 

[DraCoola]

Perhaps you should add the mod_sec rules first? Or it have been missing?
The path for mode_sec was on /usr/local/apache/conf/

Btw some of C99 has succesfully made them self "disappear" from ClamAV.
ClamAV cannot recognize that special C99 as a trojan/virus.
So ClamAV will be unused on that case.

Mod_Sec is just only as the first gate with their rules.
If, sometimes, php shells can get through over it, so the last defend is phpSuexec (Suphp is better) and php disable_functions.
And ofcourse suhosin.

The most important thing is how to prevent that script to read/write all files and directories on our servers.
It can be made by php_disable functions and php priveledge as per user.
Are you sure that php.ini that being used (disable_functions edited) is the right php.ini for all web users?

 

[grniyce]

Both the php.ini's are identical, so I am positive all the disable functions are effective now.

 

[grniyce]

As an update, everything is working beautifully and I thank everyone that has contributed to this thread!

 

[auser]

Now I went to the scripts site and had to turn off my pc antivirus, and then I downloaded a handful of the scripts there, uploaded them thru ftp to a mock domain on my server, and relabled them like c99.php, r57.php etc etc. I accessed each one of them just like regular pages, and they let me navigate my server. It is my understanding that these scripts should have been stopped by ClamAV, as well as ModSecurity and CSF, but none of them have. ALL of the php.ini functions suggested above have been disabled also, and devshm has been remounted also. I'm totally confused. This isn't working.... (

I'd like to download 1 of the scripts, to try on my local box, see if LSWS can stop it, or how to stop it. Can you tell the location of the scripts site, and point out 1 which looks most troublesome? This will break down big issues into smaller ones, and help resolve them finally.

 

[grniyce]

NOTE: VERY IMPORTANT THAT THE BELOW SITE IS TO BE USED BY INDIVIDUALS WHOM KNOW EXACTLY WHAT THEY ARE DOING IN EFFORT(S) TO TEST THE SECURITY OF YOUR SERVER. REALIZE THAT LEAVING -ANY- OF THESE SHELLS CAN PLACE YOUR SERVER AT SEVERE RISK IF YOU DO NOT KNOW WHAT YOU ARE DOING!

common phpshells are available here: www.shellci.biz

 

[nixell]

If php function disable, is whmcs or other script still can't run?

 

[grniyce]

Yes WHMCS works fine with the php functions mentioned disabled. Most if not 99% of the time you will run into ini_set errors (not on whmcs but on various other scripts). If you simply edit out the ini_set from the configuration files or have someone knowledgable do it you won't run into any errors.

To directly answer your question, "you will have no issues running whmcs and most other scripts with all of the above recommendations".

My server runs vBulletin, IPB, PHPbb, WHMSonic, WHMCS, Shoutcast, and many other scripts without any flaws.

 

[Nokki]

thanks for the guide

 

[onisoc]

I'm using cPanel and apache for server shared hosting. I'm planning transfer to use LSWS + cPanel, but i have some question:
1. .htaccess : is LSWS compatible with cPanel users ?
2. I have some configs in httpd.conf like:

<Directory "/home/">
Options Indexes -Includes IncludesNOEXEC -FollowSymLinks -SymLinksifOwnerMatch ExecCGI
AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,ExecCGI
</Directory>

<Directory "/usr/local/apache/htdocs">
Options IncludesNOEXEC Indexes -FollowSymLinks +SymLinksIfOwnerMatch -ExecCGI
AllowOverride None
Order allow,deny
Allow from all

</Directory>

for anti phpshell, cgishell effect symlink.
May i use it with LSWS ?

I hope you can advise me smt.

 

[NiteWave]

1.LSWS is compatible with apache .htaccess

2.the example directives are from apache too. Yes, LSWS compatible with them.

since you're running trial LSWS, it should be easier for you to verify these directives one by one, to see if it works fine as expected as apache. if not, please report us.

 

[prandah]

hello,
i have several question
as far as i know cPanel use nobody group
but kloxo use apache default group
so can i install lsws under apache group ?

 

[jamdwade]

Thanks for this information. I appreciate it a lot.

 

[mrbiki]

go support team

 

[grniyce]

Wow, just checking in. I'm excited to load up LiteSpeed on a new cluster I'm having implemented for my site worldtruth.org. Right now I'm running the 15 day enterprise trial until the setup is ready in a couple days, then I'm purchasing the whole shabang. I know people keep saying to run nginx + php-fpm and apc, but I'm here to testify that LiteSpeed + APC ---> DESTROYS nginx. I don't care what their benchmarks are.

I don't know how they're testing it, or what they're running, but if you want an all around super fast, secure, compatible webserver with easy interface, and exceptional customization options even for the novice user; LITESPEED is the ""ONLY CHOICE""

Viva LiteSpeed 2013!

 

[remas100]

ut still curious on how to enable the pure phpsuexec to this LS-Cpanel.
Because I think the security of LS will totally null if any user still can walk around to other users teritories.

It is just as the same as php-DSO (nobody), which username means nothing to php security.

 

[tungphatcomputer]

After I edit /usr/local/lib/php.ini, it always changed for the phpinfo() value on /home/user/public_html/phpinfo.php
Is there something wrong with my installation?

 

[Pong]

For cpanel ea4, it normally should not use /usr/local/lib/php.ini unless you change the php.ini location.

 

[tungphatcomputer]

Thanks for this information. I really need that !

 

[Pong]

I am not clear what do you want to achieve.

On cpanel ea4, you can either pick ea-phpxx or alt-php from whm multiPHP manager, then the php.ini will be loaded from

/opt/cpanel/ea-phpxx/root/etc/php.ini
or
/opt/alt/phpxx/etc/php.ini

If you are not sure the right setup, fresh install LiteSpeed will reset evrything good for you.
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:cpanel:easyapache4