Ways of improving security in Litespeed
LiteSpeed Web Server is the leading high-performance, high-scalability web server. It is fully Apache-compatible, so it can quickly replace Apache in your existing web delivery platform. The important security features and their configuration are given below:
a) SSL (Litespeed administration security)
We need to secure the administration area. We will do this by adding an SSL connection to the administration port and configuring the server to accept connections to that port from our IP only (or from a group of IPs).
b) DDoS Protection
LiteSpeed web server is much less vulnerable to HTTP Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, thanks to IP-level throttling, connection accounting, and its outstanding performance and scalability.
IP-based access control (the Allowed List and Denied List) is a server level setting that affects all virtual hosts; virtual host settings do not override the server setting. If you want to block a certain IP or network, put * or ALL in the Allowed List and list the blocked IP or network in the Denied List. If you want to allow only certain IPs or sub-networks, put * or ALL in the Denied List and list the allowed IP or sub-network in the Allowed List. The entry of the smallest scope that matches an IP determines whether it is blocked or allowed. A trusted IP or sub-network must be specified in the Allowed List with a trailing “T”. Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.
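To make the matching rule concrete, here is an added Python model of the Allowed/Denied List decision as described above. It is not LiteSpeed's own code; it assumes entries are IPs or CIDR blocks (plus * / ALL and the trailing T), that an address matching no entry is allowed, and that a tie between two entries of equal scope resolves to deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    network: Network
    allow: bool
    trusted: bool = False  # only meaningful for Allowed List entries


def parse_list(text: str, allow: bool) -> List[Rule]:
    """Parse a comma-separated Allowed List (allow=True) or Denied List into rules."""
    rules: List[Rule] = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        trusted = False
        if allow and entry.endswith("T"):  # trailing "T" marks a trusted entry
            trusted, entry = True, entry[:-1]
        if entry.upper() in ("*", "ALL"):
            # ALL covers both address families; a /0 prefix is the widest scope
            rules.append(Rule(ipaddress.ip_network("0.0.0.0/0"), allow, trusted))
            rules.append(Rule(ipaddress.ip_network("::/0"), allow, trusted))
        else:
            # strict=False accepts a host address with or without a prefix length
            rules.append(Rule(ipaddress.ip_network(entry, strict=False), allow, trusted))
    return rules


def decide(ip: str, allowed: str, denied: str) -> Tuple[str, bool]:
    """Return ("allow" or "deny", trusted) for ip using the most specific matching entry."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Rule] = None
    for r in parse_list(allowed, True) + parse_list(denied, False):
        if addr.version != r.network.version or addr not in r.network:
            continue
        # smallest scope (longest prefix) wins; on equal scope the deny entry wins
        # (assumption: the page does not say how equal-scope entries resolve)
        if (best is None or r.network.prefixlen > best.network.prefixlen
                or (r.network.prefixlen == best.network.prefixlen and not r.allow)):
            best = r
    if best is None:
        return ("allow", False)  # assumption: no matching entry means no restriction
    return ("allow" if best.allow else "deny", best.trusted)
```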
c) SuEXEC
This is another security measure. Here we enable SuEXEC in LiteSpeed so that applications, including CGI, FastCGI, LSAPI, PHP, Python and Ruby on Rails, run under the user's own account rather than the web server's.
d) File system protection
LiteSpeed web server will serve a static file only if the following conditions are satisfied:
# “.ht*” and “.svn*” are not allowed in a decoded URL; this denies access to important hidden files and directories.
# The file must be configured with the required permissions.
# The file is not in the Access Denied Directory list.
# It does not involve symbolic links, if symbolic links are not allowed.
e) Chroot Jail
“chroot” changes the root directory for a process. A process with a changed root, and its child processes, cannot access any file beyond the new root directory. It is like putting a process in a jail, so this mechanism is called a “chroot jail”. The LiteSpeed web server can run inside a chroot jail.
The above is a very rough outline of LiteSpeed web server security, and if you have any questions, we would be happy to talk to you! 🙂
About the Author:
Manu George E works as a Software Engineer in Bobcares. He joined Bobcares back in March 2011. He loves reading books, watching movies and listening to music in his free time.