Server Security
 
Table of Contents

File Access Control
  Follow Symbolic Link, Check Symbolic Link, Force Strict Ownership Checking, Required Permission Mask, Restricted Permission Mask, Script Restricted Permission Mask, Script Restricted Directory Permission Mask
Per Client Throttling Control
  Static Requests/Second, Dynamic Requests/Second, Outbound Bandwidth, Inbound Bandwidth, Connection Soft Limit, Connection Hard Limit, Block Bad Request, Grace Period (sec), Banned Period (sec)
External Application Resource Control
  CGI Daemon Socket, Max CGI Instances, Minimum UID, Minimum GID, Force GID, CGI Priority, CPU Soft Limit, CPU Hard Limit, Memory Soft Limit, Memory Hard Limit, Process Soft Limit, Process Hard Limit
Access Denied Directories
  Access Denied Directories
Access Control
  Allowed List, Denied List
 
Follow Symbolic Link
Description: Specifies the server-level default for following symbolic links when serving static files. Choices are Yes, If Owner Match and No. Yes always follows a symbolic link; If Owner Match follows a symbolic link only if the owner of the link and the owner of the target are the same; No never follows a symbolic link. This setting can be overridden by each individual virtual host.
Syntax: Select from drop down list
Tips: [Performance & security] For best security select No or If Owner Match. For best performance, select Yes.
See Also: Check Symbolic Link.
Check Symbolic Link
Description: Specifies whether to check symbolic links against Access Denied Directories when Follow Symbolic Link is turned on. If enabled, the canonical real path of the resource referred to by a URL is checked against the configured access denied directories, and access is denied if it falls inside one of them.
Syntax: Select from radio box
Tips: [Performance & security] For best security, enable this option. For best performance, disable it.
Force Strict Ownership Checking
Description: Specifies whether to enforce strict file ownership checking. If enabled, the web server checks that the owner of the file being served is the same as the owner of the virtual host; if they differ, a 403 Access Denied error is returned. Default is off.
Syntax: Select from radio box
Tips: [security] For shared hosting, enable this check for better security.
Required Permission Mask
Description: Specifies the required permission mask for static files that the web server will serve. For example, if only files that are readable by everyone can be served, set the value to 0004. See man 2 stat for all values.
Syntax: octal numbers
See Also: Restricted Permission Mask.
Restricted Permission Mask
Description: Specifies the restricted permission mask for static files that the web server will not serve. For example, to prohibit serving files that are executable, set the mask to 0111. See man 2 stat for all values.
Syntax: octal numbers
See Also: Required Permission Mask.
Script Restricted Permission Mask
Description: Specifies the restricted permission mask for script files that the web server will not serve. For example, to prohibit serving PHP scripts that are group and world writable, set the mask to 022. Default value is 000. See man 2 stat for all values.
Syntax: octal numbers
See Also: Script Restricted Directory Permission Mask.
Script Restricted Directory Permission Mask
Description: Specifies the restricted permission mask of the parent directory of a script file that the web server will not serve. For example, to prohibit serving PHP scripts from a directory that is group and world writable, set the mask to 022. Default value is 000. This option can be used to prevent serving scripts under a directory of uploaded files. See man 2 stat for all values.
Syntax: octal numbers
See Also: Script Restricted Permission Mask.
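The four masks above are bitwise tests against the permission bits of st_mode. The following is an added example (not LiteSpeed's code) that applies them the way the descriptions state: every bit of the Required Permission Mask must be set, no bit of a Restricted mask may be set, and the script directory mask is tested against the parent directory. The audit_tree helper, its default masks and the SCRIPT_EXTENSIONS list are this example's own assumptions, used to walk a document root and report which files the configured masks would refuse to serve.

```python
import os
import stat


def static_file_permitted(mode, required_mask=0, restricted_mask=0):
    """Apply Required Permission Mask and Restricted Permission Mask to a file mode.

    mode is an st_mode value (or a bare mode such as 0o644); the masks are the
    octal values the settings take, e.g. 0o004 and 0o111. Returns (permitted, reason).
    """
    perm = stat.S_IMODE(mode)
    if perm & required_mask != required_mask:
        return False, "missing required bits %04o" % (required_mask & ~perm)
    if perm & restricted_mask:
        return False, "restricted bits set %04o" % (perm & restricted_mask)
    return True, "ok"


def script_permitted(script_mode, parent_dir_mode, script_restricted=0, dir_restricted=0):
    """Script Restricted Permission Mask is tested against the script itself,
    Script Restricted Directory Permission Mask against its parent directory
    (0o022 refuses group- or world-writable). A mask of 0, the default, disables the test.
    """
    hit = stat.S_IMODE(script_mode) & script_restricted
    if hit:
        return False, "script has restricted bits %04o" % hit
    hit = stat.S_IMODE(parent_dir_mode) & dir_restricted
    if hit:
        return False, "parent directory has restricted bits %04o" % hit
    return True, "ok"


# Constructed list of extensions treated as scripts for the audit (an assumption).
SCRIPT_EXTENSIONS = (".php", ".pl", ".rb", ".cgi")


def audit_tree(root, required=0o004, restricted=0o111,
               script_restricted=0o022, dir_restricted=0o022):
    """Walk a document root and list the files the given masks would refuse to serve.

    Returns sorted (path relative to root, reason) pairs. os.walk does not follow
    symlinked directories, and lstat is used so a symlink's own mode is examined.
    """
    refused = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = os.lstat(dirpath).st_mode
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                ok, why = script_permitted(st.st_mode, dir_mode, script_restricted, dir_restricted)
            else:
                ok, why = static_file_permitted(st.st_mode, required, restricted)
            if not ok:
                refused.append((os.path.relpath(path, root), why))
    return sorted(refused)


if __name__ == "__main__":
    import sys
    for rel, why in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%-40s %s" % (rel, why))
```

Running the audit over a docroot before tightening the masks shows which files would start returning errors, which is the practical way to pick values that keep normal content served while refusing executables, world-writable scripts and scripts inside writable upload directories.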
Per Client Throttling Control
Description: These are connection control settings based on client IP. They help to mitigate DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.
Static Requests/Second
Description: Specifies the maximum number of requests for static content from a single IP address that will be processed each second, regardless of the number of connections established. When the limit is reached, all further requests are tar-pitted until the next second. The request limit for dynamically generated content is independent of this limit. The per-client request limit can be set at server or virtual host level; the virtual host level setting overrides the server level setting.
Syntax: Integer number
Tips: [Security] Trusted IPs or sub-networks are not affected.
See Also: Dynamic Requests/Second
Dynamic Requests/Second
Description: Specifies the maximum number of requests for dynamically generated content from a single IP address that will be processed each second, regardless of the number of connections established. When the limit is reached, all further requests for dynamic content are tar-pitted until the next second. The request limit for static content is independent of this limit. The per-client request limit can be set at server or virtual host level; the virtual host level setting overrides the server level setting.
Syntax: Integer number
Tips: [Security] Trusted IPs or sub-networks are not affected.
See Also: Static Requests/Second
Outbound Bandwidth
Description: Specifies the maximum allowed outgoing throughput to a single IP address regardless of number of connections established. The real bandwidth could be slightly higher than this setting for efficiency. Bandwidth is allocated in 4KB units. Set to 0 to disable throttling. Per client bandwidth limit (bytes/sec) can be set at server or virtual host level where virtual host level setting overrides server level setting.
Syntax: Integer number
Tips: [Performance] Set the bandwidth in 8KB units for better performance.
  [Security] Trusted IPs or sub-networks are not affected.
See Also: Inbound Bandwidth
Inbound Bandwidth
Description: Specifies the maximum allowed incoming throughput from a single IP address regardless of number of connections established. The real bandwidth could be slightly higher than this setting for efficiency. Bandwidth is allocated in 1KB units. Set to 0 to disable throttling. Per client bandwidth limit (bytes/sec) can be set at server or virtual host level where virtual host level setting overrides server level setting.
Syntax: Integer number
Tips: [Security] Trusted IPs or sub-networks are not affected.
See Also: Outbound Bandwidth
Connection Soft Limit
Description: Specifies the soft limit of concurrent connections allowed from one IP. The soft limit can be exceeded temporarily during Grace Period (sec) as long as the number stays below Connection Hard Limit, but Keep-Alive connections will be closed as soon as possible until the number of connections is lower than the limit. If the number of connections is still over the limit after Grace Period (sec), that IP will be blocked for Banned Period (sec).
For example, if a page contains many small graphics, the browser may try to set up many connections at the same time, especially for HTTP/1.0 clients. You would want to allow those connections for a short period.
Even HTTP/1.1 clients may set up multiple connections to speed up downloading, and SSL requires separate connections from non-SSL connections. Make sure the limit is set properly so as not to adversely affect normal service. The recommended limit is between 5 and 10.
Syntax: Integer number
Tips: [Security] A lower number will enable serving more distinct clients.
  [Security] Trusted IPs or sub-networks are not affected.
  [Performance] Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.
Connection Hard Limit
Description: Specifies the maximum allowed concurrent connections from a single IP address. This limit is always enforced and a client will never be able to exceed it. HTTP/1.0 clients usually try to set up as many connections as they need to download embedded content at the same time. This limit should be set high enough for HTTP/1.0 clients; use Connection Soft Limit to set the desired connection limit.
The recommended limit is between 20 and 50 depending on the content of your web page and traffic load.
Syntax: Integer number
Tips: [Security] A lower number will enable serving more distinct clients.
  [Security] Trusted IPs or sub-networks are not affected.
  [Performance] Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.
Block Bad Request
Description: Block an IP that keeps sending malformed HTTP requests for Banned Period (sec). Default is Yes. This helps to block botnet attacks in the form of repetitively sending junk requests.
Syntax: Select from radio box
Grace Period (sec)
Description: Specifies for how long new connections can be accepted after the number of connections established from one IP exceeds Connection Soft Limit. Within this period, new connections will be accepted if the total number of connections is still below Connection Hard Limit. After this period, if the number of connections is still higher than Connection Soft Limit, that IP will be blocked for Banned Period (sec).
Syntax: Integer number
Tips: [Performance & Security] Set to a proper number big enough for downloading a complete page but low enough to prevent deliberate attacks.
Banned Period (sec)
Description: Specifies for how long new connections will be rejected from an IP at the end of Grace Period (sec) if the number of connections is still more than Connection Soft Limit. If the IP continues to go over the limit after a grace period, you should configure an even longer banned period for it.
Syntax: Integer number
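The interaction between Connection Soft Limit, Connection Hard Limit, Grace Period (sec) and Banned Period (sec) is easiest to see as a small state machine driven by a clock. The class below is an added example, not LiteSpeed's implementation: it models those four settings, the independent Static/Dynamic Requests/Second counters with their tar-pit outcome, and the trusted-IP exemption. The class and method names, the string outcomes and the sample addresses (from the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges) are all constructed for this example; one simplification, also an assumption, is that banning an IP drops the connections it still has open.

```python
class PerClientThrottle:
    """Per-client connection and request limits with an injected clock (seconds)."""

    def __init__(self, soft_limit, hard_limit, grace_period, banned_period,
                 static_rps=0, dynamic_rps=0, trusted=()):
        self.soft, self.hard = soft_limit, hard_limit
        self.grace, self.ban = grace_period, banned_period
        self.rps = {"static": static_rps, "dynamic": dynamic_rps}
        self.trusted = set(trusted)
        self.conns = {}         # ip -> open connections
        self.over_since = {}    # ip -> time the soft limit was first exceeded
        self.banned_until = {}  # ip -> time the ban expires
        self.counters = {}      # (ip, kind, second) -> requests seen in that second

    def connect(self, ip, now):
        """Decide on a new connection: 'accept', 'reject' (hard limit) or 'banned'."""
        if ip in self.trusted:                       # trusted IPs are never throttled
            self.conns[ip] = self.conns.get(ip, 0) + 1
            return "accept"
        if ip in self.banned_until:
            if now < self.banned_until[ip]:
                return "banned"
            del self.banned_until[ip]                # Banned Period is over
        n = self.conns.get(ip, 0)
        if n >= self.soft:
            since = self.over_since.setdefault(ip, now)
            if now - since > self.grace:
                # Still over the soft limit after Grace Period: block the IP for
                # Banned Period and drop what it has open (assumption, see lead-in).
                self.banned_until[ip] = now + self.ban
                self.conns.pop(ip, None)
                self.over_since.pop(ip, None)
                return "banned"
        if n >= self.hard:                           # hard limit is always enforced
            return "reject"
        self.conns[ip] = n + 1
        return "accept"

    def disconnect(self, ip):
        """A connection closed; returns how many the IP still has open."""
        n = self.conns.get(ip, 0) - 1
        if n <= 0:
            self.conns.pop(ip, None)
            n = 0
        else:
            self.conns[ip] = n
        if n < self.soft:                            # back under the soft limit: grace timer resets
            self.over_since.pop(ip, None)
        return n

    def request(self, ip, kind, now):
        """Static and dynamic limits are counted independently per second; past the
        limit the request is tar-pitted until the next second. 0 means unlimited."""
        limit = self.rps[kind]
        if ip in self.trusted or limit == 0:
            return "serve"
        key = (ip, kind, int(now))
        self.counters[key] = self.counters.get(key, 0) + 1
        return "serve" if self.counters[key] <= limit else "tarpit"


if __name__ == "__main__":
    t = PerClientThrottle(soft_limit=2, hard_limit=4, grace_period=10, banned_period=60)
    for now in (0, 0, 1, 2, 3, 12, 20, 72):          # constructed timeline for one client
        print("t=%-3d %s" % (now, t.connect("203.0.113.5", now)))
```

Walking the constructed timeline through the model shows why the documentation recommends a soft limit of 5 to 10 with a hard limit of 20 to 50: a burst of parallel page-asset connections is accepted during the grace period, while a client that stays over the soft limit past the grace period is banned rather than merely capped.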
CGI Daemon Socket
Description: A unique socket address used to communicate with the CGI daemon. LiteSpeed server uses a standalone CGI daemon to spawn CGI scripts for best performance and security. The default socket is "uds://$SERVER_ROOT/admin/conf/.cgid.sock". If you need to put it in another location, specify a Unix domain socket here.
Syntax: UDS://path
Example: UDS://tmp/lshttpd/cgid.sock.
Max CGI Instances
Description: Specifies the maximum number of concurrent CGI processes the server can start. For each request to a CGI script, the server needs to start a standalone CGI process. On a Unix system the number of concurrent processes is limited. Excessive concurrent processes will degrade the performance of the whole system and will be a target for DoS attacks. LiteSpeed server pipelines requests to CGI scripts and limits concurrent CGI processes to ensure optimal performance and reliability. The hard limit is 2000.
Syntax: Integer number
Tips: [Security & Performance] Higher limit does not necessarily translate to faster performance. In most cases lower limit gives better performance and security. Higher limit will only help when I/O latency is excessive during CGI processing.
Minimum UID
Description: Specifies the minimum user id of external applications. If LiteSpeed web server is started by the "root" user, it can run external applications in "suEXEC" mode, as found in Apache (changing to a user/group id other than the server's). Execution of an external script with a uid lower than the value specified here will be denied.
Syntax: Integer number
Tips: [Security] Set it high enough to exclude all system (privileged) users.
Minimum GID
Description: Specifies the minimum group id of external applications. If LiteSpeed server is started by the "root" user, it can run external applications in "suEXEC" mode, as found in Apache (changing to a user/group id other than the web server's). Execution of an external application with a gid lower than the value specified here will be denied.
Syntax: Integer number
Tips: [Security] Set it high enough to exclude all groups used by system users.
Force GID
Description: Specifies a group id to be used for all external applications started in suEXEC mode. When set to a non-zero value, all suEXEC external applications (CGI/FastCGI/LSAPI) will use this gid. This can be used to prevent an external application from accessing files owned by other users. For example, in a shared hosting environment, LiteSpeed runs as user www-data, group www-data; each docroot is owned by a user account, with group www-data and permission mode 0750. In this example, if 'Force GID' is set to 'nogroup' or any group other than 'www-data', all suEXEC external applications will run on behalf of the user who owns the document and group 'nogroup'. The external application process can only access files owned by that user, while the server can still serve files under all users' docroot directories.
Syntax: Integer number
Tips: [Security] Set it high enough to exclude all groups used by system users.
CGI Priority
Description: Specifies priority of the external application process. Value ranges from -20 to 20, lower number means higher priority. This priority cannot be set higher (lower number) than server's or else the server's priority will be used.
Syntax: int
See Also: Server Priority
CPU Soft Limit
Description: Specifies CPU consumption time limit in seconds for an external application process. When the process reaches the soft limit, it will be notified by a signal. Operating system's default will be used if the value is set to 0 or absent.
Syntax: Integer number
CPU Hard Limit
Description: Specifies the maximum CPU consumption time limit in seconds for an external application process. If the process continues to consume CPU time and reaches the hard limit, it will be forcibly killed. The operating system's default will be used if the value is set to 0 or absent.
Syntax: Integer number
Memory Soft Limit
Description: Specifies the memory consumption limit in bytes for an external application process or an external application started by the server. The main purpose of this limit is to prevent excessive memory usage caused by software bugs or intentional attacks, not to impose a limit on normal usage. Make sure to leave enough head room; otherwise your application will fail and a 503 error may be returned. It can be set at server level or at individual external application level. The server level limit will be used if it is not set at individual application level. The operating system's default will be used if the value is set to 0 or absent at both levels.
Syntax: Integer number
Tips: [Attention] Do not over-tune this limit; it may result in 503 errors if your application needs more memory.
Memory Hard Limit
Description: Same as Memory Soft Limit; a "Soft Limit" can be raised up to the "Hard Limit" from within a user process. It can be set at server level or at individual external application level. The server level limit will be used if it is not set at individual application level. The operating system's default will be used if the value is set to 0 or absent at both levels.
Syntax: Integer number
Process Soft Limit
Description: Limits the total number of processes that can be created on behalf of a user. This effectively limits the number of processes that can be launched by the web server on behalf of a user. All existing processes are counted against this limit, not just the new process to be started. If the limit is set to 10 and there are already more than 10 processes running under one user, then no new process can be started by the web server for that user (suEXEC).
The main purpose of this limit is to prevent "fork bomb" attacks or excessive usage, not to impose a limit on normal usage. Make sure to leave enough head room. It can be set at server level or at individual external application level. The server level limit will be used if it is not set at individual application level. The operating system's default value will be used if this value is 0 or absent at both levels.
Syntax: Integer number
Process Hard Limit
Description: Same as Process Soft Limit, "Soft Limit" can be raised up to the "Hard Limit" from within a user process. It can be set at server level or at individual external application level. Server level limit will be used if it is not set at individual application level. Operating system's default value will be used if the value is set to 0 or absent at both levels.
Syntax: Integer number
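The settings from Minimum UID through Process Hard Limit all describe what a server does in the child process between fork and exec of an external application: refuse identities below the minimums, optionally replace the gid, apply setrlimit() pairs, and set a nice value no better than the server's own. The following is an added example of that sequence in Python, not LiteSpeed's code. Its assumptions are labelled: the memory limit is mapped to RLIMIT_AS, a soft limit configured without a hard one gets hard equal to soft, an unset (0) limit leaves the OS default untouched, and the spawn_limited helper only changes uid/gid when it runs as root.

```python
import os
import resource
import subprocess


def suexec_identity(uid, gid, min_uid, min_gid, force_gid=0):
    """Apply Minimum UID, Minimum GID and Force GID to the identity an external
    application would run as. Raises PermissionError when execution must be denied."""
    if uid < min_uid:
        raise PermissionError("uid %d is below Minimum UID %d" % (uid, min_uid))
    if gid < min_gid:
        raise PermissionError("gid %d is below Minimum GID %d" % (gid, min_gid))
    return uid, (force_gid if force_gid else gid)


def effective_priority(cgi_priority, server_priority):
    """CGI Priority ranges from -20 to 20, lower meaning higher priority; it cannot be
    set higher than the server's, so the larger (lower-priority) value wins."""
    if not -20 <= cgi_priority <= 20:
        raise ValueError("CGI Priority must be between -20 and 20")
    return max(cgi_priority, server_priority)


def build_rlimits(cpu_soft=0, cpu_hard=0, mem_soft=0, mem_hard=0, proc_soft=0, proc_hard=0):
    """Translate the CPU/Memory/Process soft and hard limits into setrlimit() pairs.

    0 means "operating system default", so that resource is left out. A soft limit
    without a hard one gets hard == soft (assumption) so the process cannot raise it.
    Memory is mapped to RLIMIT_AS (assumption); processes to RLIMIT_NPROC.
    """
    limits = {}
    for res, soft, hard in ((resource.RLIMIT_CPU, cpu_soft, cpu_hard),
                            (resource.RLIMIT_AS, mem_soft, mem_hard),
                            (resource.RLIMIT_NPROC, proc_soft, proc_hard)):
        if not soft and not hard:
            continue
        soft = soft or hard
        hard = hard or soft
        if soft > hard:
            raise ValueError("soft limit above hard limit for resource %d" % res)
        limits[res] = (soft, hard)
    return limits


def spawn_limited(argv, uid, gid, limits, priority=0, min_uid=1000, min_gid=1000, force_gid=0):
    """Run argv as a suEXEC-style child: limits and nice value are applied after fork
    and before exec; uid/gid are switched only when the parent is root (assumption)."""
    run_uid, run_gid = suexec_identity(uid, gid, min_uid, min_gid, force_gid)

    def prepare_child():
        for res, pair in limits.items():
            resource.setrlimit(res, pair)
        server_nice = os.getpriority(os.PRIO_PROCESS, 0)
        os.setpriority(os.PRIO_PROCESS, 0, effective_priority(priority, server_nice))
        if os.geteuid() == 0:
            os.setgid(run_gid)
            os.setuid(run_uid)

    return subprocess.run(argv, preexec_fn=prepare_child, capture_output=True, text=True)


if __name__ == "__main__":
    # Demo as the current user: the child reports its CPU soft limit and uid.
    lim = build_rlimits(cpu_soft=10, cpu_hard=20, proc_soft=200, proc_hard=400)
    result = spawn_limited(["sh", "-c", "ulimit -t; id -u"], os.getuid(), os.getgid(),
                           lim, priority=5, min_uid=0, min_gid=0)
    print(result.stdout)
```

The order inside prepare_child matters: limits and priority are applied while the process still has the server's privileges, and the uid switch comes last, since after it the process could not lower its own hard limits in any case but also could no longer gain anything back.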
Access Denied Directories
Description: Specifies the directories that should be blocked from access. Add directories that contain sensitive data to this list to prevent accidentally exposing sensitive files to clients. Append a "*" to the path to include all sub-directories. If both Follow Symbolic Link and Check Symbolic Link are enabled, symbolic links will be checked against the denied directories.
Syntax: comma-delimited list of directories
Tips: [Security] Critical. This only prevents serving static files to clients; it does not prevent error-prone external scripts such as PHP/Ruby/CGI from exposing those files.
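Follow Symbolic Link, Check Symbolic Link (both described near the top of this page) and Access Denied Directories only give the intended protection when combined: a link is only examined against the denied list if it is followed at all, and a denied directory only covers its subtree when the entry ends in "*". The function below is an added example that is not LiteSpeed's code; it resolves one requested static file with os.path.realpath and applies the three settings in that order. The reading of the "*" suffix (an entry without it covers files directly inside the directory, "dir/*" covers the whole subtree), the function names, and the If Owner Match check being done on the final path component are assumptions of this example.

```python
import os


def denied_directory_hit(real_path, denied_dirs):
    """Return the Access Denied Directories entry covering real_path, or None.

    Assumed reading of the syntax: "dir" covers files directly inside dir,
    "dir/*" covers everything below it.
    """
    for entry in denied_dirs:
        entry = entry.strip()
        if entry.endswith("*"):
            base = os.path.normpath(entry[:-1] or "/")
            if real_path.startswith(base.rstrip("/") + "/"):
                return entry
        elif os.path.dirname(real_path) == os.path.normpath(entry):
            return entry
    return None


def static_serve_decision(full_path, follow="If Owner Match", check_symlink=True, denied_dirs=()):
    """Combine Follow Symbolic Link, Check Symbolic Link and Access Denied
    Directories for one static file. Returns (serve, reason)."""
    requested = os.path.normpath(full_path)
    # The requested path itself must not sit inside a denied directory.
    hit = denied_directory_hit(requested, denied_dirs)
    if hit:
        return False, "inside denied directory " + hit
    real = os.path.realpath(requested)
    if real != requested:                    # some path component is a symbolic link
        if follow == "No":
            return False, "symbolic link and Follow Symbolic Link is No"
        if follow == "If Owner Match":
            # Compare the final component's link owner with the target's owner.
            if os.lstat(requested).st_uid != os.stat(real).st_uid:
                return False, "link owner differs from target owner"
        if check_symlink:
            # Check Symbolic Link: the canonical real path is tested against the list.
            hit = denied_directory_hit(real, denied_dirs)
            if hit:
                return False, "link target is inside denied directory " + hit
    if not os.path.isfile(real):
        return False, "not a regular file"
    return True, "serve"


if __name__ == "__main__":
    import sys
    # Usage: script.py <file under docroot> <denied entry>...
    ok, why = static_serve_decision(sys.argv[1], "Yes", True, sys.argv[2:])
    print(ok, why)
```

The case worth testing on a real host is the one the Tips above call critical: with Follow Symbolic Link set to Yes and Check Symbolic Link off, a link placed under the docroot reaches a file inside a denied directory, and the function returns "serve" for it; enabling the check, or choosing No, turns that into a refusal.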
Access Control
Description: Specifies what sub network and/or IP address can access the server. This is a server level setting that affects all virtual hosts. You can also set up access control unique to each virtual host. Virtual host setting will NOT override the server setting.
Whether to block/allow an IP is determined by the combination of allowed list and denied list. If you want to block certain IP or sub-network, put * or ALL in Allowed List and list the blocked IP or sub-network in Denied List. If you want to only allow certain IP or sub-network, put * or ALL in Denied List and list the allowed IP or sub-network in Allowed List. The setting of the smallest scope that fits for an IP will be used to determine whether to block or allow.
Trusted IP or sub-network must be specified in the Allowed List by adding a trailing "T". Trusted IP or sub-network is not affected by connection/throttling limits. Only server level access control can set up trusted IP/sub-network.
Tips: [Security] Use this for general restrictions that apply to all virtual hosts.
Allowed List
Description: Specifies the list of IPs or sub-networks allowed.
Syntax: Comma-delimited list of IP addresses or sub-networks. Use * or ALL for everything; a sub-network can be written as 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1 or 192.168.1.*.
IPv6 address should be like ::1 or [::1], IPv6 subnet should be like 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64. A trailing "T" can be used to indicate a trusted IP or sub-network, like 192.168.1.*T.
Tips: [Security] Trusted IPs or sub-networks set at server level access control will be excluded from connection/throttling limits.
Denied List
Description: Specifies the list of IPs or sub-networks disallowed.
Syntax: Comma-delimited list of IP addresses or sub-networks. Use * or ALL for everything; a sub-network can be written as 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1 or 192.168.1.*.
IPv6 address should be like ::1 or [::1], IPv6 subnet should be like 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64.
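The Access Control section above states the rule that decides conflicts between the two lists: the entry with the smallest scope that fits the client IP wins, and only an Allowed List entry with a trailing "T" makes the client trusted. The parser and decision function below are an added example, not LiteSpeed's code. They accept every spelling the Syntax lines give (* or ALL, netmask and prefix-length forms, the 192.168.1 and 192.168.1.* shorthands, bare and bracketed IPv6 with or without a prefix, the trailing T) using the standard ipaddress module. Two behaviours the page does not specify are assumptions of this example: a client matching neither list is denied, and a tie between equally specific allow and deny entries goes to deny.

```python
import ipaddress

ALL_V4 = ipaddress.ip_network("0.0.0.0/0")
ALL_V6 = ipaddress.ip_network("::/0")


def parse_entry(raw):
    """Parse one Allowed/Denied List entry into ([networks], trusted)."""
    text = raw.strip()
    trusted = text.endswith("T")              # trailing T marks a trusted entry
    if trusted:
        text = text[:-1]
    if text in ("*", "ALL"):
        return [ALL_V4, ALL_V6], trusted
    if text.startswith("["):                  # [::1] or [addr]/64
        close = text.index("]")
        text = text[1:close] + text[close + 1:]
    if ":" in text:                           # IPv6 host or subnet
        return [ipaddress.ip_network(text, strict=False)], trusted
    if "/" not in text:                       # 192.168.1, 192.168.1.* or a single host
        parts = text.split(".")
        if parts[-1] == "*":
            parts = parts[:-1]
        if len(parts) < 4:
            prefix = 8 * len(parts)
            text = ".".join(parts + ["0"] * (4 - len(parts))) + "/%d" % prefix
    # Remaining forms (a.b.c.d, a.b.c.d/24, a.b.c.d/255.255.255.0) are native to ipaddress.
    return [ipaddress.ip_network(text, strict=False)], trusted


class AccessControl:
    """Allowed List plus Denied List, resolved by smallest matching scope."""

    def __init__(self, allowed, denied):
        self.rules = []                       # (network, action, trusted)
        for text, action in ((allowed, "allow"), (denied, "deny")):
            for raw in text.split(","):
                if raw.strip():
                    nets, trusted = parse_entry(raw)
                    for net in nets:
                        self.rules.append((net, action, trusted and action == "allow"))

    def decide(self, ip_text):
        """Return (action, trusted) for a client address."""
        ip = ipaddress.ip_address(ip_text)
        best = None
        for net, action, trusted in self.rules:
            if net.version != ip.version or ip not in net:
                continue
            # Longer prefix = smaller scope = wins; equal scope: deny wins (assumption).
            if (best is None or net.prefixlen > best[0].prefixlen
                    or (net.prefixlen == best[0].prefixlen and action == "deny")):
                best = (net, action, trusted)
        if best is None:
            return "deny", False              # no entry fits: denied (assumption)
        return best[1], best[2]


if __name__ == "__main__":
    # Constructed configuration: everyone allowed, one management subnet trusted,
    # 10/8 otherwise denied, one IPv6 subnet denied.
    acl = AccessControl("ALL, 10.1.2.0/24T, [::1]T",
                        "10.0.0.0/255.0.0.0, 3ffe:302:11:2:20f:1fff:fe29:717c/64")
    for client in ("10.1.2.7", "10.9.9.9", "203.0.113.1", "::1", "3ffe:302:11:2::1"):
        print("%-20s %s" % (client, acl.decide(client)))
```

The "allow only these" pattern from the description (ALL in the Denied List, the permitted networks in the Allowed List) falls out of the same scope rule: the specific allow entries beat the catch-all deny.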