Server Security
 
Table of Contents
File Access Control: Follow Symbolic Link, Check Symbolic Link, Required Permission Mask, Restricted Permission Mask
Per Client Connection Control: Throttle Limit, Connection Soft Limit, Connection Hard Limit, Grace Period (sec), Banned Period (sec)
CGI Resource Control: Max Concurrent CGI Instances, Minimum UID, Minimum GID, CGI Priority, CPU Soft Limit, CPU Hard Limit, Memory Soft Limit, Memory Hard Limit, Process Soft Limit, Process Hard Limit
Access Denied Directories: Access Denied Directories
Access Control: Allowed List, Denied List
 
Follow Symbolic Link
Description: Specifies the server level default setting for following symbolic links when serving static files. Choices are Yes, If Owner Match and No. Yes will always follow a symbolic link; If Owner Match will follow a symbolic link only if the owner of the link and the owner of the target are the same; No will never follow a symbolic link. This setting can be overridden by each individual virtual host.
Syntax: Select from drop down list
Apply: On the fly with reload.
Tips: [Performance & security] For better security select No or If Owner Match; for better performance, select Yes.
Check Symbolic Link
Description: Specifies whether to check symbolic links against Access Denied Directories when Follow Symbolic Link is turned on. If enabled, the canonical real path of the resource referred to by a URL will be checked against the configurable access denied directories. Access will be denied if it falls inside an access denied directory.
Syntax: Select from radio box
Apply: On the fly with reload.
Tips: [Performance & security] For better security, enable it; for better performance, disable it.
Required Permission Mask
Description: Specifies the required permission mask for static files that the web server will serve. For example, to only serve files that are readable by everyone, set the value to 0004. See man 2 stat for all values.
Syntax: octal numbers
Apply: On the fly with reload.
Restricted Permission Mask
Description: Specifies the restricted permission mask for static files that the web server will not serve. For example, to prohibit files that are executable, set the mask to 0111. See man 2 stat for all values.
Syntax: octal numbers
Apply: On the fly with reload.
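The following is an added example, not code from this documentation or from LiteSpeed, showing how the three file-access settings above combine when deciding whether a static file may be served: the Follow Symbolic Link policy (Yes, If Owner Match, No), then the Required Permission Mask (every bit must be set) and the Restricted Permission Mask (no bit may be set) applied to the mode of the resolved file. The policy names, function names and the fixture built in a temporary directory are assumptions of the example.

```python
import os
import shutil
import stat
import tempfile


def resolve_static(path, follow_symlink):
    """Apply the Follow Symbolic Link policy: 'yes', 'owner' (If Owner Match) or 'no'.
    Returns the stat result of the file that would be served, or None to refuse."""
    try:
        st = os.lstat(path)  # does not follow the link itself
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode):
        if follow_symlink == "no":
            return None
        try:
            target = os.stat(path)  # stat of the link target
        except FileNotFoundError:
            return None  # dangling link
        if follow_symlink == "owner" and target.st_uid != st.st_uid:
            return None  # link owner and target owner differ
        st = target
    return st


def passes_masks(st, required_mask, restricted_mask):
    """Required mask: all of its bits must be set. Restricted mask: none of its bits may be set."""
    mode = stat.S_IMODE(st.st_mode)
    return (mode & required_mask) == required_mask and (mode & restricted_mask) == 0


def can_serve(path, follow_symlink="owner", required_mask=0o004, restricted_mask=0o111):
    """Defaults mirror the examples in the text: world-readable required, executable refused."""
    st = resolve_static(path, follow_symlink)
    if st is None or not stat.S_ISREG(st.st_mode):
        return False
    return passes_masks(st, required_mask, restricted_mask)


def demo():
    """Constructed fixture: three files with different modes and one symlink, in a temp dir."""
    d = tempfile.mkdtemp()
    try:
        def make(name, mode):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("x")
            os.chmod(p, mode)
            return p

        public = make("public.html", 0o644)
        private = make("private.html", 0o640)
        script = make("script.cgi", 0o755)
        link = os.path.join(d, "link.html")
        os.symlink(public, link)  # same owner as its target
        return {
            "public": can_serve(public),        # True
            "private": can_serve(private),      # False: not readable by everyone
            "script": can_serve(script),        # False: executable bits set
            "link_no": can_serve(link, "no"),   # False: links never followed
            "link_yes": can_serve(link, "yes"),  # True
            "link_owner": can_serve(link, "owner"),  # True: owners match
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

Note that the mask checks run on the mode of the resolved target, not of the link, which is why the policy check must come first.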
Per Client Connection Control
Description: These settings control connections per IP address. They help against DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.
Throttle Limit
Description: Specifies the maximum allowed throughput (input/output each way) from a single IP address. Throttle limit is at IP level regardless of how many connections are established. The real bandwidth could be slightly higher than this setting for efficiency. Bandwidth is allocated in 4KB units. Set to 0 to disable throttling.
Syntax: Integer number
Apply: On the fly with reload.
Tips: [Performance] Set the bandwidth in 8KB units for better performance.
[Security] Trusted IP or sub-network is not limited.
Connection Soft Limit
Description: Specifies the soft limit of concurrent connections allowed from one IP. The Soft Limit can be exceeded temporarily during Grace Period (sec) as long as the number stays below the Connection Hard Limit, but Keep-Alive connections will be closed as soon as possible until the number of connections is lower than the limit. If the number of connections is still over the limit after the Grace Period (sec), that IP will be blocked for Banned Period (sec).
For example, if a page contains many small graphics, the browser may try to set up many connections at the same time, especially for HTTP/1.0 clients. You would want to allow those connections for a short period.
Even HTTP/1.1 clients may set up multiple connections to speed up downloading, and SSL requires separate connections from non-SSL connections. Make sure the limit is set properly so as not to affect normal web service. The recommended limit is between 5 and 10.
Syntax: Integer number
Apply: On the fly with reload.
Tips: [Security] A lower number will enable serving more distinct clients.
[Security] Trusted IP or sub-network is not limited.
[Performance] Set a higher value when you perform a benchmark test with limited number of client machines.
Connection Hard Limit
Description: Specifies the maximum allowed concurrent connections from a single IP address. This limit is always enforced and a client will never be able to exceed it. HTTP/1.0 clients usually try to set up as many connections as they need to download embedded content at the same time. This limit should be set high enough for HTTP/1.0 clients; use Connection Soft Limit to set the desired connection limit.
The recommended limit is between 20 and 50, depending on the content of your web page.
Syntax: Integer number
Apply: On the fly with reload.
Tips: [Security] A lower number will enable serving more distinct clients.
[Security] Trusted IP or sub-network is not limited.
[Performance] Set a higher value when you perform a benchmark test with limited number of client machines.
Grace Period (sec)
Description: Specifies for how long new connections can still be accepted after the number of connections established from one IP has gone over . Within this period, new connections will be accepted as long as the total is still below Connection Hard Limit. After this period, if the number of connections is still higher than , that IP will be blocked for Banned Period (sec).
Syntax: Integer number
Apply: On the fly with reload.
Tips: [Performance & Security] Set to a proper number big enough for downloading a complete page, and short enough to prevent attacks.
Banned Period (sec)
Description: Specifies for how long new connections will be rejected from one IP at the end of Grace Period (sec) if the number of connections is still more than . That IP is considered an unfriendly user, possibly an attacker. During this period, no connection requests will be accepted from that IP.
Syntax: Integer number
Apply: On the fly with reload.
Max Concurrent CGI Instances
Description: Specifies the maximum number of concurrent CGI processes that the web server can start. For each request to a CGI script, the web server needs to start a standalone CGI process to handle it. On a Unix system the number of concurrent processes is limited; excessive concurrent processes will degrade the performance of the whole system, and it could become a target of a DoS attack. LiteSpeed Web Server pipelines requests to CGI scripts and limits concurrent CGI processes to ensure maximum performance and reliability. The hard limit is 2000.
Syntax: Integer number
Apply: On the fly with reload.
Tips: [Security & Performance] A higher limit does not necessarily mean higher performance; in most cases a lower limit gives better performance and security. A higher limit only helps when I/O latency is high during CGI processing.
Minimum UID
Description: Specifies the minimum user id of a CGI script. If LiteSpeed Web Server is started by the "root" user, it can run CGI scripts in "suEXEC" mode, as found in Apache (changing to a user/group id other than the web server's). Execution of CGI with a user id lower than the value specified here will be denied.
Syntax: Integer number
Apply: On the fly with reload.
Tips: [Security] Set it high enough to exclude all system users.
Minimum GID
Description: Specifies the minimum group id of a CGI script. If LiteSpeed Web Server is started by the "root" user, it can run CGI scripts in "suEXEC" mode, as found in Apache (changing to a user/group id other than the web server's). Execution of CGI with a group id lower than the value specified here will be denied.
Syntax: Integer number
Apply: On the fly with reload.
Tips: [Security] Set it high enough to exclude all groups used by system users.
CGI Priority
Description: Specifies the priority of the server process. The value ranges from -20 to 20; a lower number means a higher priority.
Syntax: int
Apply: Restart required.
Tips: Usually it should be above 0.
CPU Soft Limit
Description: Specifies the CPU consumption time limit in seconds for a CGI process. When the process reaches the soft limit, it will be notified by a signal. The operating system's default will be used if the value is set to 0 or absent.
Syntax: Integer number
Apply: On the fly with reload.
CPU Hard Limit
Description: Specifies the maximum CPU consumption time limit in seconds for a CGI process. If the process continues to consume CPU time and reaches the hard limit, the process will be forcibly killed. The operating system's default will be used if the value is set to 0 or absent.
Syntax: Integer number
Apply: On the fly with reload.
Memory Soft Limit
Description: Specifies the memory consumption limit in bytes for a CGI process. The operating system's default will be used if the value is set to 0 or absent.
Syntax: Integer number
Apply: On the fly with reload.
Memory Hard Limit
Description: Specifies the maximum memory consumption limit in bytes for a CGI process. The operating system's default will be used if the value is set to 0 or absent.
Syntax: Integer number
Apply: On the fly with reload.
Process Soft Limit
Description: Limits the number of child processes that can be created for the real user ID of the server process. This effectively limits the number of child processes the CGI process can launch. The operating system's default value will be used if the value is set to 0 or absent.
Syntax: Integer number
Apply: On the fly with reload.
Process Hard Limit
Description: Limits the maximum number of processes that can be created for the real user ID of the server process. No more processes can be forked upon reaching this limit. The operating system's default value will be used if the value is set to 0 or absent.
Syntax: Integer number
Apply: On the fly with reload.
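The CGI Resource Control settings above (Minimum UID/GID, CGI Priority and the CPU, memory and process soft/hard limits) as an added example of how such a launcher can enforce them with the POSIX resource-limit interface. This is illustrative code, not LiteSpeed's implementation; the mapping of the settings onto RLIMIT_CPU, RLIMIT_AS and RLIMIT_NPROC, the config key names and the function names are assumptions of the example. Two details a launcher has to get right are shown: a value of 0 or an absent key keeps the operating system's default, and an unprivileged parent cannot raise a hard limit, so the requested values are clamped to what the parent already has.

```python
import os
import resource
import subprocess

# Assumed mapping from the documented settings to POSIX resource limits.
RLIMIT_FOR = {
    "cpu": resource.RLIMIT_CPU,        # CPU Soft/Hard Limit, seconds
    "memory": resource.RLIMIT_AS,      # Memory Soft/Hard Limit, bytes
    "process": resource.RLIMIT_NPROC,  # Process Soft/Hard Limit
}
INF = resource.RLIM_INFINITY


def identity_allowed(uid, gid, min_uid, min_gid):
    """Minimum UID / Minimum GID: refuse to run a script owned below either floor."""
    return uid >= min_uid and gid >= min_gid


def build_rlimits(cfg, current):
    """Turn the soft/hard pairs in cfg into (soft, hard) values for setrlimit.
    cfg keys: cpu_soft, cpu_hard, memory_soft, ...; 0 or missing keeps the OS default.
    current: name -> (soft, hard) as reported by getrlimit in the parent."""
    result = {}
    for name in RLIMIT_FOR:
        soft = cfg.get(name + "_soft") or 0
        hard = cfg.get(name + "_hard") or 0
        if not soft and not hard:
            continue  # both 0/absent: leave the OS default untouched
        cur_soft, cur_hard = current[name]
        new_hard = hard or cur_hard
        # an unprivileged process may lower but never raise its hard limit
        if cur_hard != INF and (new_hard == INF or new_hard > cur_hard):
            new_hard = cur_hard
        new_soft = soft or cur_soft
        # the soft limit can never exceed the hard limit
        if new_hard != INF and (new_soft == INF or new_soft > new_hard):
            new_soft = new_hard
        result[name] = (new_soft, new_hard)
    return result


def apply_cgi_limits(cfg):
    """Runs in the child between fork and exec (subprocess preexec_fn)."""
    current = {n: resource.getrlimit(r) for n, r in RLIMIT_FOR.items()}
    for name, limits in build_rlimits(cfg, current).items():
        resource.setrlimit(RLIMIT_FOR[name], limits)
    prio = cfg.get("priority", 0)
    if prio > 0:  # positive values lower the priority; raising it would need root
        os.nice(prio)


def run_cgi(argv, cfg, script_uid, script_gid):
    """Launch a CGI program under the configured identity floor and resource limits."""
    if not identity_allowed(script_uid, script_gid, cfg.get("min_uid", 0), cfg.get("min_gid", 0)):
        raise PermissionError("script owner is below Minimum UID/GID; refusing to run it")
    return subprocess.run(argv, preexec_fn=lambda: apply_cgi_limits(cfg),
                          capture_output=True, text=True, check=False)


def demo():
    """Constructed parent limits: CPU and memory unlimited, NPROC already capped at 4096."""
    current = {"cpu": (INF, INF), "memory": (INF, INF), "process": (4096, 4096)}
    cfg = {"cpu_soft": 10, "cpu_hard": 30,
           "memory_hard": 512 * 1024 * 1024,      # soft absent: clamped down to the hard value
           "process_soft": 8000, "process_hard": 8000}  # above the parent's cap: clamped to 4096
    return build_rlimits(cfg, current)


if __name__ == "__main__":
    cfg = {"min_uid": 500, "min_gid": 500, "priority": 5,
           "cpu_soft": 10, "cpu_hard": 30, "memory_hard": 512 * 1024 * 1024}
    # constructed "script" owner 1000:1000; the shell prints its own CPU time limit
    res = run_cgi(["sh", "-c", "ulimit -t; echo done"], cfg, script_uid=1000, script_gid=1000)
    print(res.stdout)
```

Max Concurrent CGI Instances is a counter held by the server rather than a per-process rlimit, so it is not part of this block; a semaphore around run_cgi would be the natural place for it.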
Access Denied Directories
Description: Specifies the directories that should be blocked from access. Add directories that contain sensitive data to this list to prevent accidentally sending a file to clients. Append a "*" to the path to include all sub-directories. If both Follow Symbolic Link and Check Symbolic Link are enabled, symbolic links will be checked against the denied directories.
Syntax: comma-separated list of directories
Apply: On the fly with reload.
Tips: [Security] Important! This only prevents static files from being served to clients; it does not stop error-prone CGI scripts from exposing them.
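An added example (not LiteSpeed's code) of the denied-directory check described above, including the interaction with Check Symbolic Link: with the check enabled the canonical real path of the requested file is tested, so a symbolic link inside the document root that points into a denied directory is refused; with it disabled only the literal path is tested. A trailing "*" covers all sub-directories; the example reads an entry without "*" as covering only files directly inside that directory, which is an assumption, as are the function names and the temporary-directory fixture.

```python
import os
import shutil
import tempfile


def is_denied(path, denied_dirs, check_symlink=True):
    """True if the file at path falls under one of the Access Denied Directories.
    check_symlink=True tests the canonical real path (symlinks resolved), as the
    Check Symbolic Link setting does; False tests the path as requested."""
    target = os.path.realpath(path) if check_symlink else os.path.normpath(path)
    for entry in denied_dirs:
        entry = entry.strip()
        if not entry:
            continue
        if entry.endswith("*"):
            # "/dir/*": the directory and everything below it
            base = os.path.normpath(entry[:-1] or "/")
            if target == base or target.startswith(base.rstrip("/") + "/"):
                return True
        elif os.path.dirname(target) == os.path.normpath(entry):
            # "/dir": files directly inside the directory (assumed reading)
            return True
    return False


def demo():
    """Constructed layout: <tmp>/secret/keys.txt, <tmp>/secret/sub/more.txt and a
    document root <tmp>/html containing a symlink that points into secret/sub."""
    d = os.path.realpath(tempfile.mkdtemp())  # realpath so a symlinked tmp dir compares cleanly
    try:
        secret = os.path.join(d, "secret")
        sub = os.path.join(secret, "sub")
        html = os.path.join(d, "html")
        for p in (sub, html):
            os.makedirs(p)
        top_file = os.path.join(secret, "keys.txt")
        sub_file = os.path.join(sub, "more.txt")
        for p in (top_file, sub_file):
            with open(p, "w") as f:
                f.write("x")
        leak = os.path.join(html, "leak.txt")
        os.symlink(sub_file, leak)  # link in the document root pointing into secret/
        recursive = [secret + "/*"]  # "Append a * to include all sub-directories"
        shallow = [secret]
        return {
            "top_recursive": is_denied(top_file, recursive),      # True
            "sub_recursive": is_denied(sub_file, recursive),      # True
            "top_shallow": is_denied(top_file, shallow),          # True
            "sub_shallow": is_denied(sub_file, shallow),          # False: not directly inside
            "link_checked": is_denied(leak, recursive, True),     # True: real path resolved
            "link_unchecked": is_denied(leak, recursive, False),  # False: literal path is under html/
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

The last two results are the reason the Tips for Check Symbolic Link recommend enabling it: without the canonical-path check, a link placed under the document root bypasses the denied list entirely.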
Access Control
Description: Specifies which sub-networks and/or IP addresses can access the server. This is a server level setting that affects all virtual hosts. You can also set up access control for each virtual host in addition to this. The virtual host setting will NOT override the server setting.
Whether to block/allow an IP is determined by the combination of allowed list and denied list. If you want to block certain IP or sub-network, put * or ALL in Allowed List and list the blocked IP or sub-network in Denied List. If you want to only allow certain IP or sub-network, put * or ALL in Denied List and list the allowed IP or sub-network in Allowed List. The setting of the smallest scope that fits for an IP will be used to determine whether to block or allow.
Trusted IP or sub-network must be specified in the Allowed List by adding a trailing "T". Trusted IP or sub-network is not limited by connection/throttling limits. Only server level access control can set up trusted IP/sub-network.
Tips: [Security] Only put here restrictions that apply to all virtual hosts.
Allowed List
Description: Specifies the list of IP addresses or sub-networks allowed.
Syntax: comma-separated list of IP addresses or sub-networks. * or ALL matches everything; a sub-network can be written like 192.168.1.0/255.255.255.0, 192.168.1 or 192.168.1.*.
A trailing "T" can be used to indicate a trusted IP or sub-network, like 192.168.1.*T.
Apply: On the fly with reload.
Tips: [Security] Trusted IP or sub-network can be set in server level access control and they are not limited by connection/throttling limits.
Denied List
Description: Specifies the list of IP addresses or sub-networks disallowed.
Syntax: comma-separated list of IP addresses or sub-networks. * or ALL matches everything; a sub-network can be written like 192.168.1.0/255.255.255.0 or 192.168.1.*.
Apply: On the fly with reload.
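The Allowed List / Denied List evaluation described under Access Control, as an added example that is not LiteSpeed's code: both lists are parsed in the documented syntaxes (a netmask form, a truncated dotted prefix, a "*" wildcard octet, * or ALL, and a trailing "T" for trusted entries in the Allowed List), and the entry with the smallest scope that matches the client IP decides. Two details are assumptions of the example rather than statements of the page: an IP matched by neither list is allowed, and when an allowed and a denied entry have exactly the same scope the denied one wins. The class and function names are also assumed.

```python
import ipaddress


def parse_entry(entry):
    """Parse one list entry into (network, trusted)."""
    entry = entry.strip()
    trusted = entry.endswith("T")  # "192.168.1.*T" marks a trusted entry
    if trusted:
        entry = entry[:-1]
    if entry in ("*", "ALL"):
        return ipaddress.ip_network("0.0.0.0/0"), trusted
    if "/" in entry:  # 192.168.1.0/255.255.255.0 or CIDR
        return ipaddress.ip_network(entry, strict=False), trusted
    octets = [o for o in entry.split(".") if o != "*"]
    if len(octets) == 4:  # a single host
        return ipaddress.ip_network(entry + "/32"), trusted
    # 192.168.1 or 192.168.1.*: each given octet adds 8 bits of prefix
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}"), trusted


class AccessControl:
    def __init__(self, allowed_list, denied_list):
        self.allowed = [parse_entry(e) for e in allowed_list.split(",") if e.strip()]
        # the trusted flag is only meaningful in the Allowed List, so it is dropped here
        self.denied = [parse_entry(e)[0] for e in denied_list.split(",") if e.strip()]

    def check(self, ip):
        """Return (allowed, trusted) for a client address. The smallest matching
        scope (longest prefix) wins across both lists."""
        addr = ipaddress.ip_address(ip)
        allow = max((e for e in self.allowed if addr in e[0]),
                    key=lambda e: e[0].prefixlen, default=None)
        deny = max((n for n in self.denied if addr in n),
                   key=lambda n: n.prefixlen, default=None)
        if allow is None and deny is None:
            return True, False  # assumed default: unlisted addresses are allowed
        if allow is None:
            return False, False
        if deny is None or allow[0].prefixlen > deny.prefixlen:
            return True, allow[1]
        return False, False  # denied entry is as specific or more: deny wins


def demo():
    """Constructed configurations mirroring the two patterns in the description."""
    block_subnet = AccessControl("*", "203.0.113.0/255.255.255.0")
    allow_only = AccessControl("192.168.1.*T, 10.0.0.5", "ALL")
    nested = AccessControl("192.168.0.0/16", "192.168.5.*")
    return {
        "blocked": block_subnet.check("203.0.113.7"),      # (False, False)
        "other": block_subnet.check("198.51.100.1"),       # (True, False)
        "trusted_lan": allow_only.check("192.168.1.20"),   # (True, True)
        "single_host": allow_only.check("10.0.0.5"),       # (True, False)
        "stranger": allow_only.check("10.0.0.6"),          # (False, False)
        "nested_deny": nested.check("192.168.5.9"),        # (False, False): /24 beats /16
        "nested_allow": nested.check("192.168.6.9"),       # (True, False)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: allowed={verdict[0]} trusted={verdict[1]}")
```

The trusted flag returned here is what the connection-control code would consult to skip the per-client connection and throttling limits, which is why the page restricts "T" to the server level Allowed List.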