✅ Project Status: Actively Maintained
OpenLiteSpeed is actively maintained by LiteSpeed Technologies with regular security updates.
| Aspect | Status | Notes |
|---|---|---|
| Project Maintenance | ✅ Active | Regular releases |
| Security Response | ✅ Responsive | Security patches issued promptly |
| Recent Releases | ✅ 1.8.5 (Jan 2025) | Security fixes included |
| Known CVEs | ⚠️ Few | Recent QUIC vulnerabilities patched |
| Package Availability | ✅ Available | Official repository |
```bash
# Set the WebAdmin console username and password
sudo /usr/local/lsws/admin/misc/admpass.sh
# UFW - allow the admin port (7080) only from a trusted subnet
sudo ufw allow from 192.168.1.0/24 to any port 7080 proto tcp
# firewalld
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="7080" protocol="tcp" accept'
```
Use Let’s Encrypt via admin console:
```bash
# Enable OWASP mod_security rules
bash bin/webadmin.sh -M enable   # Docker
# Or via admin console: Module → mod_security → Enable
```

```bash
# UFW
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 443/udp   # HTTP/3 QUIC
sudo ufw allow from 192.168.1.0/24 to any port 7080 proto tcp   # Admin console, trusted subnet only
sudo ufw allow 8088/tcp  # Test page (optional)
# firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-port=443/udp
# Admin console, trusted subnet only
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="7080" protocol="tcp" accept'
sudo firewall-cmd --reload
```

```bash
# Configuration files
sudo chown root:root /usr/local/lsws/conf/*.conf
sudo chmod 644 /usr/local/lsws/conf/*.conf
# Admin directory
sudo chown root:root /usr/local/lsws/admin
sudo chmod 755 /usr/local/lsws/admin
# Log directory
# (nobody:nogroup is the Debian/Ubuntu naming; RHEL-family systems use nobody:nobody)
sudo chown nobody:nogroup /usr/local/lsws/logs
sudo chmod 755 /usr/local/lsws/logs
# Virtual host directories
sudo chown -R nobody:nogroup /var/www
sudo chmod 755 /var/www
```

```ini
# /etc/systemd/system/lsws.service.d/hardening.conf
[Service]
# Filesystem protection
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
ReadWritePaths=/usr/local/lsws/logs /var/www
# Network restrictions
# AF_UNIX is required for the Unix domain sockets used to talk to lsphp
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Capability restrictions
# The server starts as root and switches its workers to an unprivileged user,
# which needs CAP_SETUID and CAP_SETGID in addition to binding ports 80/443
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
AmbientCapabilities=
# System call filtering
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Memory protection
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Restrict privileges
NoNewPrivileges=true
RestrictSUIDSGID=true
# Resource limits
LimitNOFILE=65535
```
Configure via admin console:
```
# Via admin console or config
maxRequestBody: 50M
maxRequestTime: 300
```

```
# Enable in admin console: Log → Access Log
logFormat: "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
```
| Risk | Mitigation |
|---|---|
| 0-RTT Replay | Disable 0-RTT for sensitive apps |
| UDP Amplification | Rate limit UDP connections |
| Connection Migration | Validate migration tokens |

```bash
# Debian/Ubuntu
sudo apt update && sudo apt list --upgradable | grep litespeed
# RHEL/CentOS
sudo dnf check-update | grep litespeed
```

```bash
# Check error logs
sudo tail -f /usr/local/lsws/logs/error.log
# Check access logs
sudo tail -f /usr/local/lsws/logs/access.log
# Check for failed login attempts
sudo grep "failed" /usr/local/lsws/logs/error.log
```
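
An added example (not part of the original page or of OpenLiteSpeed itself): a parser for the access-log `logFormat` configured above that flags clients with repeated 401/403 responses per virtual host. The sample lines, the threshold of 3 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Field layout of the logFormat above:
#   %v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
Q = r'(?:[^"\\]|\\.)*'  # body of a quoted field; tolerates backslash-escaped quotes
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>' + Q + r')" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>' + Q + r')" "(?P<agent>' + Q + r')"$'
)
AUTH_FAILURE = {"401", "403"}  # statuses treated as denied access (assumption)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_clients(lines, threshold=3):
    """Count 401/403 responses per (vhost, client) and return those at or above threshold."""
    failures, unparsed = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # counted so a logFormat mismatch is visible, not silent
        elif rec["status"] in AUTH_FAILURE:
            failures[(rec["vhost"], rec["host"])] += 1
    flagged = {key: n for key, n in failures.items() if n >= threshold}
    return flagged, unparsed

# Constructed sample lines (documentation IP ranges), not real traffic
SAMPLE_LOG = r'''
Example 203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /login.php HTTP/1.1" 401 512 "-" "curl/8.5.0"
Example 203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "POST /login.php HTTP/1.1" 401 512 "-" "curl/8.5.0"
Example 203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "POST /login.php HTTP/1.1" 403 498 "-" "curl/8.5.0"
Example 198.51.100.20 - alice [10/Jan/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 1024 "https://example.com/" "Mozilla/5.0"
Example 198.51.100.20 - - [10/Jan/2025:10:00:05 +0000] "GET /admin HTTP/1.1" 403 - "-" "Mozilla/5.0 \"quoted\""
truncated line without the expected fields
'''.strip().splitlines()

if __name__ == "__main__":
    flagged, unparsed = suspicious_clients(SAMPLE_LOG)
    for (vhost, host), n in flagged.items():
        print(f"{vhost}: {host} had {n} denied requests")
    print(f"{unparsed} line(s) did not match the configured logFormat")
```

A non-zero unparsed count usually means the running `logFormat` differs from the one this parser expects, so check it before trusting an empty result.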
See OpenLiteSpeed Hardening for server-specific hardening details.