In Progress CPANEL-41951 - LiteSpeed segmented chroot()ed spam on server that don't have LiteSpeed

[eugenevdm.host]

As of late I'm getting email warnings from WHM which appears to be spam as I'm not interesting in CloudLinux nor Litespeed.
These servers don't even have LiteSpeed on

Sample below:

Medium

Apache

LiteSpeed vhosts are not segmented or chroot()ed. Consider a more robust solution by using “CageFS on CloudLinux”.

What's pretty irritating is there warnings are almost daily and on all of many of my servers.

How do I turn these off without compromising the entire system of notifications of problems?

The links provided below is for global, not to switch of individual spammy messages about products I don't use or want to use.

What am I missing?

 

[cPRex]

Hey there! If you aren't running Litespeed, it doesn't make sense to me that you are receiving that message. Is it possible that any Litespeed packages are installed on the server? If not, could you create a ticket with our team so we can take a look?

 

[Web City Media]

Same situation. We are still seeing these messages. We have submitted a support request 94514265. Is this an upsell, bad notification programming or a real issue we need to learn to resolve.

 

[cPRex]

Thanks for posting that ticket number. I'm following along on my end now so we can get to the bottom of this.

 

[jcbfergie]

I've been having the same issue - no litespeed. Originally the message also suggested that I enable mod_ruid2, enable Jail Apache, and change users to jailshell. I did all those items but still get this message.

 

[rivermobster]

Same here. Litespeed not active/installed...

 

[Web City Media]

There is a case opened with the development team. They see it but do not have a fix yet. Will post any updates here.

 

[cPRex]

We're tracking this issue with case CPANEL-41951 and I'll be sure to post updates once I get them!

 

[rivermobster]

So tonight, I came across this (updated 17 hours ago)...

https://support.cpanel.net/hc/en-us/articles/360047967413-Why-does-Security-Advisor-report-Apache-vhosts-are-not-segmented-or-chroot-ed-#:~:text=Security-,Why%20does%20Security%20Advisor%20report%20%22Apache%20vhosts%20are,segmented%20or%20chroot()ed%22%3F&text=You%20are%20most%20likely%20to,sites%20in%20a%20jailed%20environment

.

I thought I would follow the instructions, to see what happens. When I went to enable mod_ruid2, this is the message I got:

___________________________________________________________________________________
mod_ruid2
0.9.8-19.23.2.cpanel

Run all httpd process under user's access right.

The following conflicts are installed on this machine. They will be removed as part of this package selection:

• mod_mpm_worker
• mod_cgid
• mod_http2
• mod_suphp
• mod_suexec

The following requirements are not installed on this machine. They will be added as part of this package selection:

• mod_mpm_prefork
• mod_cgi
• mod_ruid2

Do you want to proceed with this selection?
_________________________________________________________________________________

Do I want to proceed? Or wait for further instructions in this thread?

Thanks in advance,

-Joe

 

[Web City Media]

Joe the solution you are asking about is related to securing "Apache vhosts" which will give you a bill of clean health if you use the Security Advisor direction. (This will be seen if you continue. We are setup to use prefork since we relied on the Security Advisor to secure the WHM/CPanel installation. It will let you know if your Apache shell accounts are not jailed, aloong with other security recommendations. You will also see upsells for other products.

The current issue is related to a "Litespeed vhosts" system notification. LiteSpeed Web Server is an Apache alternative which requires a paid license, Note: There is a free version which is limited to one domain and 2gb of memory. The security advisor does not show this as a problem hence the big question: Why are we getting this particular message?

 

[rivermobster]

Joe the solution you are asking about is related to securing "Apache vhosts" which will give you a bill of clean health if you use the Security Advisor direction. (This will be seen if you continue. We are setup to use prefork since we relied on the Security Advisor to secure the WHM/CPanel installation. It will let you know if your Apache shell accounts are not jailed, aloong with other security recommendations. You will also see upsells for other products.

The current issue is related to a "Litespeed vhosts" system notification. LiteSpeed Web Server is an Apache alternative which requires a paid license, Note: There is a free version which is limited to one domain and 2gb of memory. The security advisor does not show this as a problem hence the big question: Why are we getting this particular message?

Interesting...

Your warning: LiteSpeed vhosts are not segmented or chroot()ed.
My warning: Apache vhosts are not segmented or chroot()ed.

I guess I'll go make a new thread? Thanks for the clarification.

 

[cPRex]

Nah, no need for a new thread. The Apache warning is expected. The LiteSpeed warning is not, especially if you don't have it installed.

 

[rivermobster]

Nah, no need for a new thread. The Apache warning is expected. The LiteSpeed warning is not, especially if you don't have it installed.

More confusion...

This is in the Security Advisor:

Apache vhosts are not segmented or chroot()ed.
Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.

This came in my email:

LiteSpeed vhosts are not segmented or chroot()ed. Consider a more robust solution by using “CageFS on CloudLinux”.



See why I'm confused?!?!?!? lol

 

[cPRex]

Right - the email notification is what this case is about. The Apache issue is something you should actually check and decide how to handle.

 

[Dosmage]

I've been going over these alerts and applying the recommendations. I rolled my eyes so hard about a security alert, if I don't make a purchase I'm insecure, that I think I blew out some ocular ligaments. I'm glad that this is a "bug" and that it's active and open! I do have, hopefully, a non vapid comment on the problem. I see that there is a php litespeed cpanel rpm installed. If we're not running a CloudLinux kernel, CloudLinux or LiteSpeed daemon, is it possible that the check might be triggering on this rpm?

 

[eugenevdm.host]

I've given up on this issue after logging a ticket. Reasons hereunder:

Ticket reply was (not a public article you have to log on):

- Security Advisor can reference Litespeed even when it is not installed.

Apparently cPanel has already admitted this is an issue over a month ago, with no fix in sight.

The workaround they present is also unacceptable, I have to vote to turn off specific security messages:

- Disable specific Security Advisor State Change notifications

How about I vote to turn off all broken and spammy messages?

Ticket 94515863

When you've been using software for years and you spot obvious issues voting is a frivolous activity because it's logical to you and the rest of the community.

So instead of enjoying my holidays every morning I log on to find lots of messages that I have to ignore.

The issue is my systems are carefully tuned across many mediums, Slack, PRTG, Email, WhatsApp, etc. Any kind of noise means I can't focus on the real problems.

EDIT:

After having typed this reply I see the title of this forum post now has a "In Progress" moniker attached to it. Not sure what that means but hopefully something is being done behind the scenes with regards to this.

 

[cPRex]

@eugenevdm.host - I was going to say, there is a case open, and CPANEL-41951 is titled "Security Advisor can reference Litespeed even when not installed." Once the case is resolved, that will fix that area of Security Advisor, and that support article will no longer be necessary.

That specific feature is five years old, but I'll bring that up with the team today to get some fresh eyes on it.

Is there another area of Security Advisor you'd like to see improved?

 

[robhooper]

+1 also effected by this issue.

We received a security alert for both Apache and LiteSpeed, we only have Apache installed.
I've actioned the recommended changes for Apache which resolved those alerts.

Even if I had LiteSpeed installed I'm not sure what a LS user could do? the email message says rebuild on a new operating system which isn't happening.
Seems like an abuse of this notification system IMO :/

 

[robhooper]

Potential lead, I just noticed that EasyApache has the PHP litespeed module installed (despite it not being needed).
EasyApache seems to ignore me marking this to be uninstalled. :/

Perhaps this superflous package is triggering the cPanel Security Advise Notification.

 

[WorkinOnIt]

@cPRex - thanks for clarification on this matter. I also have the same issue.

Meanwhile, the other question (perhaps needs a new thread?) is why is jail apache using mod_ruid2 experimental (after what, a decade or more?) Does cPanel not care about security? Instead of offering a robust jailed segmented vhosts option, we are still being sold another upgrade / spend more money and purchase CageFS ?