Linux : How to restrict access to LiteSpeed Web Server WebUI

By | April 8, 2023

LiteSpeed Web Server comes with a WebUI admin interface that is, by default, accessible on port 7080 from any IP address.

For security reasons, it should be restricted to the IP address(es) or subnet(s) you usually manage your servers from. This also prevents the now very popular brute-force login attempts, which will flood you with email notifications, assuming (and hopefully) you had these configured!

The lowest-level way of doing so would be to create a firewall rule for this exception, but in some cases (for example, if you are using Imunify360, which uses a different concept/approach), the only way would be to leverage the built-in LiteSpeed security access control mechanism as follows :

1. Open the LiteSpeed Admin configuration file with a text editor :

/usr/local/lsws/admin/conf/admin_config.xml

2. Locate the <security> and <accessControl> section (default example below) :

  <security>
    <accessControl>
      <allow>ALL</allow>
    </accessControl>
  </security>

Remove the “ALL” between <allow> and </allow> and put in the IP(s) and/or subnet(s) you’d like to allow, with a comma and a space between each entry, for example :

<allow>1.2.3.4, 10.20.30.0/28</allow>

And append a deny ALL statement underneath as follows :

<deny>ALL</deny>

The full block should now look like this :

  <security>
    <accessControl>
      <allow>1.2.3.4, 10.20.30.0/28</allow>
      <deny>ALL</deny>
    </accessControl>
  </security>

3. Gracefully restart the LiteSpeed service to make it effective :

systemctl restart lsws

(Or “service lsws restart” on older systems)
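
To check the edited block before restarting, here is a small audit script. It is an added example, not part of LiteSpeed or of the original article. The function names and the `adminConfig` wrapper element in the samples are assumptions, and it only recognises the two entry forms used above (single IP and CIDR subnet).

```python
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed samples: the article's two blocks inside an assumed root element.
DEFAULT_CONF = """<adminConfig><security><accessControl>
  <allow>ALL</allow>
</accessControl></security></adminConfig>"""
RESTRICTED_CONF = """<adminConfig><security><accessControl>
  <allow>1.2.3.4, 10.20.30.0/28</allow>
  <deny>ALL</deny>
</accessControl></security></adminConfig>"""

def entries(text):
    """Split a comma-separated allow/deny value into trimmed entries."""
    return [e.strip() for e in (text or "").split(",") if e.strip()]

def audit_access_control(xml_text):
    """Return a list of findings; an empty list means the block is restricted."""
    root = ET.fromstring(xml_text)
    acl = next(root.iter("accessControl"), None)
    if acl is None:
        return ["no <accessControl> section found"]
    allow = entries(acl.findtext("allow"))
    deny = entries(acl.findtext("deny"))
    findings = []
    if not allow:
        findings.append("<allow> has no entries")
    for entry in allow:
        if entry.upper() == "ALL":
            findings.append("<allow> still contains ALL")
            continue
        try:
            # Only the two forms used in the article: single IP or CIDR subnet.
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry!r} is not a plain IP or CIDR; check it by hand")
    if not any(d.upper() == "ALL" for d in deny):
        findings.append("<deny>ALL</deny> is missing")
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file before restarting lsws
        with open(sys.argv[1]) as fh:
            problems = audit_access_control(fh.read())
        print("\n".join(problems) or "access control is restricted")
        sys.exit(1 if problems else 0)
    for name, conf in (("default", DEFAULT_CONF), ("restricted", RESTRICTED_CONF)):
        print(name, audit_access_control(conf))
```

Run it with the path of admin_config.xml as the only argument; a non-zero exit status means the block still needs attention.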