Hide the OpenLiteSpeed admin panel: bind 7080 to 127.0.0.1 + reach it via SSH tunnel

OpenLiteSpeed’s admin panel runs on port 7080 by default and binds to *. That means anyone with your server’s IP can hit https://your-ip:7080/ and reach the admin login form. The form has authentication, sure — but having a login surface exposed to the entire internet is the same shape of problem as having SSH on port 22 with password auth: the auth might hold, but the brute-force noise is constant and any future authentication-bypass CVE in OLS becomes immediately exploitable.

Bind it to 127.0.0.1 instead, and reach it through SSH when you actually need it. That’s a single config edit plus a one-liner SSH tunnel from your laptop. After this, port 7080 is gone from your public attack surface entirely.

Confirm what you’re starting from

ss -tlnp | grep ":7080"
# Expected (BAD):
# LISTEN  0  4096  0.0.0.0:7080  0.0.0.0:*  users:(("litespeed",pid=...,fd=36))

The 0.0.0.0 on the left (shown as *:7080 on a dual-stack host, which is the same problem) tells you it’s reachable from any interface, including the public one. From outside the box:

curl -sk -o /dev/null -w "%{http_code}\n" https://your-server-ip:7080/
# 302 — redirect to the login page. Bad. Anyone in the world gets that.

Edit the admin listener

OLS keeps the admin listener config in a separate file from the main vhost config:

sudo grep -A4 "^listener" /usr/local/lsws/admin/conf/admin_config.conf
# listener adminListener {
#   address                 *:7080      ← change this
#   secure                  1
#   keyFile                 /etc/letsencrypt/live/.../privkey.pem
#   certFile                /etc/letsencrypt/live/.../fullchain.pem
# }

Change address *:7080 to address 127.0.0.1:7080. The address line is indented inside the listener block, so the pattern has to allow leading whitespace; anchoring on a bare ^address would silently match nothing and leave the file unchanged:

sudo sed -E -i.bak \
  's/^([[:space:]]*address[[:space:]]+)\*:7080[[:space:]]*$/\1127.0.0.1:7080/' \
  /usr/local/lsws/admin/conf/admin_config.conf

sudo grep "^[[:space:]]*address" /usr/local/lsws/admin/conf/admin_config.conf
# Should now show: address                 127.0.0.1:7080

Restart — fully, not gracefully

OpenLiteSpeed’s graceful restart (lswsctrl restart) is built for zero-downtime config reloads: the new server process inherits the already-open listening sockets from the old one instead of binding fresh ones, and the old process keeps running until its in-flight requests finish. The result is that port 7080 stays on 0.0.0.0 for as long as any process that inherited the original socket is alive, which can be several minutes. To actually rebind, every process holding the socket has to exit first, which means a full stop and start rather than a reload.

# Stop the whole service first; reach for kill -9 only for whatever refuses to exit
sudo systemctl stop lshttpd
sleep 2
# Anything still alive? (master/workers, lscgid, lsphp children)
for pid in $(ps -e -o pid= -o comm= | awk '$2 ~ /^(open)?litespeed$|^lscgid$|^lsphp/ {print $1}'); do
  sudo kill -9 "$pid" 2>/dev/null
done
# Verify nothing's left holding 7080 (should print nothing)
ss -tlnp | grep ":7080"

# Cold start
sudo systemctl start lshttpd
sleep 3
ss -tlnp | grep ":7080"
# Now you should see: 127.0.0.1:7080

Confirm from outside the box that the port is no longer reachable:

curl -sk --connect-timeout 5 https://your-server-ip:7080/
# curl: (7) Failed to connect to your-server-ip port 7080: Connection refused
# Refused means nothing is listening there any more. If your firewall drops
# rather than rejects, you get a timeout (exit code 28) instead; either is fine.
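The check, edit and verify steps above, collected into one script. This is an added example, not code from the original post or from OpenLiteSpeed. It assumes the stock layout (SERVER_ROOT /usr/local/lsws, admin port 7080, systemd unit lshttpd), limits the rewrite to the adminListener block so nothing else in the file is touched, and keeps the "is 7080 loopback-only?" parser separate from ss so it can be exercised against the constructed sample lines embedded in the script.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): script the check / edit / verify
# steps. Assumed defaults: SERVER_ROOT=/usr/local/lsws, admin port 7080, systemd
# unit lshttpd. With --apply it edits the live config and does a full stop/start;
# without arguments it only defines the functions and a constructed sample.
set -eu

ADMIN_CONF="${ADMIN_CONF:-/usr/local/lsws/admin/conf/admin_config.conf}"
ADMIN_PORT="${ADMIN_PORT:-7080}"

# Print the address currently configured inside the adminListener block.
admin_address() {
  sed -En '/^listener[[:space:]]+adminListener/,/^[}]/ s/^[[:space:]]*address[[:space:]]+([^[:space:]]+).*$/\1/p' "$1"
}

# Rewrite "address *:PORT" (also 0.0.0.0:PORT and [::]:PORT), at any indentation,
# to 127.0.0.1:PORT, but only inside the adminListener block. Idempotent, keeps a
# .bak copy, and writes through a temp file so it works with GNU and BSD sed.
bind_admin_loopback() {
  local conf="$1" port="$2" expr
  expr='/^listener[[:space:]]+adminListener/,/^[}]/ s/^([[:space:]]*address[[:space:]]+)(\*|0\.0\.0\.0|\[::\]):'"$port"'[[:space:]]*$/\1127.0.0.1:'"$port"'/'
  cp -p "$conf" "$conf.bak"
  sed -E "$expr" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Read `ss -tlnH` output on stdin; succeed only if every socket listening on
# port $1 is bound to 127.x or [::1]. No listener on the port also counts as ok.
port_is_loopback_only() {
  local port="$1" state rq sq addr rest host bad=0
  while read -r state rq sq addr rest; do
    [ "${addr##*:}" = "$port" ] || continue   # field 4 is "local-address:port"
    host="${addr%:*}"
    case "$host" in
      127.*|'[::1]') ;;
      *) bad=1 ;;
    esac
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SS_EXPOSED='LISTEN 0 4096 0.0.0.0:7080 0.0.0.0:*
LISTEN 0 4096 *:443 *:*'
SS_HIDDEN='LISTEN 0 4096 127.0.0.1:7080 0.0.0.0:*
LISTEN 0 4096 [::1]:7080 [::]:*
LISTEN 0 4096 *:443 *:*'

# Constructed stand-in for admin_config.conf, written to a temp file.
make_sample_conf() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
enableCoreDump            1
sessionTimeout            3600

listener adminListener {
  address                 *:7080
  secure                  1
  keyFile                 $SERVER_ROOT/admin/conf/webadmin.key
  certFile                $SERVER_ROOT/admin/conf/webadmin.crt
}
EOF
  printf '%s\n' "$f"
}

if [ "${1:-}" = "--apply" ]; then
  bind_admin_loopback "$ADMIN_CONF" "$ADMIN_PORT"
  echo "adminListener address: $(admin_address "$ADMIN_CONF")"
  # Full stop/start, not a graceful restart, so the old socket is released.
  systemctl stop lshttpd
  sleep 2
  systemctl start lshttpd
  sleep 3
  if ss -tlnH | port_is_loopback_only "$ADMIN_PORT"; then
    echo "port $ADMIN_PORT is loopback-only"
  else
    echo "port $ADMIN_PORT is still exposed:" >&2
    ss -tlnp | grep ":$ADMIN_PORT" >&2
    exit 1
  fi
fi
```

Run it with no arguments to exercise the functions against the built-in sample; run `sudo ./ols-admin-loopback.sh --apply` on the server to edit the config, do the full stop/start, and fail loudly if anything on the admin port is still bound to a non-loopback address. If you later change the admin listener through the WebAdmin console, which writes this same file, re-run the check.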

Reach it via SSH tunnel

From your laptop, when you actually need to use the admin panel:

ssh -L 7080:127.0.0.1:7080 your-user@your-server

Then in your browser: https://localhost:7080/. The certificate will be a mismatch (the OLS admin cert is for your real domain, not localhost) so you’ll get a one-click warning. Click through, log in, do what you need, close the SSH session.

If you want it nicer, add an alias to your local ~/.ssh/config:

Host lsws-admin
    HostName your-server
    User your-user
    LocalForward 7080 127.0.0.1:7080
    ExitOnForwardFailure yes

Now ssh lsws-admin opens both the shell and the tunnel. ExitOnForwardFailure yes aborts if the forward can’t be set up (e.g. another process is already on local port 7080), which prevents the silent “I thought I was tunneling” mistake.

If you already use a tunnel daemon

If you’re running something like chisel, frp, or tailscale for general access, just add a forward for 7080 to its config — same idea, different tool. The principle is identical: the OLS admin panel only listens on the loopback interface; reaching it requires you to already be authenticated to the box one way or another.

Side benefit: log-noise reduction

An exposed admin panel attracts a steady stream of brute-force probes. On a public-facing OLS, the server’s own error log (/usr/local/lsws/logs/error.log by default) fills with admin login failures every few minutes. After binding to 127.0.0.1 those entries stop appearing, because a failed login now requires the attacker to first get through the SSH layer, which is a much harder ask if SSH is keys-only.

One sed command, one full stop/start, one SSH alias on your laptop. Port 7080 is no longer part of your public attack surface; the only way to it now runs through SSH.
