Skip to content

Security Configuration

Block a Bot Attack

Your server may experience heavy hits from bots. Here are three different examples of bot attacks and how to block them using rewrite rules.

"BUbiNG" bot

The "BUbiNG" bot can cause a massive load spike in the server. To prevent further problems, you can deny the BUbiNG user agent globally.

Use a rewrite rule to detect the user agent, and set the environment with the action [E=blockbot]. This will drop the direct connection from that client IP.

Add the following to the .htaccess of your example.com domain:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "BUbiNG"
RewriteRule .* - [E=blockbot:1]

To verify that the rules are effectively blocking the user agent, you can run the following command:

curl -A "BUbiNG" example.com

If your rules need further debugging, you can enable the rewrite log for more details.

"xmlrpc.php" bot

In this example, cPanel Piped Logging was configured to push entries to /usr/local/apache/logs/error_log. The log shows many entries like this: 

404 File not found [/var/www/html/xmlrpc.php]

Because these requests look like they are being processed by the default virtual host, LiteSpeed's WordPress Protection feature is not triggered.

To block this bot, locate the virtual host serving the requests, and add a vhost-level rewrite rule to drop the connection using [E=blockbot]:

RewriteRule ^/xmlrpc.php - [E=blockbot:1]

Warning

Do not apply the above rewrite rule at the server level since it will block everyone accessing xmlrpc.php globally.

If the bots are cookie related, you can also try a rule like the following, and tailor it to what you need:

RewriteCond %{HTTP_COOKIE} yourcookiename
RewriteRule .* - [F]

Anti-DDoS for ConfigServer or iptables

Note

This feature is only available under a Web Host Elite license!

LiteSpeed Web Server's Anti-DDoS feature can be used to modify a firewall via ifconfig and ipset to block suspicious IPs. This guide explains how to integrate this feature with either ConfigServer Security & Firewall (CSF), or iptables.

LiteSpeed Web Server Configuration

Log into your WebAdmin Console at https://SERVER_IP:7080. Navigate to Configuration > Security.

Set Enable Anti-DDoS Protection and Enable Firewall Modifications to Yes to enable Anti-DDoS protection.

ConfigServer Security & Firewall Configuration

For csf, create the file /etc/csf/csfpost.sh, and add the following content: 

#!/bin/bash
ipset create ls-anti-ddos hash:ip hashsize 4096
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT

Reload with the command csf -r.

iptables Configuration

For iptables, run the following commands to set up the list and rules: 

ipset create ls-anti-ddos hash:ip hashsize 4096
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT

Verify the script works as intended by checking with the ipset list command. You should see two blocks: ls-anti-ddos and ls-quic-ports. 

[root@test]# ipset list
...
...
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65680
References: 2
Members:

Name: ls-quic-ports
Type: bitmap:port
Revision: 1
Header: range 0-65535
Size in memory: 524432
References: 1
Members:

Test

There are several cases where LiteSpeed will consider an incoming request suspicious. For example, a failed reCAPTCHA test, or a badly formatted request.

For demonstration purposes, we will use a reCAPTCHA failed verification to trigger the block. So, if a visitor fails to verify repeatedly in a short period of time, the firewall block will be triggered and a log generated, like this one: 

[root@test logs]# grep ipset error.log
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0

If you run ipset list again, you will see content like this: 

Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65696
References: 1
Members:
111.222.333.444

The block on the IP will be removed in 10 minutes, if the suspicious behavior stops. At that point, you should see this in the log: 

2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0

Last update: July 10, 2024