Security Configuration
Block a Bot Attack
Your server may experience heavy hits from bots. Here are three different examples of bot attacks and how to block them using rewrite rules.
"BUbiNG" bot
The "BUbiNG" bot can cause a massive load spike on the server. To prevent further problems, you can deny the BUbiNG user agent globally.
Use a rewrite rule to detect the user agent and set the environment variable with the action [E=blockbot:1]. This will drop the direct connection from that client IP.
Add the following to the .htaccess of your example.com domain:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "BUbiNG"
RewriteRule .* - [E=blockbot:1]
To verify that the rules are effectively blocking the user agent, you can run the following command:
curl -A "BUbiNG" example.com
If your rules need further debugging, you can enable the rewrite log for more details.
"xmlrpc.php" bot
In this example, cPanel Piped Logging was configured to push entries to /usr/local/apache/logs/error_log. The log shows many entries like this:
404 File not found [/var/www/html/xmlrpc.php]
Because these requests look like they are being processed by the default virtual host, LiteSpeed's WordPress Protection feature is not triggered.
To block this bot, locate the virtual host serving the requests, and add a vhost-level rewrite rule to drop the connection using [E=blockbot:1]:
RewriteRule ^/xmlrpc.php - [E=blockbot:1]
Warning
Do not apply the above rewrite rule at the server level, since it would block everyone accessing xmlrpc.php globally.
Cookie Bots
If the bots are cookie related, you can also try a rule like the following, tailored to the cookie name you need to match:
RewriteCond %{HTTP_COOKIE} yourcookiename
RewriteRule .* - [F]
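Before writing a rewrite rule, it helps to confirm which user agent or request path is actually responsible for the load. The following shell script is an added example, not part of the LiteSpeed documentation: it tallies user agents and request paths in an Apache/LiteSpeed combined-format access log, and counts the "File not found" entries for a file name in a cPanel piped error_log like the one shown above. The log lines it writes are constructed samples; the function names are hypothetical helpers, and the log paths you feed them on a real server are assumptions.

```shell
#!/bin/sh
# Added example (not from the LiteSpeed docs): find what is hammering the
# server before writing a rewrite rule. Assumes the access log is in the
# Apache/LiteSpeed "combined" format and the error_log uses the cPanel
# piped-logging lines shown in the section above.

# Print "count user-agent" for every user agent in a combined-format access
# log, busiest first. The user agent is the last double-quoted field.
top_agents() {
    awk -F'"' 'NF >= 6 { print $6 }' "$1" | sort | uniq -c | sort -rn
}

# Count requests in a combined-format access log whose path equals $2
# (e.g. /xmlrpc.php). The request line "GET /path HTTP/1.1" is field 2.
path_hits() {
    awk -F'"' -v p="$2" '{ split($2, r, " "); if (r[2] == p) n++ } END { print n + 0 }' "$1"
}

# Count "File not found [...]" entries for a file name in a cPanel piped
# error_log ($2 is the file name, e.g. xmlrpc.php). grep -c prints 0 and
# exits non-zero when nothing matches, hence the trailing "|| true".
errorlog_hits() {
    grep -c -- "File not found \[.*/$2\]" "$1" || true
}

# Write constructed sample logs into directory $1 (addresses come from the
# 192.0.2.0/24 documentation range; none of these lines are real traffic).
write_samples() {
    cat > "$1/access.log" <<'EOF'
192.0.2.10 - - [04/Dec/2019:20:27:15 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"
192.0.2.20 - - [04/Dec/2019:20:27:16 +0000] "GET /page/2 HTTP/1.1" 200 4096 "-" "BUbiNG"
192.0.2.20 - - [04/Dec/2019:20:27:16 +0000] "GET /page/3 HTTP/1.1" 200 4096 "-" "BUbiNG"
192.0.2.20 - - [04/Dec/2019:20:27:17 +0000] "GET /page/4 HTTP/1.1" 200 4096 "-" "BUbiNG"
192.0.2.30 - - [04/Dec/2019:20:27:18 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.30 - - [04/Dec/2019:20:27:19 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF
    cat > "$1/error_log" <<'EOF'
404 File not found [/var/www/html/xmlrpc.php]
404 File not found [/var/www/html/favicon.ico]
404 File not found [/var/www/html/xmlrpc.php]
EOF
}

# Stand-alone demo: run the helpers over the constructed samples.
SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
echo "Busiest user agents:"
top_agents "$SAMPLE_DIR/access.log"
echo "Requests for /xmlrpc.php: $(path_hits "$SAMPLE_DIR/access.log" /xmlrpc.php)"
echo "error_log 404s for xmlrpc.php: $(errorlog_hits "$SAMPLE_DIR/error_log" xmlrpc.php)"
rm -rf "$SAMPLE_DIR"
```

On a live server you would point the helpers at the real access log and error_log instead of the samples; a user agent that dominates the first list, or a path that draws many 404s, is the candidate for the RewriteCond or vhost-level rule shown above.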
Anti-DDoS for ConfigServer or iptables
Note
This feature is only available under a Web Host Elite license!
LiteSpeed Web Server's Anti-DDoS feature can be used to modify a firewall via iptables and ipset to block suspicious IPs. This guide explains how to integrate this feature with either ConfigServer Security & Firewall (CSF) or iptables.
LiteSpeed Web Server Configuration
Log into your WebAdmin Console at https://SERVER_IP:7080. Navigate to Configuration > Security.
Set Enable Anti-DDoS Protection and Enable Firewall Modifications to Yes to enable Anti-DDoS protection.
ConfigServer Security & Firewall Configuration
For CSF, create the file /etc/csf/csfpost.sh and add the following content:
#!/bin/bash
# Create the IP set LiteSpeed adds suspicious addresses to, and the port set
# it uses for QUIC. -exist keeps the script idempotent when csf re-runs it.
ipset create ls-anti-ddos hash:ip hashsize 4096 -exist
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
# Drop all traffic from any address in ls-anti-ddos, inbound or forwarded.
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
# Accept UDP to the QUIC ports LiteSpeed registers in ls-quic-ports.
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
Reload CSF with the command csf -r.
iptables Configuration
For iptables, run the following commands to set up the sets and rules. Note that ipset sets and iptables rules entered this way do not survive a reboot unless you persist them with your distribution's iptables/ipset save mechanism:
# Create the IP set and the QUIC port set; -exist makes re-running harmless.
ipset create ls-anti-ddos hash:ip hashsize 4096 -exist
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
# Drop all traffic from any address in ls-anti-ddos, inbound or forwarded.
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
# Accept UDP to the QUIC ports LiteSpeed registers in ls-quic-ports.
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
Verify that the sets were created by checking with the ipset list command. You should see two sets: ls-anti-ddos and ls-quic-ports.
[root@test]# ipset list
...
...
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65680
References: 2
Members:
Name: ls-quic-ports
Type: bitmap:port
Revision: 1
Header: range 0-65535
Size in memory: 524432
References: 1
Members:
Test
There are several cases in which LiteSpeed will consider an incoming request suspicious, for example a failed reCAPTCHA test or a badly formatted request.
For demonstration purposes, we will use a failed reCAPTCHA verification to trigger the block. If a visitor repeatedly fails to verify within a short period of time, the firewall block is triggered and a log entry like this one is generated:
[root@test logs]# grep ipset error.log
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 192.0.2.0 ', ret: -1, status: 0
If you run ipset list again, you will see content like this:
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65696
References: 1
Members:
192.0.2.0
The block on the IP is removed after 10 minutes if the suspicious behavior stops. At that point, you should see this in the log:
2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 192.0.2.0 ', ret: -1, status: 0
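To check that the server and the kernel agree on which addresses are blocked, the following shell script is an added example and not part of the LiteSpeed documentation. It replays the [FIREWALL] ipset add/del lines from error.log to derive the addresses LiteSpeed still considers blocked, parses the Members: section for ls-anti-ddos from saved ipset list output, and reports addresses present on one side only. The log lines and ipset list output it contains are constructed samples in the formats shown above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the LiteSpeed docs): reconcile the blocks LiteSpeed
# logged ([FIREWALL] ipset add/del lines in error.log) with the members the
# kernel set actually holds (the Members: block of `ipset list` output).
# Both inputs below are constructed samples in the formats shown above.

SET_NAME=ls-anti-ddos

# Replay the FIREWALL add/del commands in error.log ($1) and print, sorted,
# the addresses that were added to $SET_NAME and not deleted afterwards.
# The command sits between single quotes, so split on ' and take field 2:
#   ipset add ls-anti-ddos 192.0.2.0
blocked_from_log() {
    awk -F"'" -v set="$SET_NAME" '
        /\[FIREWALL\] execute command:/ {
            n = split($2, c, " ")
            if (n >= 4 && c[1] == "ipset" && c[3] == set) {
                if (c[2] == "add") blocked[c[4]] = 1
                else if (c[2] == "del") delete blocked[c[4]]
            }
        }
        END { for (ip in blocked) print ip }' "$1" | sort
}

# Print, sorted, the members of set $2 from saved `ipset list` output ($1).
# A "Name:" line starts a new set; "Members:" starts its address list, which
# runs until a blank line or the next set.
members_from_ipset_list() {
    awk -v set="$2" '
        /^Name: /    { cur = ($2 == set); inmem = 0; next }
        /^Members:/  { inmem = cur; next }
        inmem && NF  { print $1 }
        inmem && !NF { inmem = 0 }' "$1" | sort
}

# Compare the two views. "log-only" means the server logged a block the set
# does not hold (the ipset command may have failed); "set-only" means the set
# holds an address the log never added (or the log has since been rotated).
reconcile() {
    tmp=$(mktemp -d)
    blocked_from_log "$1" > "$tmp/log"
    members_from_ipset_list "$2" "$SET_NAME" > "$tmp/set"
    comm -23 "$tmp/log" "$tmp/set" | sed 's/^/log-only /'
    comm -13 "$tmp/log" "$tmp/set" | sed 's/^/set-only /'
    rm -rf "$tmp"
}

# Write constructed sample inputs into directory $1 (192.0.2.0/24 is the
# documentation address range; these are not real events).
write_firewall_samples() {
    cat > "$1/error.log" <<'EOF'
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 192.0.2.0 ', ret: -1, status: 0
2019-12-04 20:29:01.100000 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 192.0.2.77 ', ret: -1, status: 0
2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 192.0.2.0 ', ret: -1, status: 0
EOF
    cat > "$1/ipset.txt" <<'EOF'
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65696
References: 1
Members:
192.0.2.77
192.0.2.99

Name: ls-quic-ports
Type: bitmap:port
Revision: 1
Header: range 0-65535
Size in memory: 524432
References: 1
Members:
EOF
}

# Stand-alone demo over the constructed samples.
SAMPLE_DIR=$(mktemp -d)
write_firewall_samples "$SAMPLE_DIR"
echo "Blocked according to error.log:"
blocked_from_log "$SAMPLE_DIR/error.log"
echo "Members of $SET_NAME according to ipset list:"
members_from_ipset_list "$SAMPLE_DIR/ipset.txt" "$SET_NAME"
echo "Differences:"
reconcile "$SAMPLE_DIR/error.log" "$SAMPLE_DIR/ipset.txt"
rm -rf "$SAMPLE_DIR"
```

On a real server you would feed reconcile the live error.log and the output of ipset list saved to a file; an empty result means the 10-minute add/del cycle described above is being applied to the kernel set exactly as logged, while any "log-only" line points at an ipset command that did not take effect.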