CrowdSec with OpenLiteSpeed

CrowdSec is an open-sourced solution that protects websites and servers from attack. By analyzing user logs in real-time, CrowdSec identifies and blocks malicious behavior across the entire network.

In this tutorial, we are going to install CrowdSec on OpenLiteSpeed or LiteSpeed Enterprise, and enable some general protections.

Installation

Installing CrowdSec repositories

Installing CrowdSec repositories allows you to access the latest packages of the Security Engine and Remediation Components.

curl -s https://install.crowdsec.net | sudo sh

Install the Security Engine

apt install crowdsec
dnf install crowdsec

For other installation methods, please follow the official CrowdSec guide.

Install Bouncer

apt install crowdsec-firewall-bouncer-iptables
dnf install crowdsec-firewall-bouncer-iptables

Install LiteSpeed Collection

The LiteSpeed Collection includes:

  • litespeed-logs parser
  • base-http-scenarios collection
  • litespeed-admin-bf scenario

Install it with:

cscli collections install crowdsecurity/litespeed

Append the following lines to the /etc/crowdsec/acquis.yaml file.

filenames:
  - /usr/local/lsws/YOURVHOST/logs/*.log
  - /usr/local/lsws/admin/logs/*.log
  - /usr/local/lsws/logs/*.log
labels:
  type: litespeed
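An added helper, not from the LiteSpeed docs, that prints the acquisition block above for every vhost log directory that already exists under the LSWS root instead of a single YOURVHOST placeholder. It assumes the layout this page uses (<root>/<vhost>/logs, <root>/admin/logs and <root>/logs), with the root defaulting to /usr/local/lsws.

```shell
#!/bin/sh
# Added example, not from the LiteSpeed docs. Prints an acquis.yaml block that
# lists every existing log directory under the LSWS root, so each vhost gets an
# entry instead of the single YOURVHOST placeholder. Assumed layout:
# <root>/<vhost>/logs, <root>/admin/logs and <root>/logs (root defaults to
# /usr/local/lsws). Directories that hold no .log file yet are skipped.
lsws_acquis_block() {
    root="${1:-/usr/local/lsws}"
    found=0
    echo '---'                          # new YAML document: safe to append
    printf 'filenames:\n'
    for dir in "$root"/*/logs "$root"/logs; do
        [ -d "$dir" ] || continue
        set -- "$dir"/*.log             # does the directory hold any log yet?
        [ -e "$1" ] || continue
        printf '  - %s/*.log\n' "$dir"
        found=$((found + 1))
    done
    printf 'labels:\n  type: litespeed\n'
    [ "$found" -gt 0 ]                  # non-zero status if nothing was found
}

# Review the output first, then append it:
#   lsws_acquis_block >> /etc/crowdsec/acquis.yaml
```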

Enable notifications

Enable the email option in /etc/crowdsec/profiles.yaml by uncommenting the following lines (remove the leading #):

#notifications:
# - email_default

Edit the email plugin configuration file, /etc/crowdsec/notifications/email.yaml, and update it with your own email address and SMTP server credentials.

Restart CrowdSec

Restart CrowdSec with the following command:

sudo systemctl restart crowdsec

Verification

LiteSpeed Web Admin

Run cscli metrics and confirm that the Acquisition Metrics table lists the LSWS log files:

Acquisition Metrics:
╭────────────────────────────────────────────────┬─────────────┬───────────────┬──────────────────┬──────────────────────────╮
│                   Source                   │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├────────────────────────────────────────────────┼─────────────┼───────────────┼──────────────────┼──────────────────────────┤
│ file:/usr/local/lsws/admin/logs/access.log │ 106        │ 103          │ 3              │ 33                     │
│ file:/usr/local/lsws/admin/logs/error.log  │ 68         │ 68           │ -              │ 68                     │
│ file:/usr/local/lsws/logs/access.log       │ 4          │ 4            │ -              │ 8                      │
│ file:/usr/local/lsws/logs/error.log        │ 150        │ 7            │ 143            │ 7                      │
│ file:/var/log/auth.log                     │ 231        │ 21           │ 210            │ 60                     │
│ file:/var/log/kern.log                     │ 3.36k      │ -            │ 3.36k          │ -                      │
│ file:/var/log/syslog                       │ 3.71k      │ -            │ 3.71k          │ -                      │
╰────────────────────────────────────────────────┴─────────────┴───────────────┴──────────────────┴──────────────────────────╯

Open your WebAdmin Console and enter an incorrect password a few times. Once you hit the threshold, your IP will be banned for 4 hours.

Check your decision list with the command cscli decisions list:

╭─────────┬───────────┬───────────────────┬─────────────────────────────────────┬─────────┬──────────┬───────────────────────────────────────────┬─────────┬──────────────────────┬───────────╮
│   ID   │  Source  │   Scope:Value    │              Reason              │ Action │ Country │                   AS                   │ Events │     expiration     │ Alert ID │
├─────────┼───────────┼───────────────────┼─────────────────────────────────────┼─────────┼──────────┼───────────────────────────────────────────┼─────────┼──────────────────────┼───────────┤
│ 165007 │ crowdsec │ Ip:x.x.x.x       │ crowdsecurity/litespeed-admin-bf │ ban    │ US      │ 3462 Data Communication Business Group │ 3      │ 3h59m23.273501311s │ 1        │
╰─────────┴───────────┴───────────────────┴─────────────────────────────────────┴─────────┴──────────┴───────────────────────────────────────────┴─────────┴──────────────────────┴───────────╯

Vulnerability Scanner

To verify that CrowdSec is functioning correctly, you can trigger scenarios with a web vulnerability scanner such as Wapiti or Nikto. To perform a simple domain scan, run Nikto against your site from another client:

nikto -h https://example.com

Then check your decision list with the command cscli decisions list.

╭──────────┬───────────┬────────────────────┬────────────────────────────────────────┬────────┬──────────┬───────────────────────────┬─────────┬─────────────────────┬───────────╮
│   ID    │  Source  │    Scope:Value    │               Reason               │ Action │ Country │           AS           │ Events │     expiration     │ Alert ID │
├──────────┼───────────┼────────────────────┼────────────────────────────────────────┼────────┼──────────┼───────────────────────────┼─────────┼─────────────────────┼───────────┤
│ 1560343 │ crowdsec │ Ip:x.x.x.x        │ crowdsecurity/http-sensitive-files │ ban    │ US      │ 31898 xxxxxx-BMC-31898 │ 5      │ 3h59m58.922003003s │ 447      │
╰──────────┴───────────┴────────────────────┴────────────────────────────────────────┴────────┴──────────┴───────────────────────────┴─────────┴─────────────────────┴───────────╯

FAQ

How do I customize the configuration?

The default collection and scenarios are stored in the /etc/crowdsec directory. You can edit the configuration from there.

For more information about the CrowdSec configuration format, please see the CrowdSec documentation.

How do I use CrowdSec with Cloudflare?

  • To restore real visitor IPs, navigate to LiteSpeed WebAdmin Console > Configuration > General Settings and set Use Client IP in Header to Trusted IP Only. See our LiteSpeed Web Server docs if you need more information about this step.
  • Set up CrowdSec's Cloudflare bouncer, so it can sync the decisions made locally with Cloudflare's firewall.

Why didn't my test work?

  • Verify that your log path is correct in the acquis.yaml file.
  • Verify that your log format is the default.

The rules work with the default log format. If you customize the log format or Log Headers, then you need to adjust the LiteSpeed log parser (/etc/crowdsec/parsers/s01-parse/litespeed-logs.yaml) to match it.
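An added check, not from the LiteSpeed docs, for the second FAQ point above: it counts access-log lines that do not match the default LiteSpeed format. It assumes the default is the Apache "combined" format (%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i") and that the crowdsecurity/litespeed parser is written against it; lines that fail the check are the ones that appear under "Lines unparsed" in cscli metrics and never reach a scenario.

```shell
#!/bin/sh
# Added example, not from the LiteSpeed docs. Assumes the vhost uses the default
# LiteSpeed access-log format ("combined":
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"), which is the format
# the crowdsecurity/litespeed parser is written for. Lines that fail this check
# are counted as "Lines unparsed" by cscli metrics and never reach a scenario,
# so run it before editing the parser to see which lines are at fault.

# Regex for one "combined" line; quoted fields may contain \" escapes.
LSWS_COMBINED='^[^ ]+ [^ ]+ [^ ]+ \[[^]]+\] "([^"\\]|\\.)*" [0-9]{3} (-|[0-9]+) "([^"\\]|\\.)*" "([^"\\]|\\.)*"$'

# Print every non-matching line with its line number to stderr and
# the number of such lines to stdout.
lsws_unparsed_lines() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    grep -Evn "$LSWS_COMBINED" "$log" >&2 || true
    grep -Evc "$LSWS_COMBINED" "$log" || true
}

# Constructed sample: two default-format lines, one line with a custom
# trailing field (e.g. %D), one "common" line without referer/user-agent.
# Only the first two would be parsed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 196 "https://example.com/" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 4321
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 512
EOF

echo "unparsed: $(lsws_unparsed_lines "$sample")"   # unparsed: 2
rm -f "$sample"
```

On a live server, point the function at the vhost's access log, e.g. lsws_unparsed_lines /usr/local/lsws/YOURVHOST/logs/access.log; a count near the total means the vhost has a custom logFormat and the parser needs adjusting.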