CrowdSec with OpenLiteSpeed
CrowdSec is an open-source solution that protects websites and servers from attack. By analyzing logs in real time, CrowdSec identifies and blocks malicious behavior across the entire network.
In this tutorial, we will install CrowdSec on OpenLiteSpeed or LiteSpeed Enterprise and enable some general protections.
Installation
Installing CrowdSec repositories
Installing the CrowdSec repositories gives you access to the latest packages of the Security Engine and the Remediation Components.
```shell
curl -s https://install.crowdsec.net | sudo sh
```
Install the Security Engine
```shell
# Debian/Ubuntu
apt install crowdsec
# RHEL/AlmaLinux/Rocky/Fedora
dnf install crowdsec
```
For other installation methods, please follow the official CrowdSec guide.
Install Bouncer
```shell
# Debian/Ubuntu
apt install crowdsec-firewall-bouncer-iptables
# RHEL/AlmaLinux/Rocky/Fedora
dnf install crowdsec-firewall-bouncer-iptables
```
Install LiteSpeed Collection
The LiteSpeed Collection includes:
- litespeed-logs (parser)
- base-http-scenarios (collection)
- litespeed-admin-bf (scenario)
```shell
cscli collections install crowdsecurity/litespeed
```
Append the following lines to the `/etc/crowdsec/acquis.yaml` file:
```yaml
filenames:
  - /usr/local/lsws/YOURVHOST/logs/*.log
  - /usr/local/lsws/admin/logs/*.log
  - /usr/local/lsws/logs/*.log
labels:
  type: litespeed
```
Enable notifications
Enable the email option in `/etc/crowdsec/profiles.yaml` by uncommenting the following lines:
```yaml
#notifications:
#  - email_default
```
Edit the email plugin configuration file, `/etc/crowdsec/notifications/email.yaml`, and update it with your own email address and SMTP server credentials.
Restart CrowdSec
Restart CrowdSec with the following command:
```shell
sudo systemctl restart crowdsec
```
Verification
LiteSpeed Web Admin
Run `cscli metrics` to make sure the Acquisition Metrics include the LSWS logs:
```text
Acquisition Metrics:
╭────────────────────────────────────────────────┬─────────────┬───────────────┬──────────────────┬──────────────────────────╮
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├────────────────────────────────────────────────┼─────────────┼───────────────┼──────────────────┼──────────────────────────┤
│ file:/usr/local/lsws/admin/logs/access.log │ 106 │ 103 │ 3 │ 33 │
│ file:/usr/local/lsws/admin/logs/error.log │ 68 │ 68 │ - │ 68 │
│ file:/usr/local/lsws/logs/access.log │ 4 │ 4 │ - │ 8 │
│ file:/usr/local/lsws/logs/error.log │ 150 │ 7 │ 143 │ 7 │
│ file:/var/log/auth.log │ 231 │ 21 │ 210 │ 60 │
│ file:/var/log/kern.log │ 3.36k │ - │ 3.36k │ - │
│ file:/var/log/syslog │ 3.71k │ - │ 3.71k │ - │
╰────────────────────────────────────────────────┴─────────────┴───────────────┴──────────────────┴──────────────────────────╯
```
Open your WebAdmin Console and enter an incorrect password a few times. Once you hit the threshold, your IP will be banned for 4 hours.
Check your decision list with the command `cscli decisions list`:
```text
╭─────────┬───────────┬───────────────────┬─────────────────────────────────────┬─────────┬──────────┬───────────────────────────────────────────┬─────────┬──────────────────────┬───────────╮
│ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
├─────────┼───────────┼───────────────────┼─────────────────────────────────────┼─────────┼──────────┼───────────────────────────────────────────┼─────────┼──────────────────────┼───────────┤
│ 165007 │ crowdsec │ Ip:x.x.x.x │ crowdsecurity/litespeed-admin-bf │ ban │ US │ 3462 Data Communication Business Group │ 3 │ 3h59m23.273501311s │ 1 │
╰─────────┴───────────┴───────────────────┴─────────────────────────────────────┴─────────┴──────────┴───────────────────────────────────────────┴─────────┴──────────────────────┴───────────╯
```
Vulnerability Scanner
To verify that the plugin is functioning correctly, you can trigger scenarios with tools such as Wapiti or Nikto. To perform a simple domain scan, use Nikto to scan your site from another client:
```shell
nikto -h https://example.com
```
Then check your decision list with the command `cscli decisions list`:
```text
╭──────────┬───────────┬────────────────────┬────────────────────────────────────────┬────────┬──────────┬───────────────────────────┬─────────┬─────────────────────┬───────────╮
│ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
├──────────┼───────────┼────────────────────┼────────────────────────────────────────┼────────┼──────────┼───────────────────────────┼─────────┼─────────────────────┼───────────┤
│ 1560343 │ crowdsec │ Ip:x.x.x.x │ crowdsecurity/http-sensitive-files │ ban │ US │ 31898 xxxxxx-BMC-31898 │ 5 │ 3h59m58.922003003s │ 447 │
╰──────────┴───────────┴────────────────────┴────────────────────────────────────────┴────────┴──────────┴───────────────────────────┴─────────┴─────────────────────┴───────────╯
```
FAQ
How do I customize the configuration?
The default collection and scenarios are stored in the `/etc/crowdsec` directory. You can edit the configuration from there.
For more information on the CrowdSec configuration format, please see the CrowdSec documentation.
How do I use CrowdSec with Cloudflare?
- To restore real visitor IPs, navigate to LiteSpeed WebAdmin Console > Configuration > General Settings and set Use Client IP in Header to Trusted IP Only. See our LiteSpeed Web Server docs if you need more information about this step.
- Set up CrowdSec's Cloudflare bouncer so it can sync the decisions made locally with Cloudflare's firewall.
Why didn't my test work?
- Verify that your log path is correct in the `acquis.yaml` file.
- Verify that your log format is the default. The rules work with the default log format. If you customize the log format or Log Headers, you need to adjust the LiteSpeed log parser (`/etc/crowdsec/parsers/s01-parse/litespeed-logs.yaml`) to match it.
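As an added example (not code from the LiteSpeed or CrowdSec documentation), the following Python script illustrates the second check above together with the "Lines parsed / unparsed" columns of `cscli metrics`: it parses access-log lines with a simplified stand-in for the default-format pattern (an assumption, not the collection's own grok rule), reports read/parsed/unparsed counts, and tallies error responses per client so you can see that a line written in a customized LogFormat is silently dropped before any scenario sees it.

```python
import re
from collections import Counter

# Simplified stand-in for the litespeed-logs parser (an assumption, not the
# collection's own grok rule). It matches the default LiteSpeed access-log
# format, which is Apache "combined":
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
DEFAULT_FORMAT = re.compile(
    r'^(?P<client_ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of a default-format line, or None if it does not parse."""
    match = DEFAULT_FORMAT.match(line.rstrip("\n"))
    return match.groupdict() if match else None

def acquisition_summary(lines):
    """Mimic the 'Lines read / parsed / unparsed' columns of `cscli metrics`."""
    parsed = sum(1 for line in lines if parse_line(line) is not None)
    return {"read": len(lines), "parsed": parsed, "unparsed": len(lines) - parsed}

def error_responses_by_ip(lines):
    """Count 4xx/5xx responses per client IP. Unparsed lines contribute nothing,
    which is why a customized LogFormat leaves the HTTP scenarios starved."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields and fields["status"][0] in "45":
            counts[fields["client_ip"]] += 1
    return dict(counts)

# Constructed sample lines (not real traffic): three in the default format and
# one from a customized LogFormat with a request-time field (%D) appended.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /old-site/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0" 1532',
]

if __name__ == "__main__":
    print("acquisition:", acquisition_summary(SAMPLE_LINES))
    print("error responses by IP:", error_responses_by_ip(SAMPLE_LINES))
```

If your own access.log lines come back as unparsed here, the real parser will drop them too, and the fix is to align either the LiteSpeed log format or `litespeed-logs.yaml`.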