DoS Defense: IPs Not Unbanned After Specified Ban Time

#1
Hello OpenLiteSpeed Community,
I am encountering an issue with the DoS Defense feature in OpenLiteSpeed where IPs do not get unbanned after the specified ban time has elapsed. I have reproduced this problem on two different operating systems:
  • CentOS 7.9
  • Debian 11

    OLS Version: 1.7.19

Issue Details:
  1. Configuration:
    • DoS Defense is configured with a 60-second hard limit ban time.
    • When an IP exceeds the threshold, it gets banned as expected.
  2. Problem:
    • The IP remains banned even after the specified ban time (60 seconds) has passed.
    • The only way to unban the IP is to restart the LiteSpeed server (lsws service restart).
  3. Observations:
    • I cannot find the banned IP in any configuration files.
    • It seems that the ban might be held in memory, as a server restart is required to clear the ban.
    • After the IP is unbanned by restarting the server, if it gets banned again, the same issue occurs.
Steps to Reproduce:
  1. Configure DoS Defense with a 60-second hard limit ban time.
  2. Trigger a ban by exceeding the threshold from a specific IP. (Apache Bench is good for this)
  3. Wait for the ban time to elapse.
  4. Observe that the IP is still banned.
  5. Restart the LSWS service to unban the IP.
Additional Information:
  • LiteSpeed version: 1.7.19
  • Configuration screenshot attached (30 seconds ban time)
Request:
  • Guidance on how to properly manage or clear the ban list without needing to restart the service.
  • Confirmation if this is a known issue or if there are any patches/updates available to address this problem.
  • Any additional troubleshooting steps or configuration adjustments that might resolve this issue.
Thank you for your assistance.
Best regards,

Cold-Egg

Administrator
#3
Hi @mister_x
It works in my test. When OLS bans an IP, you can run the following command to check it.
Code:
grep BLOCKED_IP /tmp/lshttpd/.rtreport*
You feel the banned IP was not getting released; maybe it hit the limit again. Please check the error log, it should show something like "Reached per client hard connection limit" or "bot detected for vhost" when it hits the threshold.
#5
Hi again @Cold-Egg

I simulated it again, the blocking works fine but the unblock does not happen as it should after the time has elapsed.

For triggering the block I run from my local machine:

ab -n 2000 -c 200 -k -H "Accept-Encoding: gzip, deflate" https://website-sample.com/

Then no blocked IP is reported:

[root@web /]# grep BLOCKED_IP /tmp/lshttpd/.rtreport*
/tmp/lshttpd/.rtreport:BLOCKED_IP:
/tmp/lshttpd/.rtreport.2:BLOCKED_IP:

Meanwhile, my local IP remains in 403 Forbidden status until an LSWS restart. I cannot access the web service from this local machine from the current IP until an LSWS restart.

PS. I cannot identify where the banned IP is; I have checked iptables, but there is nothing there either. This is why I suspect it resides somewhere in the LSWS service memory.
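
As an added example (not part of this thread, and not OpenLiteSpeed's own tooling), the following POSIX shell harness automates the check Cold-Egg suggests and the reproduction described above: run on the OLS server while a third machine generates load with ab, it polls /tmp/lshttpd/.rtreport* for the client IP, records when the IP appears in and leaves the BLOCKED_IP list, and tails the matching error-log lines. Assumptions: the BLOCKED_IP line lists addresses comma- or space-separated after the colon, the error log is at /usr/local/lsws/logs/error.log, and the IP, ban time and URL are placeholders.

```shell
#!/bin/sh
# Added example: verify whether OLS DoS Defense releases a banned IP on time.
# Run ON THE SERVER. Generate the load from a third host (per Cold-Egg), e.g.
#   ab -n 2000 -c 200 -k https://website-sample.com/      (URL is a placeholder)
# then on the server:
#   sh ols-ban-watch.sh --watch 203.0.113.7 60            (IP/ban time placeholders)

RTREPORT_GLOB="${RTREPORT_GLOB:-/tmp/lshttpd/.rtreport*}"
ERRLOG="${ERRLOG:-/usr/local/lsws/logs/error.log}"   # default OLS log path (assumption)

# Read .rtreport text (or `grep BLOCKED_IP` output) on stdin and print the
# listed IPs one per line, sorted and de-duplicated. Assumes the list after
# "BLOCKED_IP:" is comma- or space-separated; an empty list prints nothing.
blocked_ips() {
    sed -n 's/^.*BLOCKED_IP:[[:space:]]*//p' \
        | tr -s ', ' '\n\n' \
        | sed '/^$/d' \
        | sort -u
}

# Exit 0 if $1 is currently in the BLOCKED_IP list of any report file.
is_blocked() {
    cat $RTREPORT_GLOB 2>/dev/null | blocked_ips | grep -qxF "$1"
}

# Poll once a second until $1 leaves the list or $2 seconds pass.
# Prints the seconds waited; exit 0 = released, exit 1 = still listed.
wait_unban() {
    ip=$1; limit=$2; waited=0
    while is_blocked "$ip"; do
        if [ "$waited" -ge "$limit" ]; then
            echo "$waited"
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "$waited"
}

# Show the most recent DoS Defense messages named in the thread, if the log is readable.
ban_log_hits() {
    if [ -r "$ERRLOG" ]; then
        grep -E 'Reached per client hard connection limit|bot detected for vhost' "$ERRLOG" | tail -n 5
    fi
}

# watch_ban CLIENT_IP BAN_SECONDS: wait for the ban, then time its release.
# Waiting up to 2x the configured ban time separates "released late" from
# "never released" (the behaviour reported above).
watch_ban() {
    ip=$1; ban=$2
    echo "waiting for $ip to appear in BLOCKED_IP ..."
    while ! is_blocked "$ip"; do sleep 1; done
    echo "$(date '+%T') $ip banned; expecting release in about ${ban}s"
    ban_log_hits
    if waited=$(wait_unban "$ip" $((ban * 2))); then
        echo "$(date '+%T') $ip released after ${waited}s"
    else
        echo "$(date '+%T') $ip still listed after ${waited}s (over 2x ban time): unban did not happen"
        ban_log_hits   # a fresh limit hit here would explain the extended ban
    fi
}

case "${1:-}" in
    --watch) watch_ban "$2" "${3:-60}" ;;
esac
```

If the IP never shows up in BLOCKED_IP yet the client keeps getting 403 (as in the post above), the harness will wait at the first loop indefinitely; that itself is a useful observation, because it means the block is not being reported through .rtreport at all.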

Cold-Egg

Administrator
#6
Please make sure you trigger the ban via a third server or device; otherwise, you may lose the connection and not be able to check the .rtreport and the server error log. If you can still reproduce it, please submit the issue to support@litespeedtech.com with this forum post link appended.
#7
Please make sure you trigger the ban via a third server or device; otherwise, you may lose the connection and not be able to check the .rtreport and the server error log. If you can still reproduce it, please submit the issue to support@litespeedtech.com with this forum post link appended.
Thanks for your reply.

The ban happens at the web service level; I can still access SSH and the Admin Panel on 7080 from the same IP, which gets 403 Forbidden if I try to access the website on ports 80/443.

I can reproduce the issue every time. I strongly believe it is a bug. I'll send the e-mail to support.

Thanks.