Using CyberPanel OpenliteSpeed and Crowdsec

Hi!

This is my first contact with crowdsec and openlitespeed. I have always used apache and fail2ban.
I'm trying to understand crowdsec, but I need some help.

First of all, can crowdsec “http” scenarios work with openlitespeed?

If yes! :)

Where can I add my log files?
I have some files in

/etc/crowdsec/acquis.yml
```yaml
journalctl_filter:
  - _SYSTEMD_UNIT=apache2.service
labels:
  type: apache2
---
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: mysql) / files : /var/log/mysql/error.log
filenames:
  - /var/log/mysql/error.log
labels:
  type: mysql
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log
filenames:
  - /var/log/syslog
  - /var/log/kern.log
labels:
  type: syslog
```

I want to add these files to log XSS attacks, DDoS and all available scenarios

/home/*/logs/*.access_log

NOBODY CAN HELP ME?
Waiting for some help.

Hello @Rhandyx !

Sorry for the delay, missed your message :)

Yes, it should, as long as the log format is understood.

Can you provide some log samples of your openlitespeed server? We’re looking for access and error logs here.

Hi

OpenLiteSpeed Error log is empty…

To get my real IP I have configured OLS like this:

https://openlitespeed.org/kb/show-real-visitor-ip-instead-of-cloudflare-ips/

Access log for one test site

"66.249.93.189 - - [27/Dec/2022:01:04:50 +0000] "GET /wp-content/uploads/2019/07/product-01-1-422x440.jpg.webp HTTP/2" 200 5764 "https://s02.lojadeportugal.pt/" "Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4590.2 Mobile Safari/537.36 Chrome-Lighthouse""
"66.249.93.174 - - [27/Dec/2022:01:04:50 +0000] "GET /wp-content/uploads/2018/08/product-28-13-407x440.jpg.webp HTTP/2" 200 3856 "https://s02.lojadeportugal.pt/" "Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4590.2 Mobile Safari/537.36 Chrome-Lighthouse""
"66.249.93.185 - - [27/Dec/2022:01:04:50 +0000] "GET /wp-content/uploads/2022/10/loja-de-portugal-1.png HTTP/2" 200 13525 "https://s02.lojadeportugal.pt/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4590.2 Safari/537.36 Chrome-Lighthouse""
"66.249.93.187 - - [27/Dec/2022:01:04:50 +0000] "GET /wp-content/uploads/2018/08/product-28-13-407x440.jpg HTTP/2" 200 7557 "https://s02.lojadeportugal.pt/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4590.2 Safari/537.36 Chrome-Lighthouse""
"66.249.93.189 - - [27/Dec/2022:01:04:50 +0000] "GET /wp-content/uploads/2022/12/uvas.jpg HTTP/2" 200 17811 "https://s02.lojadeportugal.pt/" "Mozilla/5.0 (Macintosh; Int

Logs From CROWDSEC PLUGIN /wp-content/plugins/crowdsec/logs

2022-12-28T21:24:35.702419+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"3.238.255.1","cache":"hit"}
2022-12-28T21:24:35.702566+00:00|200|{"type":"FINAL_REMEDIATION","ip":"3.238.255.1","remediation":"bypass"}
2022-12-28T21:24:35.727285+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"3.227.240.24","x_forwarded_for_ip":"3.227.240.24"}
2022-12-28T21:24:35.759419+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"3.227.240.24","cache":"miss"}
2022-12-28T21:24:35.759669+00:00|200|{"type":"FINAL_REMEDIATION","ip":"3.227.240.24","remediation":"bypass"}
2022-12-28T21:24:35.848880+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"54.89.190.46","x_forwarded_for_ip":"54.89.190.46"}
2022-12-28T21:24:35.849156+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"54.89.190.46","cache":"hit"}
2022-12-28T21:24:35.860509+00:00|200|{"type":"FINAL_REMEDIATION","ip":"54.89.190.46","remediation":"bypass"}
2022-12-28T21:24:35.929565+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"3.235.15.10","x_forwarded_for_ip":"3.235.15.10"}
2022-12-28T21:24:35.929842+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"3.235.15.10","cache":"hit"}
2022-12-28T21:24:35.930012+00:00|200|{"type":"FINAL_REMEDIATION","ip":"3.235.15.10","remediation":"bypass"}
2022-12-28T21:24:36.024869+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"3.89.116.106","x_forwarded_for_ip":"3.89.116.106"}
2022-12-28T21:24:36.025210+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"3.89.116.106","cache":"hit"}

IMPORTANT !!
I'm using cyberpanel and OPENLITESPEED logs are saved in
/home/domain.tld/logs
I'm thinking I should add this path to the crowdsec logs

/home/*/logs/*.access_log
/home/*/logs/*.erro_log
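
The reply earlier in this thread makes support conditional on the log format being understood, and the access-log samples posted here look like Combined Log Format. As an added example (not code from the thread or from CrowdSec), this Python check reports which lines of an access log follow that format and which do not, including a line cut off mid-field; the regex, function names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Combined Log Format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IPs, example.com), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [27/Dec/2022:01:04:50 +0000] "GET /img/a.jpg.webp HTTP/2" '
    '200 5764 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    # Same format, but wrapped in an extra pair of quotes as in a forum paste.
    '"203.0.113.8 - - [27/Dec/2022:01:04:51 +0000] "GET /index.php HTTP/1.1" '
    '404 - "-" "curl/8.0""',
    # Cut off inside the user-agent field: must be rejected, not half-parsed.
    '203.0.113.9 - - [27/Dec/2022:01:04:52 +0000] "GET /img/b.jpg HTTP/2" '
    '200 17811 "https://example.com/" "Mozilla/5.0 (Macintosh; Int',
]

def parse_line(line):
    """Return the fields of one Combined Log Format line, or None if it does not match."""
    line = line.strip()
    if line.startswith('"') and line.endswith('""'):
        line = line[1:-1]  # drop the wrapping quotes added by a paste
    m = COMBINED.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        fields["time"] = datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None  # bracketed field is present but is not a valid timestamp
    fields["status"] = int(fields["status"])
    return fields

def check(lines):
    """Return (parsed_records, rejected), where rejected holds (line_number, text)."""
    parsed, rejected = [], []
    for number, line in enumerate(lines, 1):
        record = parse_line(line)
        if record is None:
            rejected.append((number, line))
        else:
            parsed.append(record)
    return parsed, rejected
```

Calling `check(open(path))` on one of the per-site access logs gives the rejected line numbers to inspect before relying on detections from that file.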