an IP remains blocked after Banned Period (60 sec) passed

[GrAlex]

Hello,

Got an IP permanently blocked at LiteSpeed after Banned Period (60 sec) passed and several temporary blocks:

[root@server2 ~]# curl -I https://site-in-litespeed.com/
curl: (35) TCP connection reset by peer
[root@server2 ~]#

From logs:

2025-06-30 09:25:36.470576 [WARN] [4733] [T0] [95.xx.xx.235] bot detected for vhost [N/A], reason: OverConnHardLimit, block
2025-06-30 09:27:37.933102 [WARN] [4733] [T0] [95.xx.xx.235] bot detected for vhost [N/A], reason: OverConnHardLimit, block
2025-06-30 09:28:38.011827 [WARN] [4732] [T0] [95.xx.xx.235] bot detected for vhost [N/A], reason: OverConnHardLimit, block
2025-06-30 09:30:17.817095 [WARN] [1020639] [T0] [95.xx.xx.235] bot detected for vhost [N/A], reason: OverConnHardLimit, block
2025-06-30 12:08:44.646504 [WARN] [1255468] [T0] [95.xx.xx.235] bot detected for vhost [N/A], reason: OverConnHardLimit, block
2025-06-30 12:10:02.619421 [WARN] [1255468] [T0] [95.xx.xx.235] bot detected for vhost [N/A], reason: OverConnHardLimit, block

The IP got permanently blocked after 6 temporary blocks in my particular case.

And:

[root@server logs]# grep 95.xx.xx.235 /tmp/lshttpd/.rtreport*
/tmp/lshttpd/.rtreport:BLOCKED_IP: 95.xx.xx.235;C,
/tmp/lshttpd/.rtreport.2:BLOCKED_IP: 95.xx.xx.235;C,
[root@server logs]#

The both /tmp/lshttpd/.rtreport and /tmp/lshttpd/.rtreport.2 give empty string BLOCKED_IP: randomly, but the IP still remains blocked. The IP gets displayed again if I trigger a GET request to the server. It can be seen with watch:

[root@server logs]# watch grep BLOCKED_IP /tmp/lshttpd/.rtreport*

When reading https://docs.litespeedtech.com/lsws/cp/cpanel/antiddos/#layer-4-attacks-use-per-client-throttling I don't find any information about permanent blocks. As well as Denied List in the Access Control section is empty.

Running:

- Litespeed Web Server - Enterprise Edition - Version 6.3.3
- Kernel: 4.18.0-553.56.1.el8_10.x86_64
- OS: AlmaLinux 8.10 (Cerulean Leopard)

Per Client Throttling :

- Static Requests/second: 100
- Dynamic Requests/second: 32
- Outbound Bandwidth (bytes/sec): 0
- Inbound Bandwidth (bytes/sec): 0
- Connection Soft Limit: 32
- Connection Hard Limit: 64
- Block Bad Request: Yes
- Grace Period (sec): 15
- Banned Period (sec): 60


Kindly advice.

 

[GrAlex]

Managed to get the IP unblocked only after it was added as trusted into an allowed list of LiteSpeed.

The second test completed and I got the IP blocked permanently after 4 temporary blocks:

2025-06-30 15:02:52.516314 [WARN] [1436681] [T0] [95.xx.xx.235] bot detected for vhost [N/A], reason: OverConnHardLimit, block
2025-06-30 15:05:52.020066 [WARN] [1436682] [T0] [95.xx.xx.235] bot detected for vhost [APVH_www.secret-domain.com:443], reason: OverConnSoftLimit, block
2025-06-30 15:10:08.419040 [WARN] [1436681] [T0] [95.xx.xx.235] bot detected for vhost [N/A], reason: OverConnHardLimit, block
2025-06-30 15:11:09.087255 [WARN] [1436681] [T0] [95.xx.xx.235] bot detected for vhost [N/A], reason: OverConnHardLimit, block

kindly advice