[self-solved] Logs not showing connection limit reached

[TiME]

Hello,

is it just me, or is Litespeed not logging "[x.x.x.x] Reached per client connection hard limit" anymore? I noticed, that these lines are missing on several Litespeed setups, even if I increase the limit to 10 connections or less. Some of these setups are for websites under DDoS and fail2ban needs these logs to ban bots, as you know, and it doesn't ban any IP, no matter what limit I set.

 

[webizen]

Please provide the following info just for better understanding your situation:
1. Your OS version
2. Your LSWS version
3. What is your current Per Client Throttle settings? You can paste here a screenshot of that section from your webadmin console.
4. When did the logging stop?
5. Can you recollect anything happened around that time?
6. What is the current logging level? Is it always set to the current level?

Regards,

Webizen

 

[TiME]

1.) centos-5-i386-hostinabox576 (CentOS Kernel 2.6.18-164.11.1.el5.028stab068.5)

2.) 4.0.17

3.) i56.tinypic*DOT*com/2a5kx2t*DOT*png

4.) About 5 days ago. I've only noticed it as the VPS got DDoS'd and crashed the whole node, 'cos fail2ban wasn't banning any IP.

5.) No I can't, I experienced this problem on several VPS' and fail2ban was working all the time before with a regex to read the connection limit reached lines from Litespeed log. I thought of a silent LSWS update or something like this, it's a really strange and sudden problem.

6.) Of course I've already checked that, it's the default setting (Debug, None) and it always worked before like that.

fail2ban filter rules are:

failregex = \[<HOST>\] Reached per client connection hard limit: \d+, close connection!
            \[<HOST>\] is over per client soft connection limit: \d+ for

but none of these lines are logged by Litespeed anymore, even though the Webserver is under DDoS and the connection limits are very very low (see "3.)")

 

[webizen]

Upgrade will not happen unless you click upgrade link in version manager or run 'install.sh' again and choose 'Upgrade' option. The point is upgrade would not silently happen.

You can run tool like ab (Apache Benchmarking tool) to hit connection limit and see if LSWS logs the IP (also make sure new requests do get logged in LSWS).

 

[TiME]

It works again, seems like it just was a different type of DDoS attack. Thanks for your help though, topic can be closed.