litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:19] qtwrk |
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 15:28] Lisa Clarke Copyediting |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== How to use firewall together with LiteSpeed ADC for Anti-DDoS. ===== | + | ====== ConfigServer Security & Firewall and Iptables ====== |
- | LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with server firewall (iptables, csf and firewalld) | + | LiteSpeed ADC's Anti-DDoS feature can be used to modify a firewall via ''ifconfig'' and ''ipset'' to block suspicious IPs. This guide explains how to integrate the ADC's Anti-DDoS feature with either ConfigServer Security & Firewall (csf), or iptables. |
- | ==== LiteSpeed ADC configuration ==== | + | ===== LiteSpeed ADC Configuration ===== |
- | Login to ADC webadmin console by https://SERVER_IP:7090 , go to ''Configuration'' --> ''Security'': | + | Log into the ADC WebAdmin Console at ''<nowiki>https://SERVER_IP:7090</nowiki>''. navigate to **Configuration > Security**. |
- | set ''Enable Anti-DDoS Protection'' and ''Enable Firewall Modifications'' to ''Yes'' to enable Anti-DDoS protection. | + | Set **Enable Anti-DDoS Protection** and **Enable Firewall Modifications** to ''Yes'' to enable Anti-DDoS protection. |
{{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | ||
- | ==== Firewalld configuration ==== | + | ===== ConfigServer Security & Firewall Configuration ===== |
- | <code>ipset create ls-anti-ddos hash:ip hashsize 4096 | + | For csf, create the file ''/etc/csf/csfpost.sh'', and add the following content: |
- | ipset create ls-quic-ports bitmap:port range 0-65535 -exist</code> | + | |
- | + | ||
- | + | ||
- | ==== ConfigServer Security & Firewall and Iptables configuration ==== | + | |
- | + | ||
- | For csf, create file ''/etc/csf/csfpost.sh'' with content: | + | |
<code>#!/bin/bash | <code>#!/bin/bash | ||
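Review bot: both the old and the new intro say the ADC modifies the firewall via ''ifconfig'' and ''ipset'', but every rule on this page is an iptables rule and the log lines further down show ipset commands; ifconfig configures network interfaces, not firewall rules, so please confirm whether this should read ''iptables''. Minor style point in the same hunk: "navigate to **Configuration > Security**" follows a full stop and should start with a capital N.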
Line 29: | Line 23: | ||
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | ||
- | and then reload it by command ''csf -r'' | + | Reload with the command ''csf -r''. |
- | for iptables , run above two ''ipset'' commands and three ''iptablets'' commands to create the list and block rule. | + | ===== Iptables Configuration ===== |
+ | For iptables, run the following commands to set up the list and rules: | ||
+ | <code> | ||
+ | ipset create ls-anti-ddos hash:ip hashsize 4096 | ||
+ | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | ||
+ | iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP | ||
+ | iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP | ||
+ | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | ||
- | ==== Verify Ipset ==== | + | ===== Verify Ipset ===== |
- | verify if the script works as intent by checking with ''ipset list'', now there should be 2 blocks **ls-anti-ddos** and **ls-quic-ports** | + | Verify the script works as intended by checking with the ''ipset list'' command. You should see two blocks: **ls-anti-ddos** and **ls-quic-ports**. |
<code>[root@test]# ipset list | <code>[root@test]# ipset list | ||
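Review bot: the rule order in the iptables section looks inverted. All three ''iptables'' commands use ''-I'', which inserts at the top of the chain, so the one run last (''iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT'') ends up above the ''ls-anti-ddos'' DROP rule, and a source that is in the block set can still reach the QUIC UDP ports. Run the UDP ACCEPT command first so that the two DROP rules inserted afterwards sit above it; the same ordering concern applies to ''csfpost.sh'', whose last visible line is that same ACCEPT rule. Also, ''ipset create ls-anti-ddos hash:ip hashsize 4096'' lacks the ''-exist'' flag that the ''ls-quic-ports'' line has, so re-running the block (for example every time csfpost.sh runs on ''csf -r'') errors on the already-existing set; add ''-exist'' to both. For the plain iptables path it is worth stating that neither the sets nor the rules survive a reboot unless they are saved.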
Line 58: | Line 59: | ||
Members:</code> | Members:</code> | ||
+ | ===== Test ===== | ||
- | ==== Test ==== | + | There are several cases where LiteSpeed ADC will consider an incoming request suspicious. For example, a failed [[litespeed_wiki:lslb:recaptcha|reCAPTCHA]] test, or a badly formatted request. |
- | There are several cases the LiteSpeed ADC will consider an incoming request is suspicious , for example failed [[litespeed_wiki:lslb:recaptcha|reCAPTCHA]] test or bad-formatted request. | + | For demonstration purposes, we will use a reCAPTCHA failed verification to trigger the block. So, if a visitor fails to verify repeatedly in a short period of time, the firewall block will be triggered and a log generated, like this one: |
- | + | ||
- | For demonstration purpose , we will use reCAPTCHA failed verification to trigger the block. | + | |
- | + | ||
- | So if visitor failed to verify many times in short time , it will trigger the firewall blocking , and there is also log like this | + | |
<code>[root@test logs]# grep ipset error.log | <code>[root@test logs]# grep ipset error.log | ||
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code> | 2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code> | ||
- | and if run ''ipset list'' again , you will see content like this: | + | If you run ''ipset list'' again, you will see content like this: |
<code>Name: ls-anti-ddos | <code>Name: ls-anti-ddos | ||
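Review bot: the address ''111.222.333.444'' in the sample log line is not a valid IPv4 address (octets above 255), so a real ''ipset add'' would reject it; use an address from a documentation range such as 192.0.2.0/24 (RFC 5737) so the example is reproducible. The same line reports ''ret: -1, status: 0'' for an add that evidently succeeded, since the IP is listed as a member afterwards; the text should say which field indicates success, otherwise readers will take ''ret: -1'' as a failure.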
Line 81: | Line 79: | ||
111.222.333.444</code> | 111.222.333.444</code> | ||
- | The IP will be removed from block in 10 minutes if it doesn't behave suspiciously anymore. | + | The block on the IP will be removed in 10 minutes, if the suspicious behavior stops. At that point, you should see this in the log: |
- | + | ||
- | you should see log as this | + | |
<code>2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </code> | <code>2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </code> |
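Review bot: the 10-minute removal depends entirely on the ADC issuing the ''ipset del'' shown in this log line; the set was created as ''hash:ip'' without a ''timeout'' option, so if the ADC is stopped or restarted between the add and the del, the entry stays blocked indefinitely. Either document this or create the set with a ''timeout'' so stale entries expire on their own. It would also help to state whether the 10-minute interval is fixed or configurable.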