Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision | |||
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 15:28] Lisa Clarke Copyediting |
litespeed_wiki:lslb:anti-ddos-firewall [2020/11/18 15:44] (current) Lisa Clarke Redirect to new Documentation Site |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== ConfigServer Security & Firewall and Iptables ====== | + | ~~REDIRECT>https://docs.litespeedtech.com/products/lsadc/security/~~ |
- | + | ||
- | LiteSpeed ADC's Anti-DDoS feature can be used to modify a firewall via ''ifconfig'' and ''ipset'' to block suspicious IPs. This guide explains how to integrate the ADC's Anti-DDoS feature with either ConfigServer Security & Firewall (csf), or iptables. | + | |
- | + | ||
- | + | ||
- | ===== LiteSpeed ADC Configuration ===== | + | |
- | + | ||
- | Log into the ADC WebAdmin Console at ''<nowiki>https://SERVER_IP:7090</nowiki>''. navigate to **Configuration > Security**. | + | |
- | + | ||
- | Set **Enable Anti-DDoS Protection** and **Enable Firewall Modifications** to ''Yes'' to enable Anti-DDoS protection. | + | |
- | + | ||
- | {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | + | |
- | + | ||
- | ===== ConfigServer Security & Firewall Configuration ===== | + | |
- | + | ||
- | For csf, create the file ''/etc/csf/csfpost.sh'', and add the following content: | + | |
- | + | ||
- | <code>#!/bin/bash | + | |
- | ipset create ls-anti-ddos hash:ip hashsize 4096 | + | |
- | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | + | |
- | iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | + | |
- | + | ||
- | Reload with the command ''csf -r''. | + | |
- | + | ||
- | ===== Iptables Configuration ===== | + | |
- | + | ||
- | For iptables, run the following commands to set up the list and rules: | + | |
- | + | ||
- | <code> | + | |
- | ipset create ls-anti-ddos hash:ip hashsize 4096 | + | |
- | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | + | |
- | iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | + | |
- | + | ||
- | ===== Verify Ipset ===== | + | |
- | + | ||
- | Verify the script works as intended by checking with the ''ipset list'' command. You should see two blocks: **ls-anti-ddos** and **ls-quic-ports**. | + | |
- | + | ||
- | <code>[root@test]# ipset list | + | |
- | ... | + | |
- | ... | + | |
- | Name: ls-anti-ddos | + | |
- | Type: hash:ip | + | |
- | Revision: 1 | + | |
- | Header: family inet hashsize 4096 maxelem 65536 | + | |
- | Size in memory: 65680 | + | |
- | References: 2 | + | |
- | Members: | + | |
- | + | ||
- | Name: ls-quic-ports | + | |
- | Type: bitmap:port | + | |
- | Revision: 1 | + | |
- | Header: range 0-65535 | + | |
- | Size in memory: 524432 | + | |
- | References: 1 | + | |
- | Members:</code> | + | |
- | + | ||
- | ===== Test ===== | + | |
- | + | ||
- | There are several cases where LiteSpeed ADC will consider an incoming request suspicious. For example, a failed [[litespeed_wiki:lslb:recaptcha|reCAPTCHA]] test, or a badly formatted request. | + | |
- | + | ||
- | For demonstration purposes, we will use a reCAPTCHA failed verification to trigger the block. So, if a visitor fails to verify repeatedly in a short period of time, the firewall block will be triggered and a log generated, like this one: | + | |
- | + | ||
- | <code>[root@test logs]# grep ipset error.log | + | |
- | 2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code> | + | |
- | + | ||
- | If you run ''ipset list'' again, you will see content like this: | + | |
- | + | ||
- | <code>Name: ls-anti-ddos | + | |
- | Type: hash:ip | + | |
- | Revision: 1 | + | |
- | Header: family inet hashsize 4096 maxelem 65536 | + | |
- | Size in memory: 65696 | + | |
- | References: 1 | + | |
- | Members: | + | |
- | 111.222.333.444</code> | + | |
- | + | ||
- | The block on the IP will be removed in 10 minutes, if the suspicious behavior stops. At that point, you should see this in the log: | + | |
- | + | ||
- | <code>2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </code> | + |