Differences

This shows you the differences between two versions of the page.

--- litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 15:28]
Lisa Clarke Copyediting
+++ litespeed_wiki:lslb:anti-ddos-firewall [2020/11/18 15:44] (current)
Lisa Clarke Redirect to new Documentation Site
@@ Line 1: / Line 1: @@
-====== ConfigServer Security & Firewall and Iptables ======
+~~REDIRECT>https://docs.litespeedtech.com/products/lsadc/security/~~
-LiteSpeed ADC's Anti-DDoS feature can be used to modify a firewall via ''ifconfig'' and ''ipset'' to block suspicious IPs. This guide explains how to integrate the ADC's Anti-DDoS feature with either ConfigServer Security & Firewall (csf), or iptables.
-===== LiteSpeed ADC Configuration =====
-Log into the ADC WebAdmin Console at ''<nowiki>https://SERVER_IP:7090</nowiki>''. navigate to **Configuration > Security**.
-Set **Enable Anti-DDoS Protection** and **Enable Firewall Modifications** to ''Yes'' to enable Anti-DDoS protection.
-{{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}}
-===== ConfigServer Security & Firewall Configuration =====
-For csf, create the file ''/etc/csf/csfpost.sh'', and add the following content:
-<code>#!/bin/bash
-ipset create ls-anti-ddos hash:ip hashsize 4096
-ipset create ls-quic-ports bitmap:port range 0-65535 -exist
-iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
-iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
-iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code>
-Reload with the command ''csf -r''.
-===== Iptables Configuration =====
-For iptables, run the following commands to set up the list and rules:
-<code>
-ipset create ls-anti-ddos hash:ip hashsize 4096
-ipset create ls-quic-ports bitmap:port range 0-65535 -exist
-iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
-iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
-iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code>
-===== Verify Ipset =====
-Verify the script works as intended by checking with the ''ipset list'' command. You should see two blocks: **ls-anti-ddos** and **ls-quic-ports**.
-<code>[root@test]# ipset list
-...
-...
-Name: ls-anti-ddos
-Type: hash:ip
-Revision: 1
-Header: family inet hashsize 4096 maxelem 65536
-Size in memory: 65680
-References: 2
-Members:
-Name: ls-quic-ports
-Type: bitmap:port
-Revision: 1
-Header: range 0-65535
-Size in memory: 524432
-References: 1
-Members:</code>
-===== Test =====
-There are several cases where LiteSpeed ADC will consider an incoming request suspicious. For example, a failed [[litespeed_wiki:lslb:recaptcha|reCAPTCHA]] test, or a badly formatted request.
-For demonstration purposes, we will use a reCAPTCHA failed verification to trigger the block. So, if a visitor fails to verify repeatedly in a short period of time, the firewall block will be triggered and a log generated, like this one:
-<code>[root@test logs]# grep ipset error.log
--12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code>
-If you run ''ipset list'' again, you will see content like this:
-<code>Name: ls-anti-ddos
-Type: hash:ip
-Revision: 1
-Header: family inet hashsize 4096 maxelem 65536
-Size in memory: 65696
-References: 1
-Members:
-.222.333.444</code>
-The block on the IP will be removed in 10 minutes, if the suspicious behavior stops. At that point, you should see this in the log:
-<code>2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </code>