Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:39] qtwrk |
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 15:28] Lisa Clarke Copyediting |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== How to use ConfigServer Security Firewall or Iptables together with LiteSpeed ADC for Anti-DDoS. ===== | + | ====== ConfigServer Security & Firewall and Iptables ====== |
| - | LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with server firewall (iptables, csf and firewalld) | + | LiteSpeed ADC's Anti-DDoS feature can be used to modify a firewall via ''ifconfig'' and ''ipset'' to block suspicious IPs. This guide explains how to integrate the ADC's Anti-DDoS feature with either ConfigServer Security & Firewall (csf), or iptables. |
| - | ==== LiteSpeed ADC configuration ==== | + | ===== LiteSpeed ADC Configuration ===== |
| - | Login to ADC webadmin console by https://SERVER_IP:7090 , go to ''Configuration'' --> ''Security'': | + | Log into the ADC WebAdmin Console at ''<nowiki>https://SERVER_IP:7090</nowiki>''. navigate to **Configuration > Security**. |
| - | set ''Enable Anti-DDoS Protection'' and ''Enable Firewall Modifications'' to ''Yes'' to enable Anti-DDoS protection. | + | Set **Enable Anti-DDoS Protection** and **Enable Firewall Modifications** to ''Yes'' to enable Anti-DDoS protection. |
| {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | ||
| - | ==== Iptables configuration ==== | + | ===== ConfigServer Security & Firewall Configuration ===== |
| - | <code> | + | For csf, create the file ''/etc/csf/csfpost.sh'', and add the following content: |
| + | |||
| + | <code>#!/bin/bash | ||
| ipset create ls-anti-ddos hash:ip hashsize 4096 | ipset create ls-anti-ddos hash:ip hashsize 4096 | ||
| ipset create ls-quic-ports bitmap:port range 0-65535 -exist | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | ||
| Line 21: | Line 23: | ||
| iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | ||
| + | Reload with the command ''csf -r''. | ||
| - | ==== ConfigServer Security & Firewall configuration ==== | + | ===== Iptables Configuration ===== |
| - | For csf, create file ''/etc/csf/csfpost.sh'' with content: | + | For iptables, run the following commands to set up the list and rules: |
| - | <code>#!/bin/bash | + | <code> |
| ipset create ls-anti-ddos hash:ip hashsize 4096 | ipset create ls-anti-ddos hash:ip hashsize 4096 | ||
| ipset create ls-quic-ports bitmap:port range 0-65535 -exist | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | ||
| Line 33: | Line 36: | ||
| iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | ||
| - | and then reload it by command ''csf -r'' | + | ===== Verify Ipset ===== |
| - | ==== Verify Ipset ==== | + | Verify the script works as intended by checking with the ''ipset list'' command. You should see two blocks: **ls-anti-ddos** and **ls-quic-ports**. |
| - | + | ||
| - | verify if the script works as intent by checking with ''ipset list'', now there should be 2 blocks **ls-anti-ddos** and **ls-quic-ports** | + | |
| <code>[root@test]# ipset list | <code>[root@test]# ipset list | ||
| Line 58: | Line 59: | ||
| Members:</code> | Members:</code> | ||
| + | ===== Test ===== | ||
| - | ==== Test ==== | + | There are several cases where LiteSpeed ADC will consider an incoming request suspicious. For example, a failed [[litespeed_wiki:lslb:recaptcha|reCAPTCHA]] test, or a badly formatted request. |
| - | There are several cases the LiteSpeed ADC will consider an incoming request is suspicious , for example failed [[litespeed_wiki:lslb:recaptcha|reCAPTCHA]] test or bad-formatted request. | + | For demonstration purposes, we will use a reCAPTCHA failed verification to trigger the block. So, if a visitor fails to verify repeatedly in a short period of time, the firewall block will be triggered and a log generated, like this one: |
| - | + | ||
| - | For demonstration purpose , we will use reCAPTCHA failed verification to trigger the block. | + | |
| - | + | ||
| - | So if visitor failed to verify many times in short time , it will trigger the firewall blocking , and there is also log like this | + | |
| <code>[root@test logs]# grep ipset error.log | <code>[root@test logs]# grep ipset error.log | ||
| 2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code> | 2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code> | ||
| - | and if run ''ipset list'' again , you will see content like this: | + | If you run ''ipset list'' again, you will see content like this: |
| <code>Name: ls-anti-ddos | <code>Name: ls-anti-ddos | ||
| Line 81: | Line 79: | ||
| 111.222.333.444</code> | 111.222.333.444</code> | ||
| - | The IP will be removed from block in 10 minutes if it doesn't behave suspiciously anymore. | + | The block on the IP will be removed in 10 minutes, if the suspicious behavior stops. At that point, you should see this in the log: |
| - | + | ||
| - | you should see log as this | + | |
| <code>2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </code> | <code>2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </code> | ||