Differences
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 01:41] qtwrk created |
litespeed_wiki:lslb:anti-ddos-firewall [2020/11/18 15:44] (current) Lisa Clarke Redirect to new Documentation Site |
Line 1: | Line 1: | ||
- | ===== How to use ConfigServer Security & Firewall (csf) together with LiteSpeed ADC for Anti-DDoS. ===== | + | ~~REDIRECT>https://docs.litespeedtech.com/products/lsadc/security/~~ |
- | + | ||
- | LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), and csf is commonly used firewall on many servers, this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with csf. | + | |
- | + | ||
- | + | ||
- | ==== LiteSpeed ADC configuration ==== | + | |
- | + | ||
- | Login to ADC webadmin console by https://SERVER_IP:7090 , go to ''Configuration'' --> ''Security'': | + | |
- | + | ||
- | set ''Enable Anti-DDoS Protection'' and ''Enable Firewall Modifications'' to ''Yes'' to enable Anti-DDoS protection. | + | |
- | + | ||
- | {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | + | |
- | + | ||
- | + | ||
- | + | ||
- | ==== ConfigServer Security & Firewall configuration ==== | + | |
- | + | ||
- | create file /etc/csf/csfpost.sh with content: | + | |
- | + | ||
- | <code>#!/bin/bash | + | |
- | ipset create ls-anti-ddos hash:ip hashsize 4096 | + | |
- | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | + | |
- | iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | + | |
- | + | ||
- | and then reload it by command ''csf -r'' | + | |
- | + | ||
- | verify if the script works as intent by checking with ''ipset list'', now there should be 2 blocks **ls-anti-ddos** and **ls-quic-ports** | + | |
- | + | ||
- | <code>[root@test csf]# ipset list | + | |
- | Name: chain_DENY | + | |
- | Type: hash:net | + | |
- | Revision: 3 | + | |
- | Header: family inet hashsize 1024 maxelem 65536 | + | |
- | Size in memory: 16784 | + | |
- | References: 2 | + | |
- | Members: | + | |
- | + | ||
- | Name: chain_ALLOW | + | |
- | Type: hash:net | + | |
- | Revision: 3 | + | |
- | Header: family inet hashsize 1024 maxelem 65536 | + | |
- | Size in memory: 16784 | + | |
- | References: 2 | + | |
- | Members: | + | |
- | + | ||
- | Name: ls-anti-ddos | + | |
- | Type: hash:ip | + | |
- | Revision: 1 | + | |
- | Header: family inet hashsize 4096 maxelem 65536 | + | |
- | Size in memory: 65680 | + | |
- | References: 2 | + | |
- | Members: | + | |
- | + | ||
- | Name: ls-quic-ports | + | |
- | Type: bitmap:port | + | |
- | Revision: 1 | + | |
- | Header: range 0-65535 | + | |
- | Size in memory: 524432 | + | |
- | References: 1 | + | |
- | Members:</code> | + | |
- | + | ||
- | + | ||
- | ==== Test ==== | + | |
- | + | ||
- | There are several cases the LiteSpeed ADC will consider an incoming request is suspicious , for example failed [[litespeed_wiki:lslb:recaptcha|reCAPTCHA]] test or bad-formatted request. | + | |
- | + | ||
- | For demonstration purpose , we will use reCAPTCHA failed verification to trigger the block. | + | |
- | + | ||
- | So if visitor failed to verify many times in short time , it will trigger the firewall blocking , and there is also log like this | + | |
- | + | ||
- | <code>[root@test logs]# grep ipset error.log | + | |
- | 2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code> | + | |
- | + | ||
- | and if run ''ipset list'' again , you will see content like this: | + | |
- | + | ||
- | <code>Name: ls-anti-ddos | + | |
- | Type: hash:ip | + | |
- | Revision: 1 | + | |
- | Header: family inet hashsize 4096 maxelem 65536 | + | |
- | Size in memory: 65696 | + | |
- | References: 1 | + | |
- | Members: | + | |
- | 111.222.333.444</code> | + | |
- | + | ||
- | The IP will be removed from block in 10 minutes if it doesn't behave suspiciously anymore. | + | |
- | + | ||
- | you should see log as this | + | |
- | + | ||
- | <code>2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </code> | + |
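Review bot: in the csfpost.sh block of the removed revision, the rule ordering lets a blocked source through on QUIC ports: each `iptables -I INPUT ...` inserts at position 1, so the last line, `iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT`, ends up evaluated before `iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP`, and UDP traffic from an address already in ls-anti-ddos to a port in ls-quic-ports is accepted before the DROP rule is reached. Insert the ACCEPT rule first (or add it with `-A`) so the ls-anti-ddos DROP is checked ahead of it. Separately, `ipset create ls-anti-ddos hash:ip hashsize 4096` lacks the `-exist` flag that the ls-quic-ports line carries, so every `csf -r` after the first will report that the set already exists; adding `-exist` there keeps the script idempotent.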