

The LiteSpeed ADC Anti-DDoS feature can modify the server firewall through iptables and ipset to block suspicious IPs. This guide explains how to integrate LiteSpeed ADC's Anti-DDoS feature with the server firewall (iptables, csf and firewalld).

LiteSpeed ADC configuration

Log in to the ADC WebAdmin console at https://SERVER_IP:7090 and go to Configuration --> Security:

Set Enable Anti-DDoS Protection and Enable Firewall Modifications to Yes to enable Anti-DDoS protection.

Iptables configuration

# create the two ipsets the ADC writes to (-exist makes the commands safe to re-run)
ipset create ls-anti-ddos hash:ip hashsize 4096 -exist
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
# drop traffic from every IP the ADC adds to ls-anti-ddos
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
# accept UDP to the (QUIC) ports listed in ls-quic-ports
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT

ConfigServer Security & Firewall configuration

For csf, create the file /etc/csf/csfpost.sh with this content:

#!/bin/bash
# csfpost.sh runs after every csf start/reload, so the ipset creates use -exist
# to avoid an error when the sets already exist
ipset create ls-anti-ddos hash:ip hashsize 4096 -exist
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
# drop traffic from every IP the ADC adds to ls-anti-ddos
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
# accept UDP to the (QUIC) ports listed in ls-quic-ports
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT

and then reload csf with the command csf -r

Verify Ipset

Verify that the script works as intended by running ipset list; there should now be two sets, ls-anti-ddos and ls-quic-ports:

[root@test]# ipset list
...
...
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65680
References: 2
Members:

Name: ls-quic-ports
Type: bitmap:port
Revision: 1
Header: range 0-65535
Size in memory: 524432
References: 1
Members:

Test

There are several cases in which LiteSpeed ADC considers an incoming request suspicious, for example a failed reCAPTCHA test or a badly formatted request.

For demonstration purposes, we will use failed reCAPTCHA verification to trigger the block.

If a visitor fails verification many times within a short period, the firewall block is triggered and a log line like this is written:

[root@test logs]# grep ipset error.log
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0

If you run ipset list again, you will see content like this:

Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65696
References: 1
Members:
111.222.333.444

The IP will be removed from the block set after 10 minutes if it does not behave suspiciously any more.

You should see a log line like this:

2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 
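As an added example (not part of the LiteSpeed documentation), the script below reconciles the ADC's [FIREWALL] log lines with the live ls-anti-ddos set, so an IP that the log says was unblocked but is still in the set (or the reverse) shows up as drift. It assumes the log format shown above and the `ipset list` output format; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not LiteSpeed code: compare what the ADC logged against what
# the ls-anti-ddos ipset actually holds.

# IPs the ADC log still considers blocked: every 'ipset add' not undone later
# by an 'ipset del'. Reads log text on stdin, prints sorted IPs one per line.
ads_log_blocked() {
    awk '
        /\[FIREWALL\] execute command: .ipset (add|del) ls-anti-ddos / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "ls-anti-ddos") { ip = $(i + 1); break }
            gsub(/[^0-9a-fA-F:.]/, "", ip)   # tolerate a quote glued to the IP
            if ($0 ~ /ipset add ls-anti-ddos/) blocked[ip] = 1
            else delete blocked[ip]
        }
        END { for (ip in blocked) print ip }
    ' | sort
}

# Members of the named set from `ipset list` text on stdin: the lines after
# "Members:" of that set, up to the next blank line (first field only, so a
# trailing "timeout N" is ignored).
ipset_members() {
    awk -v set="$1" '
        /^Name:/ { cur = $2; on = 0 }
        cur == set && /^Members:/ { on = 1; next }
        /^$/ { on = 0 }
        on && NF { print $1 }
    ' | sort
}

# Arguments: ADC error.log path, saved `ipset list` output path.
# Prints "only-in-log IP" / "only-in-ipset IP" lines; returns 0 when they agree.
ads_reconcile() {
    a=$(mktemp); b=$(mktemp)
    ads_log_blocked < "$1" > "$a"
    ipset_members ls-anti-ddos < "$2" > "$b"
    # comm -3: column 1 = only in log, column 2 (tab-prefixed) = only in ipset
    drift=$(comm -3 "$a" "$b" | awk -F'\t' \
        '$1 != "" { print "only-in-log " $1 } $2 != "" { print "only-in-ipset " $2 }')
    rm -f "$a" "$b"
    if [ -z "$drift" ]; then return 0; fi
    printf '%s\n' "$drift"
    return 1
}

if [ "$#" -eq 2 ]; then ads_reconcile "$1" "$2"; fi
```

On a live server run it as `sh reconcile.sh /path/to/error.log <(ipset list)` or save `ipset list` to a file first; a non-zero exit means the log and the set disagree.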
  • Admin
  • Last modified: 2019/12/05 02:39
  • by qtwrk