How to use ConfigServer Security Firewall or Iptables together with LiteSpeed ADC for Anti-DDoS.
The LiteSpeed ADC Anti-DDoS feature can modify the server firewall through ipset (with matching iptables rules) to block suspicious IPs. This guide shows how to integrate LiteSpeed ADC's Anti-DDoS feature with the server firewall (iptables, csf and firewalld).
LiteSpeed ADC configuration
Log in to the ADC WebAdmin console at https://SERVER_IP:7090, go to Configuration --> Security, and set Enable Anti-DDoS Protection and Enable Firewall Modifications to Yes to enable Anti-DDoS protection.
Iptables configuration
ipset create ls-anti-ddos hash:ip hashsize 4096 -exist
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
ConfigServer Security & Firewall configuration
For csf, create the file /etc/csf/csfpost.sh with this content:
#!/bin/bash
# Create the two ipsets; -exist makes the script safe to re-run on csf -r
ipset create ls-anti-ddos hash:ip hashsize 4096 -exist
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
# Drop traffic from any IP the ADC adds to ls-anti-ddos
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP
# Accept UDP to the ports listed in ls-quic-ports (QUIC)
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
and then reload csf with the command csf -r
Verify Ipset
Verify that the script works as intended by running ipset list; there should now be two sets, ls-anti-ddos and ls-quic-ports. Note that each iptables rule is inserted with -I, so the last one added (the UDP ACCEPT for ls-quic-ports) sits above the ls-anti-ddos DROP in INPUT; check the resulting order with iptables -S INPUT if you need blocked sources dropped before that accept.
[root@test]# ipset list
...
...
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65680
References: 2
Members:

Name: ls-quic-ports
Type: bitmap:port
Revision: 1
Header: range 0-65535
Size in memory: 524432
References: 1
Members:
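To make the rule-order check above repeatable, here is an added example (not from the LiteSpeed page or the csf project) that reads `iptables -S INPUT` output from a file and reports whether the ls-anti-ddos DROP or the ls-quic-ports ACCEPT comes first. SAMPLE_RULES is a constructed copy of what that command prints after the two -I commands above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the LiteSpeed page: report the order of the two rules
# the page's iptables commands leave in INPUT. Both are inserted with -I, so the
# one added last ends up first. Reading from a file keeps the check testable
# offline; SAMPLE_RULES is a constructed `iptables -S INPUT` listing.

SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
-P INPUT ACCEPT
-A INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
-A INPUT -m set --match-set ls-anti-ddos src -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF

# 1-based position of the first "-A INPUT" rule in file $1 containing $2,
# or 0 when no rule matches (the -P policy line is not counted).
ads_rule_pos() {
    awk -v pat="$2" '
        /^-A INPUT / { n++; if (!found && index($0, pat)) found = n }
        END { print found + 0 }
    ' "$1"
}

# Which of the two page rules comes first in $1: prints "drop-first",
# "accept-first", or "missing" when either rule is absent.
ads_rule_order() {
    drop=$(ads_rule_pos "$1" "--match-set ls-anti-ddos src -j DROP")
    accept=$(ads_rule_pos "$1" "--match-set ls-quic-ports dst -j ACCEPT")
    if [ "$drop" -eq 0 ] || [ "$accept" -eq 0 ]; then
        echo missing
    elif [ "$drop" -lt "$accept" ]; then
        echo drop-first
    else
        echo accept-first
    fi
}

echo "Order in the constructed sample: $(ads_rule_order "$SAMPLE_RULES")"
# On a live host (root): iptables -S INPUT > /tmp/input.rules; ads_rule_order /tmp/input.rules
```

On the constructed listing the result is accept-first, which is exactly what the page's two -I commands produce; if you reorder the rules, rerun the check to confirm drop-first.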
Test
There are several cases in which LiteSpeed ADC considers an incoming request suspicious, for example a failed reCAPTCHA test or a badly formatted request.
For demonstration purposes we will use failed reCAPTCHA verification to trigger the block.
If a visitor fails verification many times within a short period, the firewall block is triggered and a log entry like this appears:
[root@test logs]# grep ipset error.log
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0
If you run ipset list again, you will see content like this:
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65696
References: 1
Members:
111.222.333.444
The IP is removed from the block set after 10 minutes if it no longer behaves suspiciously; you should then see a log entry like this:
2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0
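The add and del log lines above are what an operator has to reconcile against the live set when checking that the integration works. The following added example (not from the LiteSpeed page or the csf project) parses [FIREWALL] lines in the page's format into the IPs that should currently be blocked, counts how often each IP was blocked, and, on the ADC host, compares that against the live ipset. The log lines in SAMPLE_LOG are constructed here with RFC 5737 documentation addresses; the function names and the error.log path placeholder are this example's own.

```shell
#!/bin/sh
# Added example, not from the LiteSpeed page: reconcile the ADC's [FIREWALL]
# 'ipset add' / 'ipset del' log lines into the expected contents of the
# ls-anti-ddos set. The set name is the page's; SAMPLE_LOG is constructed in
# the page's log format with RFC 5737 documentation addresses.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 192.0.2.10 ', ret: -1, status: 0
2019-12-04 20:29:02.112233 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 198.51.100.7 ', ret: -1, status: 0
2019-12-04 20:30:00.000000 [NOTICE] [24606] [T0] [MAIN] unrelated line that also mentions ipset
2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 192.0.2.10 ', ret: -1, status: 0
2019-12-04 20:40:11.555555 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 192.0.2.10 ', ret: -1, status: 0
EOF

# IPs whose latest event for set $2 (default ls-anti-ddos) in log $1 is an
# "ipset add" with no later "ipset del"; one per line, sorted.
ads_blocked_ips() {
    awk -v setname="${2:-ls-anti-ddos}" '
        /\[FIREWALL\] execute command: .ipset (add|del) / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == setname) { ip = $(i + 1); break }
            if (ip == "") next
            if ($0 ~ ("ipset add " setname " ")) blocked[ip] = 1
            else delete blocked[ip]
        }
        END { for (ip in blocked) print ip }
    ' "$1" | sort
}

# How many times each IP was added to set $2 in log $1: "count ip", most
# frequent first, so repeat offenders stand out.
ads_add_counts() {
    awk -v setname="${2:-ls-anti-ddos}" '
        /\[FIREWALL\] execute command: .ipset add / {
            for (i = 1; i <= NF; i++) if ($i == setname) { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# On the ADC host (needs root): IPs the log says should be blocked but are
# missing from the live set, and vice versa. Skips cleanly without ipset.
ads_live_diff() {
    if ! command -v ipset >/dev/null 2>&1; then
        echo "ipset not available; skipping live comparison" >&2
        return 0
    fi
    live=$(mktemp)
    ipset list "${2:-ls-anti-ddos}" \
        | awk '/^Members:/ { m = 1; next } m && NF { print $1 }' | sort > "$live"
    # Lines in column 1 exist only in the log, column 2 only in the live set
    ads_blocked_ips "$1" "${2:-ls-anti-ddos}" | comm -3 - "$live"
    rm -f "$live"
}

echo "Blocked according to the log:"
ads_blocked_ips "$SAMPLE_LOG"
echo "Block events per IP:"
ads_add_counts "$SAMPLE_LOG"
# On the ADC host: ads_live_diff /path/to/error.log
```

In the constructed log 192.0.2.10 is added, released after the 10-minute window, then added again, so it is reported as blocked with two add events; 198.51.100.7 is blocked once and the unrelated line is ignored. An empty output from ads_live_diff means the log and the live set agree.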