litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:39] qtwrk (section: How to use ConfigServer Security Firewall or Iptables together with LiteSpeed ADC for Anti-DDoS)
litespeed_wiki:lslb:anti-ddos-firewall [2020/11/18 15:44] (current) Lisa Clarke: Redirect to new Documentation Site
===== How to use ConfigServer Security Firewall or Iptables together with LiteSpeed ADC for Anti-DDoS =====

The current revision of this page is a redirect to https://docs.litespeedtech.com/products/lsadc/security/ ; the text below is the 2019/12/05 revision.

LiteSpeed ADC's Anti-DDoS feature can modify the server firewall through ''iptables'' and ''ipset'' to block suspicious IP(s). This guide shows how to integrate the Anti-DDoS feature with the server firewall (plain iptables or csf). The firewall side creates two ipsets, ''ls-anti-ddos'' (the blocked source addresses) and ''ls-quic-ports'' (the UDP ports on which QUIC traffic is accepted), and ADC adds and removes entries in ''ls-anti-ddos'' at run time with ''ipset add'' / ''ipset del''.


==== LiteSpeed ADC configuration ====

Log in to the ADC WebAdmin console at https://SERVER_IP:7090 and go to ''Configuration'' --> ''Security''.

Set ''Enable Anti-DDoS Protection'' and ''Enable Firewall Modifications'' to ''Yes''. The first switches on detection; the second allows ADC to run the ''ipset'' commands that put suspicious addresses into the firewall set and take them out again.

{{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}}

==== Iptables configuration ====

Create the two ipsets and hook them into the ''INPUT'' and ''FORWARD'' chains. ''-I'' inserts each rule at the top of the chain, so insert the QUIC ''ACCEPT'' first: the ''DROP'' rules inserted afterwards then sit above it, and a blocked address cannot keep sending to the UDP QUIC ports. Neither ipsets nor iptables rules survive a reboot, so run these commands from a boot-time script (with csf, ''csfpost.sh'' in the next section serves that purpose).

<code>
# -exist makes the create a no-op when the set already exists
ipset create ls-anti-ddos hash:ip hashsize 4096 -exist
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
# QUIC ACCEPT first; the DROP rules inserted after it are placed above it
iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP</code>


==== ConfigServer Security & Firewall configuration ====

For csf, create the file ''/etc/csf/csfpost.sh'' with the following content. csf runs this script after loading its own rules, on every start and on every ''csf -r'', so the script is written to be repeatable: ''-exist'' keeps ''ipset create'' from failing on an existing set, and ''iptables -C'' skips a rule that is already in the chain instead of inserting a duplicate.

<code>#!/bin/bash
# sets: created only if missing
ipset create ls-anti-ddos hash:ip hashsize 4096 -exist
ipset create ls-quic-ports bitmap:port range 0-65535 -exist
# QUIC ACCEPT first, then the DROP rules, so the DROP is evaluated before the ACCEPT
iptables -C INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT 2>/dev/null || \
    iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
iptables -C INPUT -m set --match-set ls-anti-ddos src -j DROP 2>/dev/null || \
    iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP
iptables -C FORWARD -m set --match-set ls-anti-ddos src -j DROP 2>/dev/null || \
    iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP</code>

Then reload csf with ''csf -r''.

==== Verify Ipset ====

Verify that the script worked by running ''ipset list''; it should now show the two sets **ls-anti-ddos** and **ls-quic-ports**. ''References'' is the number of iptables rules that reference each set: 2 for ''ls-anti-ddos'' (INPUT and FORWARD) and 1 for ''ls-quic-ports''. Both sets are still empty at this point.

<code>[root@test]# ipset list
...
...
Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65680
References: 2
Members:

Name: ls-quic-ports
Type: bitmap:port
Revision: 1
Header: range 0-65535
Size in memory: 524432
References: 1
Members:</code>


==== Test ====

There are several cases in which LiteSpeed ADC considers an incoming request suspicious, for example a failed [[litespeed_wiki:lslb:recaptcha|reCAPTCHA]] test or a badly formatted request.

For demonstration purposes we use failed reCAPTCHA verification to trigger the block.

If a visitor fails verification many times within a short period, ADC adds the address to the firewall set, and a log line like the following appears in ADC's ''error.log'' (the address shown here is a placeholder):

<code>[root@test logs]# grep ipset error.log
2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code>

Running ''ipset list'' again now shows the address as a member of the set:

<code>Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65696
References: 1
Members:
111.222.333.444</code>

The IP is removed from the set after 10 minutes if it no longer behaves suspiciously, and a matching log entry is written:

<code>2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code>
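The script below is an added example for this page; it is not code from LiteSpeed, from ADC or from csf. It covers the two things the sections above rely on but never check: that the ''ls-anti-ddos'' DROP rule in ''INPUT'' is evaluated before any ACCEPT (the order the iptables/csf commands produce), and that the members of the kernel set agree with what the ''[FIREWALL]'' add/del lines in ''error.log'' say should currently be blocked. All three inputs (''iptables -S INPUT'' output, ''ipset list ls-anti-ddos'' output and the log excerpt) are constructed samples in the formats shown on this page, using documentation addresses (203.0.113.0/24, 198.51.100.0/24); on a real host replace them with captures.

```sh
#!/bin/sh
# Added example, not part of the LiteSpeed wiki page or of ADC.
# Offline checks over three captured outputs:
#   iptables -S INPUT        -> is the ls-anti-ddos DROP above every ACCEPT?
#   ADC error.log            -> replay the [FIREWALL] ipset add/del lines
#   ipset list ls-anti-ddos  -> do the kernel set members match the replay?
# Every sample string below is constructed; swap in real captures.

SETNAME=ls-anti-ddos

# Constructed `iptables -S INPUT` in the order the page's original commands
# produce: the QUIC ACCEPT was inserted last with -I, so it sits above the DROP.
RULES_AS_INSERTED='-P INPUT ACCEPT
-A INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
-A INPUT -m set --match-set ls-anti-ddos src -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Same rules with the DROP inserted last, i.e. evaluated first.
RULES_DROP_FIRST='-P INPUT ACCEPT
-A INPUT -m set --match-set ls-anti-ddos src -j DROP
-A INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Constructed error.log excerpt in the format shown on this page:
# 203.0.113.7 is added and later removed, 198.51.100.9 stays blocked,
# and one unrelated line mentioning the set name must be ignored.
ERRLOG="2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 203.0.113.7 ', ret: -1, status: 0
2019-12-04 20:29:02.112233 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 198.51.100.9 ', ret: -1, status: 0
2019-12-04 20:30:00.000001 [INFO] [24606] [T0] ls-anti-ddos mentioned outside a FIREWALL line
2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 203.0.113.7 ', ret: -1, status: 0"

# Constructed `ipset list ls-anti-ddos` output captured after the del above.
IPSET_LIST="Name: ls-anti-ddos
Type: hash:ip
Revision: 1
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65696
References: 2
Members:
198.51.100.9"

# drop_rule_first RULES: succeed only if the DROP rule matching $SETNAME as
# source comes before every ACCEPT rule in the chain (policy line ignored).
drop_rule_first() {
    printf '%s\n' "$1" | awk -v set="$SETNAME" '
        /^-P/ { next }
        { n++ }
        ($0 ~ ("--match-set " set " src -j DROP")) && !drop { drop = n }
        / -j ACCEPT$/ && !accept { accept = n }
        END { exit !(drop && (!accept || drop < accept)) }'
}

# blocked_from_log LOG: replay the add/del commands for $SETNAME and print
# the addresses that should still be in the set, one per line, sorted.
blocked_from_log() {
    printf '%s\n' "$1" | awk -v set="$SETNAME" '
        /\[FIREWALL\] execute command: .ipset (add|del) / {
            for (i = 2; i < NF; i++) if ($i == set) { act = $(i - 1); ip = $(i + 1) }
            if (act == "add") blocked[ip] = 1; else delete blocked[ip]
        }
        END { for (ip in blocked) print ip }' | sort
}

# members_from_ipset OUTPUT: print the entries listed under "Members:", sorted.
members_from_ipset() {
    printf '%s\n' "$1" | awk '/^Members:/ { m = 1; next } m && !NF { exit } m { print }' | sort
}

# reconcile LOG OUTPUT: succeed when the kernel set holds exactly the
# addresses the log replay says should be blocked.
reconcile() {
    [ "$(blocked_from_log "$1")" = "$(members_from_ipset "$2")" ]
}

report_order() {
    if drop_rule_first "$2"; then
        echo "$1: DROP for $SETNAME is evaluated before any ACCEPT"
    else
        echo "$1: an ACCEPT precedes the $SETNAME DROP, so blocked IPs still pass on it"
    fi
}

main() {
    report_order "rules as inserted by the page's original commands" "$RULES_AS_INSERTED"
    report_order "rules with the DROP inserted last" "$RULES_DROP_FIRST"
    echo "blocked according to error.log replay:"; blocked_from_log "$ERRLOG"
    if reconcile "$ERRLOG" "$IPSET_LIST"; then
        echo "ipset members match the log replay"
    else
        echo "MISMATCH between ipset members and the log replay"
    fi
}

main
```

On a live host, feed the functions real captures, e.g. `drop_rule_first "$(iptables -S INPUT)"` and `reconcile "$(grep FIREWALL /path/to/error.log)" "$(ipset list ls-anti-ddos)"`; a mismatch usually means the set was recreated (for example by a firewall reload) after ADC added entries, and the rule-order check is worth running after every ''csf -r''.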