Differences
This shows you the differences between two versions of the page.
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:40] qtwrk |
litespeed_wiki:lslb:anti-ddos-firewall [2020/11/18 15:44] (current) Lisa Clarke Redirect to new Documentation Site |
Line 1: | Line 1: | ||
- | ===== How to use ConfigServer Security Firewall or Iptables together with LiteSpeed ADC for Anti-DDoS. ===== | + | ~~REDIRECT>https://docs.litespeedtech.com/products/lsadc/security/~~ |
- | + | ||
- | LiteSpeed ADC Anti-DDoS feature can modify firewall via ''ifconfig'' and ''ipset'' to block suspicious IP(s), this is guide for how to integrate LiteSpeed ADC's Anti-DDoS feature with server firewall (iptables or csf) | + | |
- | + | ||
- | + | ||
- | ==== LiteSpeed ADC configuration ==== | + | |
- | + | ||
- | Login to ADC webadmin console by https://SERVER_IP:7090 , go to ''Configuration'' --> ''Security'': | + | |
- | + | ||
- | set ''Enable Anti-DDoS Protection'' and ''Enable Firewall Modifications'' to ''Yes'' to enable Anti-DDoS protection. | + | |
- | + | ||
- | {{ :litespeed_wiki:lslb:adc-anti-ddos1.jpg |}} | + | |
- | + | ||
- | ==== Iptables configuration ==== | + | |
- | + | ||
- | For iptables , run below commands to set up list and rules. | + | |
- | + | ||
- | <code> | + | |
- | ipset create ls-anti-ddos hash:ip hashsize 4096 | + | |
- | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | + | |
- | iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | + | |
- | + | ||
- | + | ||
- | ==== ConfigServer Security & Firewall configuration ==== | + | |
- | + | ||
- | For csf, create file ''/etc/csf/csfpost.sh'' with content: | + | |
- | + | ||
- | <code>#!/bin/bash | + | |
- | ipset create ls-anti-ddos hash:ip hashsize 4096 | + | |
- | ipset create ls-quic-ports bitmap:port range 0-65535 -exist | + | |
- | iptables -I INPUT -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I FORWARD -m set --match-set ls-anti-ddos src -j DROP | + | |
- | iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</code> | + | |
- | + | ||
- | and then reload it by command ''csf -r'' | + | |
- | + | ||
- | ==== Verify Ipset ==== | + | |
- | + | ||
- | verify if the script works as intent by checking with ''ipset list'', now there should be 2 blocks **ls-anti-ddos** and **ls-quic-ports** | + | |
- | + | ||
- | <code>[root@test]# ipset list | + | |
- | ... | + | |
- | ... | + | |
- | Name: ls-anti-ddos | + | |
- | Type: hash:ip | + | |
- | Revision: 1 | + | |
- | Header: family inet hashsize 4096 maxelem 65536 | + | |
- | Size in memory: 65680 | + | |
- | References: 2 | + | |
- | Members: | + | |
- | + | ||
- | Name: ls-quic-ports | + | |
- | Type: bitmap:port | + | |
- | Revision: 1 | + | |
- | Header: range 0-65535 | + | |
- | Size in memory: 524432 | + | |
- | References: 1 | + | |
- | Members:</code> | + | |
- | + | ||
- | + | ||
- | ==== Test ==== | + | |
- | + | ||
- | There are several cases the LiteSpeed ADC will consider an incoming request is suspicious , for example failed [[litespeed_wiki:lslb:recaptcha|reCAPTCHA]] test or bad-formatted request. | + | |
- | + | ||
- | For demonstration purpose , we will use reCAPTCHA failed verification to trigger the block. | + | |
- | + | ||
- | So if visitor failed to verify many times in short time , it will trigger the firewall blocking , and there is also log like this | + | |
- | + | ||
- | <code>[root@test logs]# grep ipset error.log | + | |
- | 2019-12-04 20:27:15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</code> | + | |
- | + | ||
- | and if run ''ipset list'' again , you will see content like this: | + | |
- | + | ||
- | <code>Name: ls-anti-ddos | + | |
- | Type: hash:ip | + | |
- | Revision: 1 | + | |
- | Header: family inet hashsize 4096 maxelem 65536 | + | |
- | Size in memory: 65696 | + | |
- | References: 1 | + | |
- | Members: | + | |
- | 111.222.333.444</code> | + | |
- | + | ||
- | The IP will be removed from block in 10 minutes if it doesn't behave suspiciously anymore. | + | |
- | + | ||
- | you should see log as this | + | |
- | + | ||
- | <code>2019-12-04 20:37:20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </code> | + |
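Review bot: In the removed iptables and ''csfpost.sh'' blocks, every rule is inserted with ''-I'', so the last command, ''iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT'', ends up above the ''ls-anti-ddos'' DROP rule in INPUT; a UDP packet to a QUIC port from an address the ADC has added to ''ls-anti-ddos'' is accepted before the DROP rule is reached. If the block list is meant to take precedence, insert the ACCEPT rule first and the DROP rules after it, or append the ACCEPT with ''-A'' instead. Separately, ''ipset create ls-anti-ddos hash:ip hashsize 4096'' lacks the ''-exist'' flag that the ''ls-quic-ports'' create carries, so re-running ''csfpost.sh'' on ''csf -r'' reports that the set already exists; adding ''-exist'' makes the script idempotent. The prose at the top of the hunk says the ADC modifies the firewall via ''ifconfig'', while the rules and the ''[FIREWALL] execute command'' log lines below show ''ipset'' and ''iptables''; ''iptables'' appears to be meant. Since the page is replaced by a redirect to https://docs.litespeedtech.com/products/lsadc/security/, these points should be checked against the content at that location.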