Differences

litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 02:40]
qtwrk
litespeed_wiki:lslb:anti-ddos-firewall [2019/12/05 15:28] (current)
Lisa Clarke Copyediting
Line 1: Line 1:
-===== How to use ConfigServer Security Firewall ​or Iptables ​together with LiteSpeed ADC for Anti-DDoS. ​=====+=====ConfigServer Security ​Firewall ​and Iptables ​======
  
-LiteSpeed ADC Anti-DDoS feature can modify firewall via ''​ifconfig''​ and ''​ipset''​ to block suspicious ​IP(s), this is guide for how to integrate ​LiteSpeed ​ADC's Anti-DDoS feature with server firewall ​(iptables or csf)+LiteSpeed ADC'​s ​Anti-DDoS feature can be used to modify ​firewall via ''​ifconfig''​ and ''​ipset''​ to block suspicious ​IPs. This guide explains ​how to integrate ​the ADC's Anti-DDoS feature with either ConfigServer Security & Firewall ​(csf), or iptables.
  
  
-==== LiteSpeed ADC configuration ​====+===== LiteSpeed ADC Configuration =====
  
-Login to ADC webadmin console by https://​SERVER_IP:​7090 ​, go to ''​Configuration''​ --''​Security'':​+Log into the ADC WebAdmin Console at ''<​nowiki>​https://​SERVER_IP:​7090</​nowiki>​''​. navigate to **Configuration > Security**.
  
-set ''​Enable Anti-DDoS Protection'' ​and ''​Enable Firewall Modifications'' ​to ''​Yes''​ to enable Anti-DDoS protection.+Set **Enable Anti-DDoS Protection** and **Enable Firewall Modifications** to ''​Yes''​ to enable Anti-DDoS protection.
  
 {{ :​litespeed_wiki:​lslb:​adc-anti-ddos1.jpg |}} {{ :​litespeed_wiki:​lslb:​adc-anti-ddos1.jpg |}}
  
-==== Iptables configuration ​====+===== ConfigServer Security & Firewall Configuration =====
  
-For iptables ​run below commands to set up list and rules.+For csfcreate the file ''/​etc/​csf/​csfpost.sh'',​ and add the following content:
  
-<​code>​+<​code>​#!/bin/bash
 ipset create ls-anti-ddos hash:ip hashsize 4096 ipset create ls-anti-ddos hash:ip hashsize 4096
 ipset create ls-quic-ports bitmap:port range 0-65535 -exist ipset create ls-quic-ports bitmap:port range 0-65535 -exist
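Review bot: the csfpost.sh script (the ''#!/bin/bash'' block) creates ''ls-anti-ddos'' without ''-exist'' while ''ls-quic-ports'' gets ''-exist''; since ''csf -r'' re-runs csfpost.sh, the second run fails on ''ipset create ls-anti-ddos hash:ip hashsize 4096'' because the set already exists. Suggest ''ipset create ls-anti-ddos hash:ip hashsize 4096 -exist'' so the script is idempotent. Both the old and new intro also say the ADC modifies the firewall via ''ifconfig''; ifconfig configures interfaces, not firewall rules, and every command shown uses iptables and ipset, so this reads like a typo for ''iptables''. Minor: in the new text, "navigate to Configuration > Security" follows a full stop and should start with a capital letter.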
Line 23: Line 23:
 iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</​code>​ iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</​code>​
  
 +Reload with the command ''​csf -r''​.
  
-==== ConfigServer Security & Firewall configuration ​====+===== Iptables Configuration =====
  
-For csfcreate file ''/​etc/​csf/​csfpost.sh''​ with content:+For iptablesrun the following commands to set up the list and rules:
  
-<​code>​#!/bin/bash+<​code>​
 ipset create ls-anti-ddos hash:ip hashsize 4096 ipset create ls-anti-ddos hash:ip hashsize 4096
 ipset create ls-quic-ports bitmap:port range 0-65535 -exist ipset create ls-quic-ports bitmap:port range 0-65535 -exist
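Review bot: the iptables section lists the ''ipset create'' and ''iptables -I'' commands with no persistence step; run by hand they are lost at reboot, after which the ''ipset add ls-anti-ddos ...'' calls the ADC issues (shown in the log further down) have no set to add to. The page should mention saving them, e.g. with ''ipset save'' and ''iptables-save'' fed into the distribution's restore mechanism, or point to the csf variant which re-creates them on reload. Also "For iptablesrun the following commands" is missing the comma and space after "iptables".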
Line 35: Line 36:
 iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</​code>​ iptables -I INPUT -p udp -m set --match-set ls-quic-ports dst -j ACCEPT</​code>​
  
-and then reload it by command ''​csf -r''​+===== Verify Ipset =====
  
-==== Verify ​Ipset ==== +Verify the script works as intended ​by checking with the ''​ipset list'' ​command. You should ​see two blocks**ls-anti-ddos** and **ls-quic-ports**.
- +
-verify if the script works as intent ​by checking with ''​ipset list''​, now there should ​be 2 blocks **ls-anti-ddos** and **ls-quic-ports**+
  
 <​code>​[root@test]#​ ipset list <​code>​[root@test]#​ ipset list
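Review bot: the ''ipset list'' output ends with an empty ''Members:'' entry; it is worth saying explicitly that empty member lists are the expected state right after setup, before any block has fired, so readers do not read it as a failed configuration.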
Line 60: Line 59:
 Members:</​code>​ Members:</​code>​
  
 +===== Test =====
  
-==== Test ====+There are several cases where LiteSpeed ADC will consider an incoming request suspicious. For example, a failed [[litespeed_wiki:​lslb:​recaptcha|reCAPTCHA]] test, or a badly formatted request.
  
-There are several cases the LiteSpeed ADC will consider an incoming request is suspicious , for example failed [[litespeed_wiki:​lslb:​recaptcha|reCAPTCHA]] test or bad-formatted request. +For demonstration ​purposes, we will use reCAPTCHA failed verification to trigger the block. Soif visitor ​fails to verify ​repeatedly ​in short period of time, the firewall ​block will be triggered ​and log generated, ​like this one:
- +
-For demonstration ​purpose ​, we will use reCAPTCHA failed verification to trigger the block. +
- +
-So if visitor ​failed ​to verify ​many times in short time , it will trigger ​the firewall ​blocking , and there is also log like this +
  
 <​code>​[root@test logs]# grep ipset error.log <​code>​[root@test logs]# grep ipset error.log
 2019-12-04 20:​27:​15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</​code>​ 2019-12-04 20:​27:​15.594490 [NOTICE] [24606] [T0] [FIREWALL] execute command: 'ipset add ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0</​code>​
  
-and if run ''​ipset list''​ again , you will see content like this:+If you run ''​ipset list''​ again, you will see content like this:
  
 <​code>​Name:​ ls-anti-ddos <​code>​Name:​ ls-anti-ddos
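Review bot: the sample address ''111.222.333.444'' in the ''ipset add'' log line is not a valid IPv4 address, since two octets exceed 255, so ipset would reject it; if it is meant as a placeholder, say so, or use an address from the RFC 5737 documentation ranges (e.g. 203.0.113.10) so the example is something ipset would actually accept. The log line also reports ''ret: -1, status: 0'' with no explanation; a sentence on what those two fields mean would let readers judge whether the command succeeded.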
Line 83: Line 79:
 111.222.333.444</​code>​ 111.222.333.444</​code>​
  
-The IP will be removed ​from block in 10 minutes if it doesn'​t behave suspiciously anymore. +The block on the IP will be removed in 10 minutesif the suspicious behavior stopsAt that point, ​you should see this in the log:
- +
-you should see log as this +
  
 <​code>​2019-12-04 20:​37:​20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </​code>​ <​code>​2019-12-04 20:​37:​20.304327 [NOTICE] [24823] [T0] [FIREWALL] execute command: 'ipset del ls-anti-ddos 111.222.333.444 ', ret: -1, status: 0 </​code>​
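Review bot: "The block on the IP will be removed in 10 minutes" should say where that interval comes from; neither ''ipset create'' line uses a ''timeout'' option, and the log shows the ADC itself issuing ''ipset del ls-anti-ddos ...'', so the expiry is driven by the ADC rather than by ipset, and readers will want to know whether it is configurable. Also "in 10 minutesif the suspicious behavior stopsAt that point" needs its comma and full stop restored.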
  • Last modified: 2019/12/05 15:28
  • by Lisa Clarke