Integration with DDoS-GUARD

From ISPWiki

About integration

This module integrates ISPmanager with DDoS-GUARD, a service that protects one or more domains against DDoS attacks by passing their HTTP/HTTPS traffic through the DDoS-GUARD proxy network.

Official website of DDoS-GUARD.

DDoS-GUARD integration page on ISPsystem's website.

Installation

To install this module, log in as root and go to Integration -> Modules.

Click the install button to start the installation. If the button does not appear, refresh the page.

Usage

After installation the module becomes available to the user. You can open the main page of the DDoS-GUARD module by clicking:

  • the Setup button on the module order page;
  • the menu item Tools -> DDoS-GUARD;
  • the DDoS-GUARD button on the WWW-domain page (if a license has already been ordered).


How it looks

The main module page

The main page of DDoS-GUARD module has two sections:

  • Icon bar
  • List of domains and aliases added


The icon bar contains the following buttons:

  • "Add": add a domain and/or alias for protection
  • "Edit": change the IP addresses
  • "Delete": remove protection from the domain/alias
  • "Access lists": manage whitelists and blacklists
  • "Enable": turn protection on
  • "Disable": turn protection off
  • "Settings": configure automatic protection and the firewall rules


The list of added domains contains the following columns:

  • Name - The name of the domain or alias
  • Web domain - The name of the domain the alias belongs to
  • Owner - Owner of the web domain
  • Status - Current status (see the status icons below)
  • IP-address - IP address of the web domain (the origin server)
  • proxy-IP - DDoS-GUARD address assigned to the web domain; the domain's A records point here while protection is enabled


Description of status icons

Status icons and their meaning:

  • Protection enabled: Protection is on. If DNS for the domain is managed by this server, the domain's A records are switched to the DDoS-GUARD proxy IP.
  • Protection disabled: Protection is off. If DNS for the domain is managed by this server, the A records are switched back to the IP addresses set on the web domain page.
  • No issues with the module: The module has verified that the following are present and up to date:
    • Apache configuration files for the RPAF and Remote_IP modules
    • nginx configuration file
    • domain name service (DNS zone on this server)
    • matching records on the name servers
    • the web domain
    • the DDoS-GUARD license for this web domain
  • Issues found: Shown if any of the checks above fails.
  • License received: The web domain has a license.
  • Domain deleted: Shown when a license exists for a web domain that has been removed from the web domain list.
  • Waiting: The module is still waiting for the license to be activated or deleted.
  • License deleted: The license has been removed in the billing system, but settings for this domain still exist.

Ordering DDoS-GUARD license for domain

To order a license, open the main page of the DDoS-GUARD module and click "Add", or click "DDoS-GUARD" on the web domain page (if no license has been ordered yet).
Ordering proceeds in three steps:

  • Step 1: the domain name and its IP addresses are checked
  • Step 2: aliases are checked
  • Step 3: finish: the license is ordered in the billing system

Domain aliases here are not the same thing as subdomains. For example:

  • test.ru: the domain
  • www.test.ru, wiki.test.ru, forum.test.ru: aliases that are subdomains of test.ru. They are protected under the domain's license if their A records match those of the main domain.
  • alias.ru, www.alias.ru: aliases that are not subdomains. They are not protected under this license and must be added as separate services.

If this is the first DDoS protection order, or more than 1 hour has passed since the last order in the billing system, you will be asked to enter your billing system account credentials to continue.

Please note.
Every domain or alias added must be paid for. Subdomains are included in the domain's price if they resolve to the same IP address. Aliases of the web domain that are not connected to DDoS-GUARD are not protected.

Change DDoS-GUARD license information

Only the IP addresses can be changed. Click "Edit" on the main page of the DDoS-GUARD module. Changing a domain proceeds in three steps:

  • Step 1: the domain and its IP addresses are checked. IP addresses changed at this step are sent to the DDoS-GUARD servers and applied to this web domain
  • Step 2: aliases are checked
  • Step 3: finish: the license is updated in the billing system and for the web domains

Delete

To remove DDoS-GUARD protection from a web domain, click "Delete". You may be asked for your billing system login credentials at this point. Because of how the system works, you then need to click "Delete" a second time for the protection to actually be removed.

Enable/disable DDoS-GUARD protection

Enabling or disabling protection changes the A records of the domain names, so this feature only works if DNS for the domain is managed by this server.
To activate protection, click "Enable".
To deactivate protection, click "Disable".

Settings

Open the settings form by clicking "Settings". The form contains the following parameters:

  • Use automatic protection
  • Use protection with IP address

When automatic protection is enabled, the following is applied automatically:

  • Configuration for nginx and Apache is created.
    • File ddosguard_remoteip.conf in the Apache directory for include files (e.g. /etc/apache2/conf.d), with the following content:
      <IfModule remoteip>
          RemoteIPHeader X-Real-IP
          RemoteIPInternalProxy 127.0.0.1 186.2.160.0/24
      </IfModule>
    • File ddosguard_rpaf.conf in the Apache directory for include files (e.g. /etc/apache2/conf.d), with the following content:
      <IfModule rpaf>
          RPAFenable On
          RPAFsethostname On
          RPAFprotected_ips 186.2.160.0/24
          RPAFheader X-Real-Ip
      </IfModule>
    • File ddosguard_remote.conf in the nginx directory for include files (e.g. /etc/nginx/vhosts-includes), with the following content:
      set_real_ip_from 186.2.160.0/24;
  • A records are changed automatically if a name server is connected.

These directives make Apache and nginx take the client address from the X-Real-IP header only when the connection itself comes from a listed proxy (127.0.0.1 for the local nginx in front of Apache, 186.2.160.0/24 for DDoS-GUARD); the nginx file relies on the default real_ip_header, which is X-Real-IP. A header sent from any other source address is ignored, so it cannot be used to forge client addresses in logs, access lists or rate limits.

If IP address protection is used, firewall rules block all connections to ports 80 and 443 except those coming from the DDoS-GUARD network. This is what prevents an attacker from bypassing the proxy by connecting to the origin IP directly.
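As an added example (not code from the ISPmanager module or this page), the following Python reproduces the two trust decisions that the three configuration files and the firewall rule above make: the X-Real-IP header is honoured only when the TCP peer is 127.0.0.1 or inside 186.2.160.0/24, and ports 80/443 accept only peers from that network. The sample connections are constructed, and the client addresses use documentation ranges.

```python
import ipaddress

# Trusted proxy sources, copied from the configuration files above:
# 127.0.0.1 is the local nginx in front of Apache, 186.2.160.0/24 is the
# DDoS-GUARD network the module configures.
TRUSTED_PROXIES = tuple(
    ipaddress.ip_network(n) for n in ("127.0.0.1/32", "186.2.160.0/24")
)
PROTECTED_PORTS = (80, 443)


def is_trusted_proxy(src_ip, trusted=TRUSTED_PROXIES):
    """True when the TCP peer address belongs to a trusted proxy network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted)


def effective_client_ip(src_ip, x_real_ip=None, trusted=TRUSTED_PROXIES):
    """Client address the web server ends up acting on.

    Mirrors RemoteIPInternalProxy / the RPAF proxy list / set_real_ip_from:
    the X-Real-IP value replaces the peer address only when the peer itself
    is a listed proxy.  A header arriving from any other source (a client
    that reached the origin directly) is ignored, so it cannot spoof an
    address into logs, access lists or rate limits.
    """
    if x_real_ip is None or not is_trusted_proxy(src_ip, trusted):
        return src_ip
    try:
        return str(ipaddress.ip_address(x_real_ip.strip()))
    except ValueError:
        # Malformed header value from a trusted proxy: keep the peer address
        # rather than acting on garbage.
        return src_ip


def firewall_allows(src_ip, dport, trusted=TRUSTED_PROXIES):
    """Decision of the 'Use protection with IP address' rule set: ports 80
    and 443 accept connections only from the trusted (DDoS-GUARD) network,
    so the proxy cannot be bypassed by connecting to the origin directly.
    Other ports are not touched by this rule set."""
    if dport not in PROTECTED_PORTS:
        return True
    return is_trusted_proxy(src_ip, trusted)


def trace(src_ip, dport, x_real_ip=None):
    """Combine both decisions for one connection."""
    if not firewall_allows(src_ip, dport):
        return {"peer": src_ip, "port": dport, "result": "dropped by firewall"}
    return {"peer": src_ip, "port": dport, "result": "accepted",
            "client_ip": effective_client_ip(src_ip, x_real_ip)}


if __name__ == "__main__":
    # Constructed sample connections (documentation ranges for the clients).
    samples = [
        ("186.2.160.10", 443, "203.0.113.5"),  # via DDoS-GUARD: header honoured
        ("198.51.100.7", 443, "203.0.113.5"),  # direct hit with a spoofed header
        ("198.51.100.7", 22, None),            # SSH is outside the rule set
    ]
    for src, port, hdr in samples:
        print(trace(src, port, hdr))
```

The second sample is the case the "Use protection with IP address" option exists for: without the firewall rule the request would be accepted (with the spoofed header ignored, so it is logged under the attacker's real address), but the attacker would still be hitting the origin directly and the DDoS filtering would be bypassed.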

Access lists

Blacklists and whitelists are DDoS-GUARD rules that block or allow access from specific IP addresses or subnets.

The access list contains the following columns:

  • IP-addresses - IP address or subnet
  • Date - Date and time the entry was created or last changed
  • Rule type - Block or allow
  • Reasons - Free text of up to 255 characters explaining the rule. This field may be left empty.

Create rule

Click "Add" to add a new rule. You choose the rule type and may add a comment. Several IP addresses or subnets are separated with commas. The prefix length must be /24 or longer (that is, /24 through /32). Examples of valid addresses and subnets:

  • 8.8.8.8
  • 8.8.8.8/32
  • 4.4.4.4/24
  • 10.0.0.1, 20.20.20.20/32, 3.30.30.30/24

Change rule

Click "Edit" to change a rule. Only the type and the reason can be changed; the address or subnet itself cannot be edited.

Delete rule

Click "Delete" to delete a rule.

Possible issues

Click the error icon in the web domain list or on the main page of the DDoS-GUARD module to see a description of the problem. Checks run every 5 minutes: cron launches the ddosguardcheck action, and the ddosguard.dig action runs every 6 minutes via the periodic API to verify the web domain's A records on the name servers.

Errors reported by the module, with their description and possible solution:

  • License: "No license for the domain". The license was not updated, or was deleted, in the billing system. Delete the record, restore the DNS settings, or order the license again.
  • Domain name: "No domain or alias on the server". The domain or alias has been deleted, but the license is still active. Clicking "Resolve" deletes the DDoS-GUARD license.
  • IP-address: "IP addresses in the license and in the list of web domains do not match". Clicking "Resolve" synchronises the IP addresses with the billing system and the DDoS-GUARD service. The change is applied within 1 hour.
  • DNS: "No DNS record for the domain. Please add the record". No DNS record carries the value specified in the license. Add an A record with the name of the WWW-domain specified in the license.
  • DNS: "IP addresses in the license and in DNS records do not match". The A records are changed automatically when you click "Resolve" or when the parameter Use automatic protection is enabled.
  • DNS: "IP addresses in the license and on name servers do not match". The module checks with the dig utility whether the record exists on the name servers. If the error has not been resolved automatically within 1 hour, change the A records on the name server.
  • DNS: "Domain not delegated". The dig check shows that the domain is not delegated.
  • DNS: "No module for DNS record management. Add changes to DNS records". Edit the A records on the name server manually, since domain names cannot be managed automatically on this server.
  • Configuration: "Missing license file for Apache Remote_IP module" (the ddosguard_remoteip.conf file described under Settings). The module has no write permission in the Apache configuration directory.
  • Configuration: "Missing license file for Apache RPAF module" (the ddosguard_rpaf.conf file). The module has no write permission in the Apache configuration directory.
  • Configuration: "Missing license file for nginx remote_ip module" (the ddosguard_remote.conf file). The module has no write permission in the nginx configuration directory.
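As an added example (not the module's code), the following Python reproduces two pieces of logic this page describes in prose: the alias rule from the ordering section (a subdomain alias is covered by the domain's license only when its A records match the main domain's; any other alias needs a separate service) and the DNS and license checks behind the error table above. The expected A record value is the DDoS-GUARD proxy IP while protection is enabled and the origin IP while it is disabled, as the status icons describe. The license, zone and dig data are constructed inline; the proxy address is drawn from the 186.2.160.0/24 range the page configures and the origin addresses are documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class License:
    domain: str
    origin_ips: frozenset   # web domain IPs registered in the license
    proxy_ips: frozenset    # DDoS-GUARD proxy IPs assigned to the domain
    enabled: bool = True    # protection on: A records must point at proxy_ips


def is_subdomain(name, domain):
    """True for www.test.ru under test.ru; False for nottest.ru, which merely
    shares a suffix and must not be treated as a subdomain."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name.endswith("." + domain)


def alias_coverage(domain, aliases, a_records):
    """Classify aliases the way the ordering wizard's rule does.
    a_records maps each name to the set of its A records."""
    main = a_records.get(domain) or frozenset()
    result = {}
    for alias in aliases:
        if not is_subdomain(alias, domain):
            result[alias] = "separate service required"
        elif main and a_records.get(alias) == main:
            result[alias] = "covered"
        else:
            result[alias] = "not covered: A records differ from the main domain"
    return result


def expected_records(lic):
    """Value the A records should hold for the license's current state."""
    return lic.proxy_ips if lic.enabled else lic.origin_ips


def dns_issues(lic, web_domains, zone, ns_answers):
    """Reproduce the checks behind the error table.

    web_domains: name -> set of origin IPs configured for the web domain
    zone:        name -> set of A records in the local DNS service, or None
                 when no DNS management module is available
    ns_answers:  name -> set of A records dig returned from the name servers,
                 or None when the domain is not delegated
    Returns (error type, message) pairs using the table's wording.
    """
    if lic is None:
        return [("License", "No license for the domain")]
    issues = []
    name, want = lic.domain, expected_records(lic)

    if name not in web_domains:
        issues.append(("Domain name", "No domain or alias on the server"))
    elif web_domains[name] != lic.origin_ips:
        issues.append(("IP-address",
                       "IP addresses in the license and in the list of web domains do not match"))

    if zone is None:
        issues.append(("DNS", "No module for DNS record management"))
    elif not zone.get(name):
        issues.append(("DNS", "No DNS record for the domain"))
    elif zone[name] != want:
        issues.append(("DNS", "IP addresses in the license and in DNS records do not match"))

    answer = ns_answers.get(name)
    if answer is None:
        issues.append(("DNS", "Domain not delegated"))
    elif answer != want:
        issues.append(("DNS", "IP addresses in the license and on name servers do not match"))
    return issues


# Constructed sample data for a run of the checks.
SAMPLE_LICENSE = License("test.ru", frozenset({"203.0.113.10"}),
                         frozenset({"186.2.160.10"}), enabled=True)
SAMPLE_RECORDS = {
    "test.ru": {"203.0.113.10"},
    "www.test.ru": {"203.0.113.10"},    # same origin: covered by the license
    "forum.test.ru": {"203.0.113.20"},  # different origin: not covered
    "alias.ru": {"203.0.113.10"},       # not a subdomain: separate service
}

if __name__ == "__main__":
    print(alias_coverage("test.ru", ["www.test.ru", "forum.test.ru", "alias.ru"],
                         SAMPLE_RECORDS))
    # Local zone already switched to the proxy, name servers still stale.
    print(dns_issues(SAMPLE_LICENSE, {"test.ru": {"203.0.113.10"}},
                     {"test.ru": {"186.2.160.10"}},
                     {"test.ru": {"203.0.113.10"}}))
```

The stale-name-server case in the demo is the one the table says clears itself within an hour; a practitioner running this against real dig output would treat a persistent mismatch as the cue to fix the A records on the name server by hand.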