ISPmanager Lite Documentation

Integration with DDoS-GUARD

About integration

This module integrates ISPmanager with DDoS-GUARD, a service that protects one or several domains against DDoS attacks.

Official website of DDoS-GUARD.

DDoS-GUARD integration page on ISPsystem's website 

Installation

To install this module, log in as root and go to Integration -> Modules.

Click on the button to start the installation. If the button doesn’t show up, refresh the web-page.

Usage

After the installation, the module will become available for the user. You can switch to the main page of the DDoS-GUARD module by clicking on:

  • the Setup button on the module order page;
  • menu Tools -> DDoS-GUARD;
  • the DDoS-GUARD button in WWW-domain (if the license has already been ordered).

How it looks

The main module page

The main page of DDoS-GUARD module has two sections:

  • Icon bar
  • List of domains and aliases added

The icon bar contains the following buttons:

  • "Add" to add a domain and/or alias for protection
  • "Edit" to change IP-addresses
  • "Delete" to turn off the domain/alias protection
  • "Access lists" to manage whitelists and blacklists
  • "Enable"
  • "Disable"
  • "Settings" button to set up the automatic solution and change firewall rules.

The list of domains added contains the following columns:

  • Name — The name of the domain or alias
  • Web domain — The name of the domain the alias belongs to
  • Owner — Web domain owner
  • Status — Current status
  • IP-address — Web domain IP-address
  • proxy-IP — Web domain IP-address in DDoS-GUARD

Description of status icons

Table with a description of status icons:

  • Protection enabled: Protection is on. If there is a domain name service, the domain's A-records are changed to the IP-addresses of the DDoS-GUARD service.
  • Protection disabled: Protection is off. If there is a domain name service, the domain's A-records are changed to the IPs specified on the web domain page.
  • No issues with the module: The module checks that the following are present and up to date:
    • Apache setting files for RPAF and Remote_IP modules
    • nginx setting file
    • domain name service
    • corresponding records in name servers
    • web domain
    • DDoS-GUARD license for specific web domain
  • Issues found: Shown if there are any issues with the items in the list above.
  • License received: The web domain has a license.
  • Domain deleted: Shown if there is a license for a web domain that has been deleted from the web domain list.
  • Waiting: Shown if the module is still waiting for the license to be activated or deleted.
  • License deleted: Shown if the license has been deleted from the billing system and there are settings for this domain.

Ordering DDoS-GUARD license for the domain

To get the license, go to the main page of the DDoS-GUARD module and click on "Add", or click on "DDoS-GUARD" on the web domain page (if the license hasn’t been ordered yet).
Ordering a domain takes three steps:

  • Checking the domain name and its IP-addresses

  • Checking aliases

  • Finishing: license ordering in the billing system.

Here, "domain aliases" means aliases that are not subdomains. For example:

  • test.ru — domain
  • www.test.ru, wiki.test.ru, forum.test.ru — aliases that are subdomains. They will be protected if their A-records coincide with the main domain.
  • alias.ru, www.alias.ru — aliases that are not subdomains. They will not be protected, and they will have to be added as separate services.

If this is the first order of DDoS protection, or 1 hour has passed since the last order in the billing system, you will be prompted to enter your account credentials to continue working in the billing system.

Please note.
Every domain or alias added needs to be paid for. Subdomains are included in the domain price if they lead to the same IP-address. If the web domain has aliases that are not connected to DDoS-GUARD, they will not be protected.

Change DDoS-GUARD license information

You can only change the IP-addresses. Click on "Edit" on the main page of the DDoS-GUARD module. Changing a domain takes three steps:

  • Checking domain and its IP-addresses. IP-addresses that have been changed at this stage are sent to DDoS-GUARD servers and applied for this web domain

  • Alias checking

  • Finishing: changing licenses in the billing system and for web domains.

Delete

In order to delete web domain protection in DDoS-GUARD, click on "Delete". Login credentials to the billing system might be requested at this stage. Furthermore, owing to particular aspects of the system, you need to click on the "Delete" button once again to delete protection.

Enable/disable DDoS-GUARD protection

When you enable or disable protection, the A-records of domain names are changed. This means that the feature only works if you have the domain name service.
To activate protection, click on "Enable".
To deactivate protection, click on "Disable".

Settings

You can get to the settings form by clicking on the button "Settings". This form contains the following parameters:

  • Use automatic protection
  • Use protection with IP-address

The following parameters will be applied automatically if you enable automatic protection:

  • Create settings for Nginx and Apache.
    • Create file ddosguard_remoteip.conf in Apache directory configured for activation files, e.g. /etc/apache2/conf.d, with the following content:
      <IfModule remoteip>
      RemoteIPHeader X-Real-IP
      RemoteIPInternalProxy 127.0.0.1 186.2.160.0/24
      </IfModule>
    • Create file ddosguard_rpaf.conf in Apache directory configured for activation files, e.g. /etc/apache2/conf.d, with the following content:
      <IfModule rpaf>
      RPAFenable On
      RPAFsethostname On
      RPAFprotected_ips 186.2.160.0/24
      RPAFheader X-Real-Ip
      </IfModule>
    • Create file ddosguard_remote.conf in nginx directory configured for activation files, e.g. /etc/nginx/vhosts-includes, with the following content:
      set_real_ip_from 186.2.160.0/24;
  • Automatic changing of A-records if name server is connected.

If IP-address protection is used, firewall rules will restrict all connections on ports 80 and 443, except those coming through the DDoS-GUARD service.
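The trust decision behind these settings, as an added Python example (not ISPmanager or DDoS-GUARD code): the X-Real-IP header is honoured only when the TCP peer is inside the ranges from the generated files above, and any other peer reaching ports 80/443 is a direct-to-origin connection of the kind the IP-address protection firewall rules restrict. The function names and the sample connections are constructed for illustration.

```python
import ipaddress

# Ranges copied from the generated files shown above; 127.0.0.1 appears only
# in the Apache mod_remoteip file.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("127.0.0.1/32", "186.2.160.0/24")]

def is_trusted_proxy(peer):
    """True if the TCP peer address is inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED_PROXIES)

def effective_client_ip(peer, x_real_ip=None):
    """Address to log and to apply access rules to (hypothetical helper)."""
    if x_real_ip and is_trusted_proxy(peer):
        try:
            return str(ipaddress.ip_address(x_real_ip.strip()))
        except ValueError:
            return peer  # malformed header: fall back to the TCP peer
    return peer  # a header sent by an untrusted peer is ignored

def audit(connections):
    """List connections that reached ports 80/443 without passing the proxy."""
    findings = []
    for peer, port, header in connections:
        if port in (80, 443) and not is_trusted_proxy(peer):
            note = "direct-to-origin"
            if header:
                note += ", X-Real-IP ignored"
            findings.append((peer, port, note))
    return findings

# Constructed sample: (TCP peer, destination port, X-Real-IP header or None)
SAMPLE = [
    ("186.2.160.17", 443, "203.0.113.50"),  # via the proxy range
    ("198.51.100.9", 80, "10.0.0.5"),       # direct, with a forged header
    ("198.51.100.9", 443, None),            # direct, no header
    ("127.0.0.1", 80, "203.0.113.77"),      # local front end to Apache
]

if __name__ == "__main__":
    for peer, port, header in SAMPLE:
        print(peer, port, "->", effective_client_ip(peer, header))
    for finding in audit(SAMPLE):
        print("FINDING", finding)
```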

Access lists

Blacklists and whitelists contain specific rules for DDoS-GUARD management and allow blocking or enabling access from certain IP-addresses or subnets.

Access list

Access list contains the following columns:

  • IP-addresses — IP-address or subnet
  • Date — Date and time of creation/changing of the address
  • Rule type — Block or enable
  • Reasons — Any text with not more than 255 symbols for the explanation. This field can be left empty.

Create a rule

Click on "Add" to add a new rule. You will be able to choose the type of the rule and add a comment to the rule. IP-addresses or subnets need to be separated with commas. The subnet mask must be at least 24. Examples of correct addresses or subnets:

  • 8.8.8.8
  • 8.8.8.8/32
  • 4.4.4.4/24
  • 10.0.0.1, 20.20.20.20/32, 3.30.30.30/24
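A validator for this field format, as an added Python example (not part of the module): it splits the comma-separated value, enforces the /24 minimum, and normalises each entry so the range a rule actually covers is visible before it is saved. The function name is hypothetical, and restricting input to IPv4 is an assumption based on the examples above.

```python
import ipaddress

MIN_PREFIX = 24  # "The subnet mask must be at least 24"

def parse_rule_addresses(text):
    """Split a comma-separated field into (accepted networks, rejected entries)."""
    accepted, rejected = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            rejected.append((entry, "empty entry"))
            continue
        try:
            # strict=False because the page lists 4.4.4.4/24, which has host
            # bits set, as a correct value.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IP address or subnet"))
            continue
        if net.version != 4:
            # Assumption: the page only shows IPv4, so IPv6 is not accepted.
            rejected.append((entry, "IPv6 is not covered by this example"))
            continue
        if net.prefixlen < MIN_PREFIX:
            rejected.append((entry, "mask shorter than /24"))
            continue
        accepted.append(str(net))
    return accepted, rejected

if __name__ == "__main__":
    # First value is the last example from the page; the second is constructed.
    for field in ("10.0.0.1, 20.20.20.20/32, 3.30.30.30/24",
                  "8.8.8.8, 10.0.0.0/16, 8.8.8.8/33, ,example.com"):
        ok, bad = parse_rule_addresses(field)
        print(field)
        print("  accepted:", ok)
        print("  rejected:", bad)
```

Normalising shows that an entry such as 3.30.30.30/24 applies to all of 3.30.30.0/24, not to the single address that was typed.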

Add/change rules

Change rule

Click on "Edit" to change the rule. You can change the type and the reason. The rule itself (IP/subnet) is not available for editing.

Delete rule

Click on "Delete" to delete the rule.

Possible issues

Click on the error icon in the web domain list or on the main page of DDoS-GUARD module in order to see the description of the problem. Errors are checked every 5 minutes. The action ddosguardcheck will launch cron. The action ddosguard.dig will be launched every 6 minutes through API – periodic in order to check A-records of the web domain on name servers.

Problem description page

Table with possible errors in DDoS-GUARD module. Each entry gives the error type, the error, and its description and possible solution:

  • License
    • Error: No license for the domain. The license is not updated or deleted via the billing system.
    • Description and possible solution: Delete the record, restore DNS settings, or order the license again.
  • Domain name
    • Error: No domain or alias on the server. If you click on "Resolve", the DDoS-GUARD license will be deleted.
    • Description and possible solution: Domain or alias is deleted, but the license is still active.
  • IP-address
    • Error: IP-addresses in the license and in the list of web domains do not match.
    • Description and possible solution: If you click on "Resolve", IP-addresses will synchronize with the billing system and DDoS-GUARD service. Changes will be applied within 1 hour.
  • DNS
    • Error: No DNS record for the domain. Please add the record.
    • Description and possible solution: There is no record with the value specified for the license in DNS records. Please add an A-record with the name of the WWW-domain specified in the license.
  • DNS
    • Error: IP-addresses in the license and in DNS records do not match.
    • Description and possible solution: A-records of domain names are changed automatically if you click on "Resolve" or if the parameter Use automatic protection is applied.
  • DNS
    • Error: IP-addresses in the license and on name servers do not match.
    • Description and possible solution: The dig utility is used to check whether such a record exists on the name servers. If this error hasn’t been resolved automatically within 1 hour, please change A-records on the name server.
  • DNS
    • Error: Domain not delegated.
    • Description and possible solution: Checking with dig utility; domain not delegated.
  • DNS
    • Error: No module for DNS record management. Add changes to DNS records.
    • Description and possible solution: You need to edit A-records on the name server manually, because domain names cannot be managed automatically.
  • Configuration
    • Error: Missing license file for Apache Remote_IP module.
    • Description and possible solution: No write permission for the Apache directory.
  • Configuration
    • Error: Missing license file for Apache RPAF module.
    • Description and possible solution: No write permission for the Apache directory.
  • Configuration
    • Error: Missing license file for nginx remote_ip module.
    • Description and possible solution: No write permission for the nginx directory.