Integration with DDoS-GUARD
About integration
This module integrates ISPmanager with DDoS-GUARD, the service that allows protecting one or a few domains against DDoS attacks.
Official website of DDoS-GUARD.
DDoS-GUARD integration page on ISPmanager website
Installation
In order to install this module, please go to Integration -> Modules under root.
Click on the button to start the installation. If the button doesn’t show up, refresh the web-page.
Usage
After the installation, the module will become available for the user. You can switch to the main page of the DDoS-GUARD module by clicking on:
- the Setup button on the module order page;
- menu Tools -> DDoS-GUARD;
- the DDoS-GUARD button in WWW-domain (if the license has already been ordered).
How it looks
The main module page
The main page of DDoS-GUARD module has two sections:
- Icon bar
- List of domains and aliases added
The icon bar contains the following buttons:
- "Add" to add a domain and/or alias for protection
- "Edit" to change IP-addresses
- "Delete" to turn off the domain/alias protection
- "Access lists" to manage whitelists and blacklists
- "Enable"
- "Disable"
- "Settings" button to set up the automatic solution and change firewall rules.
The list of domains added contains the following columns:
- Name — The name of the domain or alias
- Web domain — The name of the domain the alias belongs to
- Owner — Web domain owner
- Status — Current status
- IP-address — Web domain IP-address
- proxy-IP — Web domain IP-address in DDoS-GUARD
Description of status icons
Table with a description of status icons
Status | Description |
---|---|
Protection enabled | Protection is on. If there is a domain name service, then domain A-records would be changed according to DDoS-GUARD IP-service. |
Protection disabled | Protection is off. If there is a domain name service, then domain A-records would be changed to IPs specified on the web domain page. |
No issues with the module | It checks the presence and actuality of: |
Issues found | It is shown if there are any issues from the list above. |
License received | Web domain has a license. |
Domain deleted | It is shown if there is a license for the web domain that has been deleted from the web domain list. |
Waiting | This icon is shown if the module still awaits the license activation or deletion. |
License deleted | It is shown if the license has been deleted from the billing system and there are settings for this domain. |
Ordering DDoS-GUARD license for the domain
In order to get the license, go to the main page of DDoS-GUARD module and click on "Add" or click on "DDoS-GUARD" on the web domain page (if the license hasn’t been ordered yet).
Domain ordering goes in three steps:
- Checking the domain name and its IP-addresses
- Checking aliases
- Finishing: license ordering in the billing system.
Domain aliases here are not subdomains. For example:
- test.ru — domain
- www.test.ru, wiki.test.ru, forum.test.ru — aliases that are subdomains. They will be protected if their A-records coincide with the main domain.
- alias.ru, www.alias.ru — aliases that are not subdomains. They will not be protected, and they will have to be added as separate services.
If this is the first order of DDoS protection, or 1 hour has passed since the last order in the billing system, you will be prompted to enter your account credentials to continue working in the billing system.
Please note.
Every domain or alias added must be paid for. Subdomains are included in the domain price if they lead to the same IP-address. If there are aliases for the web domain which are not connected to DDoS-GUARD, they will not be protected.
Change DDoS-GUARD license information
You can only change the IP-addresses. Please click on "Edit" on the main page of DDoS-GUARD module. Domain changing goes in three steps:
- Checking domain and its IP-addresses. IP-addresses that have been changed at this stage are sent to DDoS-GUARD servers and applied for this web domain
- Alias checking
- Finishing: changing licenses in the billing system and for web domains.
Delete
In order to delete web domain protection in DDoS-GUARD, click on "Delete". Login credentials to the billing system might be requested at this stage. Furthermore, owing to particular aspects of the system, you need to click on the "Delete" button once again to delete protection.
Enable/disable DDoS-GUARD protection
When you enable or disable protection, A-records of domain names are changed. It means that this feature will only work if you have the domain name service.
To activate protection, click on "Enable"
To deactivate protection, click on "Disable"
Settings
You can get to the settings form by clicking on the "Settings" button. This form contains the following parameters:
- Use automatic protection
- Use protection with IP-address
Settings
The following parameters will be applied automatically if you enable automatic protection:
- Create settings for Nginx and Apache:
  - Create file ddosguard_remoteip.conf in Apache directory configured for activation files, e.g. /etc/apache2/conf.d, with the following content:
        RemoteIPHeader X-Real-IP
        RemoteIPInternalProxy 127.0.0.1 186.2.160.0/24
  - Create file ddosguard_rpaf.conf in Apache directory configured for activation files, e.g. /etc/apache2/conf.d, with the following content:
        RPAFenable On
        RPAFsethostname On
        RPAFprotected_ips 186.2.160.0/24
        RPAFheader X-Real-Ip
  - Create file ddosguard_remote.conf in nginx directory configured for activation files, e.g. /etc/nginx/vhosts-includes, with the following content:
        set_real_ip_from 186.2.160.0/24;
- Automatic changing of A-records if name server is connected.
If IP-address protection is used, firewall rules will restrict any connections over ports 80 and 443, except for connections over DDoS-GUARD service.
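The settings above make the web server take the visitor address from X-Real-IP only when the connection comes from 127.0.0.1 or 186.2.160.0/24. The following added example (not ISPmanager or DDoS-GUARD code) mirrors that trust decision and lists requests on ports 80 and 443 that reached the server from outside the proxy range; the function names and the sample records are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Trusted proxies, taken from the configuration content shown on this page.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("186.2.160.0/24"),
]


def is_trusted_proxy(peer: str) -> bool:
    """True if the TCP peer address belongs to a trusted proxy range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer: str, x_real_ip: Optional[str]) -> str:
    """Address to log or authorise against.

    X-Real-IP is honoured only when the peer is a trusted proxy; from any
    other peer the header is client-supplied and the peer address is used.
    """
    if x_real_ip and is_trusted_proxy(peer):
        try:
            return str(ipaddress.ip_address(x_real_ip.strip()))
        except ValueError:
            return peer  # malformed header: fall back to the peer
    return peer


def direct_hits(requests):
    """Requests on 80/443 whose peer is outside the proxy range, i.e.
    connections the IP-address protection firewall rules should restrict."""
    return [r for r in requests
            if r["port"] in (80, 443) and not is_trusted_proxy(r["peer"])]


# Constructed sample records (not real traffic).
SAMPLE = [
    {"peer": "186.2.160.17", "port": 443, "x_real_ip": "198.51.100.7"},
    {"peer": "203.0.113.50", "port": 80, "x_real_ip": "10.0.0.1"},
    {"peer": "127.0.0.1", "port": 80, "x_real_ip": "192.0.2.9"},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["peer"], "->", effective_client_ip(r["peer"], r["x_real_ip"]))
    print("outside proxy range:", [r["peer"] for r in direct_hits(SAMPLE)])
```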
Access lists
Blacklists and whitelists contain specific rules for DDoS-GUARD management and allow blocking or enabling access from certain IP-addresses or subnets.
Access list contains the following columns:
- IP-addresses — IP-address or subnet
- Date — Date and time of creation/changing of the address
- Rule type — Block or enable
- Reasons — Any text with not more than 255 symbols for the explanation. This field can be left empty.
Create a rule
Click on "Add" to add a new rule. You will be able to choose the type of the rule and add a comment to the rule. IP-addresses or subnets need to be separated with commas. The subnet mask must not be less than 24. Examples of correct addresses or subnets:
- 8.8.8.8
- 8.8.8.8/32
- 4.4.4.4/24
- 10.0.0.1, 20.20.20.20/32, 3.30.30.30/24
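The rule format described above can be checked before a list is submitted. This is an added example, not the module's own validation code: it assumes IPv4 only (the page shows no IPv6 entries), accepts set host bits because the page lists 4.4.4.4/24 as correct, and adds an overlap check between allow and block entries that the page does not describe.

```python
import ipaddress

MIN_PREFIX = 24    # the subnet mask must not be less than 24
MAX_REASON = 255   # limit for the "Reasons" field


def parse_rule(addresses: str, reason: str = ""):
    """Validate a comma-separated rule string; return IPv4Network objects.

    Raises ValueError naming the first offending entry.
    """
    if len(reason) > MAX_REASON:
        raise ValueError("reason is longer than 255 symbols")
    networks = []
    for raw in addresses.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in address list")
        try:
            # strict=False: host bits may be set, as in 4.4.4.4/24;
            # the entry is normalised to its network (4.4.4.0/24).
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError as exc:
            raise ValueError(f"{entry!r}: not an IPv4 address or subnet") from exc
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(
                f"{entry!r}: mask /{net.prefixlen} is less than /{MIN_PREFIX}")
        networks.append(net)
    return networks


def conflicts(allow, block):
    """Pairs (allow_net, block_net) that overlap and need manual review."""
    return [(a, b) for a in allow for b in block if a.overlaps(b)]


if __name__ == "__main__":
    # The examples of correct input from this page.
    for text in ("8.8.8.8", "8.8.8.8/32", "4.4.4.4/24",
                 "10.0.0.1, 20.20.20.20/32, 3.30.30.30/24"):
        print(text, "->", [str(n) for n in parse_rule(text)])
    # A bare address is treated as /32; an overlap is reported for review.
    print(conflicts(parse_rule("4.4.4.4/24"), parse_rule("4.4.4.200")))
```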
Add/change rules
Change rule
Click on "Edit" to change the rule. You can change the type and the reason. The rule itself (IP/subnet) is not available for editing.
Delete rule
Click on "Delete" to delete the rule.
Possible issues
Click on the error icon in the web domain list or on the main page of DDoS-GUARD module in order to see the description of the problem. Errors are checked every 5 minutes. The action ddosguardcheck will launch cron. The action ddosguard.dig will be launched every 6 minutes through API – periodic in order to check A-records of the web domain on name servers.
Problem description page
Table with possible errors in DDoS-GUARD module
Error type | Error | Description and possible solution |
---|---|---|
License | No license for the domain. The license is not updated or deleted via the billing system. | Delete the record, restore DNS settings, or order the license again. |
Domain name | No domain or alias on the server. If you click on “Resolve”, the DDoS-GUARD license will be deleted. | Domain or alias is deleted, but the license is still active. |
IP-address | IP-addresses in the license and in the list of web domains do not match. | If you click on "Resolve" IP-addresses will synchronize with the billing system and DDoS-GUARD service. Changes will be applied within 1 hour. |
DNS | No DNS record for the domain. Please add the record. | There is no record with the value specified for the license in DNS records. Please add A-record with the name of the WWW-domain specified in the license. |
DNS | IP-addresses in the license and in DNS records do not match. | It changes A-records of domain names automatically if you click on "Resolve" or if the parameter Use automatic protection is applied. |
DNS | IP-addresses in the license and on name servers do not match. | Checking with dig utility to see whether such record exists on the name servers. If this error hasn’t been resolved automatically within 1 hour, please change A-records on the name server. |
DNS | Domain not delegated. | Checking with dig utility; domain not delegated. |
DNS | No module for DNS record management. Add changes to DNS records. | You need to edit A-records on the name server manually, for there is no possibility to manage domain names automatically. |
Configuration | Missing license file for Apache Remote_IP module. | No rights to record in Apache directory. |
Configuration | Missing license file for Apache RPAF module. | No rights to record in Apache directory. |
Configuration | Missing license file for nginx remote_ip module. | No rights to record in nginx directory. |