OpenAPI Log Cat (hereinafter APIcat) is an open source tool that analyzes nginx/Aliyun logs against an OpenAPI definition document. It differs from conventional web log analysis tools, which work at the underlying network level or match common vulnerability signatures: thanks to the added OpenAPI definition document, log analysis can go down to the application logic level.
APIcat's report-protection-detection trilogy has now completed its second step.
Building on the original API log analysis report, APIcat added the protection level this week.
In the reporting logic, APIcat mainly reads log files in full. In the protection logic, it relies on reading logs in real time for analysis. Every access recorded in the logs is classified into one of the following levels:
Code | Name in program | Description |
---|---|---|
9999 | UnknownError | Unknown error (internal error; should not appear in normal operation) |
10000 | Legal | Legal access |
10001 | Illegal_StaticView | Static file not defined in the OpenAPI file |
10002 | Illegal_UnknownUrl | Non-static file not defined in the OpenAPI file (higher risk level than static files) |
10003 | Illegal_Method | The URL is defined in the OpenAPI file, but the access method is wrong |
10004 | Illegal_EmptyArgs | The URL and the access method are defined in the OpenAPI file, but no parameters were submitted |
10005 | Illegal_UnexpectedArgs | The URL and the method are defined in the OpenAPI file, but the submitted parameters fall outside the parameter range specified in the definition |
10006 | Illegal_DiffusedArgs | The URL and the method are defined in the OpenAPI file, but the submitted parameters are judged to be abusive |
Once it obtains logs in real time for analysis, APIcat can update the Nginx configuration automatically and block malicious visitors by configuring deny/allow rules.
APIcat's nginx filtering method automatically maintains a file containing the full list of denied IPs. To enable it, add the following configuration to the http section or server section of the nginx configuration:
include /etc/nginx/conf.d/iptables;
This path is that of the nginx output file configured by the watch subcommand. The example above is the default path; change it to suit your own setup.
Configure the Nginx restart command
After the configuration file is updated, by default APIcat calls nginx -s reload so that nginx re-initializes according to the new configuration.
In other cases, such as docker, the restart command can be set through the following parameters:
--nginx-workdir: specifies the working directory in which the restart command is executed
--nginx-cmd: specifies the restart command
For example, if nginx is run through docker-compose, set --nginx-workdir to the path of the docker-compose.yaml file and --nginx-cmd to a docker-compose exec command.
Minimum restart interval
Log detection and output happen in real time, but under normal circumstances configuration and reloading cannot be performed in real time on every error. It is therefore done at a fixed interval, 5 minutes by default.
This parameter can be changed with --nginx-interval.
Configure the level setting
Because nginx can only be configured to allow or deny, we need to configure the error level we care about: only accesses above this level lead to a targeted deny setting.
This is set through --nginx-level. The default is 10002, Illegal_UnknownUrl. See the level list above for the full set.
Configure the minimum error count
We can also set a minimum number of errors: only visitors who exceed this number are treated as malicious visitors and get deny rules added. The count is per visitor; for example, a visitor who requests two wrong addresses has a count of 2.
This is set through --nginx-count; the default is 2.
To learn more about using OpenAPI, visit the Baijiafan OpenAPI site.