OpenAPI Log Cat (hereinafter APIcat) is an open source tool for analyzing nginx/Aliyun logs against an OpenAPI definition document. It differs from existing web log analysis tools, whose matching and scanning logic stays at the level of the underlying server or common vulnerabilities: with the OpenAPI definition document added, log analysis can go down to the application-logic level.

This release completes the second step of APIcat's report-protection-detection trilogy.

Building on the original API log analysis report, APIcat added the protection level this week.

In the report logic, APIcat mainly reads log files in full; in the protection logic, it mainly reads logs in real time for analysis. Every access behaviour recorded in the logs is subdivided into the following levels:

| Number | Level name | Description |
| --- | --- | --- |
| 9999 | UnknownError | Unknown error (internal error; not seen in normal operation) |
| 10000 | Legal | Legal access |
| 10001 | Illegal_StaticView | Static file not defined in the OpenAPI file |
| 10002 | Illegal_UnknownUrl | Non-static file not defined in the OpenAPI file (a higher risk level than static files) |
| 10003 | Illegal_Method | The URL is defined in the OpenAPI file, but the access method is wrong |
| 10004 | Illegal_EmptyArgs | The URL and the corresponding method are defined in the OpenAPI file, but no parameters were submitted |
| 10005 | Illegal_UnexpectedArgs | The URL and the corresponding method are defined in the OpenAPI file, but the submitted parameters do not fall within the range specified in the definition |
| 10006 | Illegal_DiffusedArgs | The URL and the corresponding method are defined in the OpenAPI file, but the submitted parameters are judged to be abusive |

Once APIcat obtains logs in real time for analysis, it automatically updates the Nginx configuration and intercepts malicious visitors by configuring deny/allow rules.

APIcat's nginx filtering method automatically maintains a file containing the full IP deny list. To enable it, add the following to the http section or server section of the nginx configuration:

include       /etc/nginx/conf.d/iptables;

This path is the nginx output file written by the watch subcommand. The example above is the default path; it can be changed to suit your setup.

Configuring the Nginx restart command

After the configuration file is updated, APIcat calls nginx -s reload by default to make nginx re-initialize from the configuration.

In other cases, such as docker, the restart command can be set with the following parameters:

--nginx-workdir   specifies the working directory in which the restart command is executed
--nginx-cmd       specifies the restart command

For example, if nginx is run through docker-compose:

set --nginx-workdir to the path of the docker-compose.yaml file, and set --nginx-cmd to "docker-compose exec <service> nginx -s reload", where <service> is replaced with your nginx service name. Because this command is a compound command, enclose the parameter value in quotation marks.

Minimum reload interval

Log detection and output happen in real time, but under normal circumstances the configuration cannot be rewritten and reloaded in real time on every error. It is therefore designed to run at a fixed interval, 5 minutes by default.

This interval can be changed with --nginx-interval.

Configuring the blocking level

Because nginx can only be configured to allow or deny, an error level of our choosing has to be configured: only when an access is higher than this level is a deny setting applied in a targeted manner.

This is set with --nginx-level. The default is 10002, which is Illegal_UnknownUrl. See the level list above for the full set.

Configuring the minimum error count

A minimum number of errors can also be set: only visitors exceeding this number are treated as malicious and given deny rules. The count is kept per user; for example, if a user visits two wrong addresses, the count is 2.

This is set with --nginx-count; the default is 2.
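The following is an added illustration of the level scheme and the deny-list rule described above; it is not APIcat's own code. It classifies constructed access records against a tiny stand-in for an OpenAPI definition, then applies --nginx-level / --nginx-count style thresholds per IP and renders the include file. The API definition, sample records and the "at or above the level" reading of the threshold are assumptions.

```python
from collections import defaultdict

LEVELS = {"Legal": 10000, "Illegal_StaticView": 10001, "Illegal_UnknownUrl": 10002,
          "Illegal_Method": 10003, "Illegal_EmptyArgs": 10004,
          "Illegal_UnexpectedArgs": 10005}
STATIC_EXT = (".css", ".js", ".png", ".ico")

# Constructed stand-in for an OpenAPI document: path -> method -> param validators.
API = {"/api/user": {"GET": {"id": lambda v: v.isdigit()},
                     "POST": {"name": lambda v: 0 < len(v) <= 32}}}

def classify(method, path, args):
    """Return the level number for one request (args: dict of query params)."""
    if path not in API:
        static = path.endswith(STATIC_EXT)
        return LEVELS["Illegal_StaticView" if static else "Illegal_UnknownUrl"]
    if method not in API[path]:
        return LEVELS["Illegal_Method"]
    spec = API[path][method]
    if spec and not args:
        return LEVELS["Illegal_EmptyArgs"]
    for k, v in args.items():
        if k not in spec or not spec[k](v):
            return LEVELS["Illegal_UnexpectedArgs"]
    return LEVELS["Legal"]

def build_deny_list(records, level=10002, count=2):
    """Mimic --nginx-level / --nginx-count: an IP is denied once it has
    `count` or more accesses classified at `level` or above (assumed inclusive)."""
    hits = defaultdict(int)
    for ip, method, path, args in records:
        if classify(method, path, args) >= level:
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= count)

def render_iptables(denied):
    """Render the include file referenced from the nginx http/server block."""
    return "".join(f"deny {ip};\n" for ip in denied)

# Constructed sample accesses: (ip, method, path, query params).
SAMPLE = [
    ("203.0.113.5", "GET", "/api/user", {"id": "42"}),        # 10000
    ("203.0.113.5", "GET", "/logo.png", {}),                  # 10001, below level
    ("198.51.100.9", "GET", "/admin.php", {}),                # 10002
    ("198.51.100.9", "GET", "/api/user", {"id": "abc"}),      # 10005
    ("192.0.2.77", "DELETE", "/api/user", {}),                # 10003, only one hit
]

if __name__ == "__main__":
    print(render_iptables(build_deny_list(SAMPLE)), end="")
```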

To learn more about using OpenAPI, visit the Baijiafan OpenAPI site.

#Apicat #updates #Nginx #automatic #malicious #blocking #function #News Fast Delivery
