autowaf
A service which updates the WAF IP blocklist
Development
Project is currently in development phase.
Build
Build and run locally
go build -o autowaf && ./autowaf -ldb
The -ldb
argument will change the database port to 54300
and change the update-rate
to 1 minute. It will also prevent the app from trying to get database credentials from cloudfoundry environmental variables.
Environmental vars
BLOCKLIST_NAME
BLOCKLIST_NAME
is the name of the blocklist to update on the WAF. Defaults to: autoblocklist-DEV
AWS_REGION
AWS_REGION
is a comma separated list with the AWS region(s) of the blocklist(s). It defaults to us-east-1
. Currently 1+ regions are supported.
SHORT_PERIOD
SHORT_PERIOD
is the duration used for a short term ban query. It defaults to 6
(hours) and must be an integer.
LONG_PERIOD
LONG_PERIOD
is the duration used for a long term ban query. It defaults to 720
(hours) and must be an integer.
SHORT_LIMIT
SHORT_LIMIT
is the limiting number of requests over SHORT_PERIOD
that results in a short term ban. It defaults to 10
and must be an integer.
LONG_LIMIT
LONG_LIMIT
is the limiting number of requests over LONG_PERIOD
that results in a long term ban. It defaults to 15
and must be an integer.
UPDATE_RATE
UPDATE_RATE
is the number of minutes before the background thread updates the WAF. It defaults to 5
.
RETENTION_PERIOD
RETENTION_PERIOD
is the number of days to keep records in the logon_audit table. It defaults to 90
and must be an integer.
DB_USER
DB_USER
is the username used for connecting to a postgres database. It is ignored unless -ldb
is passed. It defaults to postgres
.
DB_NAME
DB_NAME
is the database named used for connecting to a postgres database. It is ignored unless -ldb
is passed. It defaults to postgres
.
DB_PASSWORD
DB_PASSWORD
is the database password used when connecting to a postgres database. It is ignored unless -ldb
is passed. It defaults to mysecretpassword
.
DB_HOSTNAME
DB_HOSTNAME
is the database hostname used when connecting to a postgres database. It is ignored unless -ldb
is passed. It defaults to localhost
.
API
/loginfailure
This API takes in a JSON object with the following fields:
-
ts: a timestamp in RFC3339 format
-
ip: the IP address that’s the source of the failed login attempt. Can be IPv4, IPv6 or IPv4 vis IPv6
-
username: the username of the failed login attempt
-
pwhash: [optional] the password hash
-
reason: the reason for the failure (e.g. PASSWORD_FAILURE)
The service will return the following status code:
-
200: Success
-
422: Unprocessable Entity - there was a problem with the JSON object passed to the API
-
500: Other internal error occurred in the service
/unblockIP
This API takes in a JSON object with the following fields:
- ip: the IP address to be unbanned
The service will return the following status code:
-
200: Success - Whether or not IP was found in database or blocklist
-
422: Unprocessable Entity - there was a problem with the JSON object passed to the API
-
500: Other internal error occurred in the service
/healthcheck
The healthcheck API takes in no values and returns a 200 if the service is healthy.