autowaf

A service which updates the WAF IP blocklist

Development

The project is currently in the development phase.

Build

Build and run locally

go build -o autowaf && ./autowaf -ldb

The -ldb argument changes the database port to 54300 and the update rate to 1 minute. It also stops the app from trying to read database credentials from the Cloud Foundry environment variables.

Environment variables

BLOCKLIST_NAME

BLOCKLIST_NAME is the name of the blocklist to update on the WAF. Defaults to: autoblocklist-DEV

AWS_REGION

AWS_REGION is a comma-separated list of the AWS region(s) of the blocklist(s). It defaults to us-east-1. One or more regions are currently supported.

SHORT_PERIOD

SHORT_PERIOD is the duration, in hours, used for the short-term ban query. It defaults to 6 and must be an integer.

LONG_PERIOD

LONG_PERIOD is the duration, in hours, used for the long-term ban query. It defaults to 720 and must be an integer.

SHORT_LIMIT

SHORT_LIMIT is the number of requests within SHORT_PERIOD that results in a short-term ban. It defaults to 10 and must be an integer.

LONG_LIMIT

LONG_LIMIT is the number of requests within LONG_PERIOD that results in a long-term ban. It defaults to 15 and must be an integer.
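As an added example (not code from the autowaf project), the Go sketch below shows how the four threshold variables above could be read with the README defaults and the integer check, and how they classify an IP from its recent failure timestamps. BanPolicy, PolicyFromEnv and Ban are hypothetical names; the real service evaluates the bans as a database query.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// BanPolicy holds SHORT_PERIOD/LONG_PERIOD (hours) and SHORT_LIMIT/LONG_LIMIT (request counts).
type BanPolicy struct {
	ShortPeriod, LongPeriod time.Duration
	ShortLimit, LongLimit   int
}

// PolicyFromEnv reads the four variables through getenv (pass os.Getenv in the service),
// using the README defaults 6h/10 and 720h/15 when unset and rejecting non-integer values.
func PolicyFromEnv(getenv func(string) string) (BanPolicy, error) {
	vals := [4]int{6, 720, 10, 15} // defaults, in the order of the names below
	for i, name := range [4]string{"SHORT_PERIOD", "LONG_PERIOD", "SHORT_LIMIT", "LONG_LIMIT"} {
		if raw := getenv(name); raw != "" {
			n, err := strconv.Atoi(raw)
			if err != nil {
				return BanPolicy{}, fmt.Errorf("%s must be an integer, got %q", name, raw)
			}
			vals[i] = n
		}
	}
	return BanPolicy{ShortPeriod: time.Duration(vals[0]) * time.Hour,
		LongPeriod: time.Duration(vals[1]) * time.Hour, ShortLimit: vals[2], LongLimit: vals[3]}, nil
}

// Ban is a hypothetical in-memory form of the ban query: "long" when the failures within
// LongPeriod of now reach LongLimit, "short" when those within ShortPeriod reach ShortLimit, else "".
func (p BanPolicy) Ban(now time.Time, failures []time.Time) string {
	short, long := 0, 0
	for _, t := range failures {
		if age := now.Sub(t); age >= 0 && age <= p.LongPeriod {
			long++
			if age <= p.ShortPeriod {
				short++
			}
		}
	}
	if long >= p.LongLimit {
		return "long"
	} else if short >= p.ShortLimit {
		return "short"
	}
	return ""
}
```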

UPDATE_RATE

UPDATE_RATE is the number of minutes between the background thread's updates of the WAF. It defaults to 5.

RETENTION_PERIOD

RETENTION_PERIOD is the number of days to keep records in the logon_audit table. It defaults to 90 and must be an integer.

DB_USER

DB_USER is the username used for connecting to a postgres database. It is ignored unless -ldb is passed. It defaults to postgres.

DB_NAME

DB_NAME is the database name used for connecting to a postgres database. It is ignored unless -ldb is passed. It defaults to postgres.

DB_PASSWORD

DB_PASSWORD is the database password used when connecting to a postgres database. It is ignored unless -ldb is passed. It defaults to mysecretpassword.

DB_HOSTNAME

DB_HOSTNAME is the database hostname used when connecting to a postgres database. It is ignored unless -ldb is passed. It defaults to localhost.

API

/loginfailure

This API takes in a JSON object with the following fields:

  • ts: a timestamp in RFC3339 format

  • ip: the IP address that is the source of the failed login attempt. Can be IPv4, IPv6 or IPv4 via IPv6

  • username: the username of the failed login attempt

  • pwhash: [optional] the password hash

  • reason: the reason for the failure (e.g. PASSWORD_FAILURE)

The service will return one of the following status codes:

  • 200: Success

  • 422: Unprocessable Entity – there was a problem with the JSON object passed to the API

  • 500: Other internal error occurred in the service

/unblockIP

This API takes in a JSON object with the following fields:

  • ip: the IP address to be unbanned

The service will return one of the following status codes:

  • 200: Success – returned whether or not the IP was found in the database or blocklist

  • 422: Unprocessable Entity – there was a problem with the JSON object passed to the API

  • 500: Other internal error occurred in the service

/healthcheck

The healthcheck API takes in no values and returns a 200 if the service is healthy.
