0

I have nginx running behind ELB which points to application Uwsgi.
I want to ban IP's based on there request frequencies.
After digging on the topic I found out that I need to use WAF for this.
I can block IP's manually.
Now I want to automate this.
I want to read IP's from the nginx logs or maybe use fail2ban and then somehow update the WAF IP list to block those IP's.

My problem is I dont know how to do this Somehow update the WAF IP list part. I cant find boto implementations tutorial or any other way to do this.
I am sure their must be a way.
can anyone guide me.

neuro
  • 14,948
  • 3
  • 36
  • 59
Nagri
  • 3,008
  • 5
  • 34
  • 63

1 Answers1

0

I realize this response is a bit late, so I just hope it helps someone else along the way.

The best way to manage this situation is by using Lambda to update the rules in your WAF. To do this you create a Lambda function that reads from your webserver logs, and tries to identify patterns that would indicate malicious intent. The two big ones are of course excessive HTTP 4xx responses and excessive calls from the same IP address. You can set paramaters that will allow you to determine your definition of "excessive".

Below is a link to a blog entry that shows a good diagram of how this would work.

http://www.cloudaxis.com/2016/09/21/use-aws-waf-to-block-malicious-requests/

Hope this helps you or someone else.

mwelsh75
  • 1