Node.js application webhook that parses logentries attack alarms logged by HAproxy and blocks on Cloudflare's threat control center.
####Features:
- Tolerance control;
- Cloudflare's Under Attack! automatic configuration under high load attacks;
- Attack counter decay;
- IP Attacker ban;
####Requirements:
- Functional Logentries (www.logentries.com) account;
- Most recent HAproxy snapshot with support to capture.req.hdr directive;
- Your site configured to use Cloudflare's CDN and a working API Key;
##Configuration
####Node.js
Edit ws-attack-receiver.js and add your personal information.
var cf_tkn = '< API Token from CloudFlare> ';
var cf_email= '< mail registered at CloudFlare >'
var cf_zone = '< Domain registerd at Cloudflare >'
var le_tkn = '< Logentries log facility token >'
You will need only two packages:
"dependencies": {
"express": "3.x",
"node-logentries": "~0.1.2"
}
Write down your public IP and Port (default:8080), run your application :-)
####Logentries.com You will need 2 log facilities, one as 'Node.js' type to receive events the application and another one, type 'Plain TCP, UDP', to receive logs from HAProxy;
- Create a new log for Node.js, follow steps and write down the log token to use it on the ws-attack-receiver.js;
- Create a manual configuration log of type 'Plain TCP, UDP'. As soon as the log is created you will have a few minutes to configure HAProxy to send log events so Logentries.com can lock the port to your application. Write down the port.
- On the HAproxy log created, set up a new Tag/Alarm with the following options:
- Name: Bad Request
- Pattern: NOSRV
- Label: Fatal (or create a new one named Bad Request)
- Log to apply: Select the HAproxy Log
- Trigger: Once
- Report: 100x / Hour
- Check Webhook: http://YOUR_SERVER_IP:PORT/attack
####HAproxy Point HAproxy to logentries.com facility, use the port given when you created the HAproxy log.
global
log 54.247.179.233:<port> local0 info
You will need a custom log format, ex:
log-format [%f|%b|%s]\ %ci:%cp\ %r\ %ST\ %B\ %ms\ %[capture.req.hdr(0)]\ CFCIP:{%[capture.req.hdr(1)]}
Only required field is CFCIP:{%[capture.req.hdr(1)]}. Check documentation and set up the log as you wish.
Setup the the frontend of your site with the following options:
frontend my-http-in
capture request header User-Agent len 200 # optional
capture request header CF-Connecting-IP len 50
# Optionally (you better), block all traffic not comming from Cloudflare's servers:
acl cloudflare_ranges src -f /opt/cloudflare/ips-v4
# To get the ips-v4 file, crontab -e this job:
# * 0 * * * wget -qO /opt/cloudflare/ips-v4 https://www.cloudflare.com/ips-v4
# Block all request not coming from cloudflare
http-request deny if !cloudflare_ranges
# Misbehaving Protection based on CF-Connecting-IP from Cloudflare
# This does not protect againsts attacks bellow layer 7, but cloudflare will block it all!
stick-table type ip size 100k expire 30s store conn_rate(3s)
stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
stick-table type ip size 100k expire 30s store conn_cur
tcp-request inspect-delay 10s
tcp-request content track-sc0 hdr_ip(CF-Connecting-IP,-1) if HTTP
http-request deny if { src_get_gpc0(http-in) gt 2 }
http-request deny if { sc0_conn_cur ge 10 }
http-request deny if { sc0_conn_rate ge 10 }
use_backend my_pool ... etc etc etc
Use http://loadimpact.com/ free test, if everything is working ok you will see logentries receiveing the regular requests on you haproxy log and the attack being blocked on the node.js log.
Notes:
- The default tolerance is set to 3000, tune as you wish but never above the file descriptors your system can handle :-)
- Decay is set to 1m, so the attacker counter will decrement by 1 each minute. If you got your site on Under Attack! sec lvl it will only cooldown after the counter is zeroized. Tune as you wish.