Thursday, 1 June 2017

AWS Lambda function to create / delete entries in WAF

I am trying to write some basic logic for creating WAF entries (that would block an IP address or a set of IP addresses from entering) and later deleting them.

I am currently doing this:

const aws = require('aws-sdk');

// S3 client for reading the log objects; the WAF client is what jail/bail will use.
const s3 = new aws.S3({ apiVersion: '2006-03-01' });
const waf = new aws.WAF({ apiVersion: '2015-08-24' });

class Police {
  // maxHit: hits per window before an IP is jailed
  // timeGap: window length in ms (default 6 hours) after which jailed IPs are bailed
  constructor(maxHit = 100, timeGap = (6 * 60 * 60 * 1000)) {
    this.maxHit = maxHit;
    this.timeGap = timeGap;
    this.lastBailCheck = Date.now();
    this.hitMap = {};
  }
  static bail(ip) {
    // TODO bail this ip by removing its entry from WAF
  }
  static jail(ip) {
    // TODO jail this ip by adding an entry to WAF
  }
  // Once per window: freeze the current hit map, start a fresh one and bail everything in the old one.
  checkBail() {
    const nowDate = Date.now();
    if ((nowDate - this.lastBailCheck) > this.timeGap) {
      this.lastBailCheck = nowDate;
      this.prevMap = this.hitMap;
      this.hitMap = {};
      this.scanAndBail();
    }
  }
  scanAndBail() {
    // forEach passes (value, index, array); only the first argument, the IP, is used.
    Object.keys(this.prevMap).forEach((ip) => Police.bail(ip));
    delete this.prevMap;
  }
  watch(ip) {
    this.hitMap[ip] = (this.hitMap[ip] || 0) + 1;
    // Jail exactly once, on the hit that crosses the threshold, instead of on every later hit.
    if (this.hitMap[ip] === this.maxHit + 1) {
      Police.jail(ip);
    }
    this.checkBail();
  }
}

const police = new Police();

function forOneLogLine(line) {
  if (typeof line === 'string') {
    // Assumes the client IP is the fourth space-separated field of the log line.
    const ip = line.split(' ')[3];
    if (ip) {
      police.watch(ip);
    }
  }
}

So here I want to fill in the code for jail and bail (to block / free an IP address or a set of addresses).

I went through the AWS Node.js docs, but it was so confusing how to implement it, and more specifically how to implement it optimally. I was looking for just two APIs: one that I would pass an IP address to and that would block it, and another to free it.

I have a few basic questions about the above docs:

  1. How do I pass the IP address, and to which API?
  2. Does aws.WAF automatically group a set of IP addresses into IPSets?
  3. Does aws.WAF also keep hit counts, similar to what I am doing in class Police?
  4. Do I need to fetch a ChangeToken for every IP address that I am going to add to / remove from the block list? Or can I fetch it once and use it forever?

I would be glad to have some sample code (preferably in JavaScript) for this exact requirement. I would be delighted if my jail and bail code got filled in.



via codeofnode
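The two WAF Classic calls that a jail/bail pair needs, as an added example that is not part of the original post and not AWS's own code: GetChangeToken followed by UpdateIPSet, using the aws-sdk v2 request shapes. The WAF client is injected so the module runs offline against the constructed fake client below; with the real SDK you would pass the `waf` object from the post. The IPSet id is a placeholder (a real one comes from CreateIPSet or the console), and the 203.0.113.x / 198.51.100.x addresses are documentation ranges chosen for the sample.

```javascript
// Validate a dotted-quad IPv4 address and turn it into the /32 CIDR that
// IPSetDescriptor.Value expects. Log fields can be malformed, so anything
// that is not a plain IPv4 address is rejected rather than sent to WAF.
function toCidr(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
  }
  return parts.map(Number).join('.') + '/32';
}

// Build jail/bail over one IPSet. Every UpdateIPSet call needs a fresh token
// from GetChangeToken, so the token is fetched per call and never cached.
// Several addresses can share one call (and one token) through Updates.
function makeIpSetBlocker(client, ipSetId) {
  async function update(action, ips) {
    const updates = [];
    for (const ip of ips) {
      const cidr = toCidr(ip);
      if (cidr === null) throw new Error('not an IPv4 address: ' + ip);
      updates.push({ Action: action, IPSetDescriptor: { Type: 'IPV4', Value: cidr } });
    }
    if (updates.length === 0) return null;
    const { ChangeToken } = await client.getChangeToken({}).promise();
    const res = await client.updateIPSet({ ChangeToken, IPSetId: ipSetId, Updates: updates }).promise();
    return res.ChangeToken;
  }
  return {
    jail: (ips) => update('INSERT', [].concat(ips)), // block one address or a list
    bail: (ips) => update('DELETE', [].concat(ips)), // unblock one address or a list
  };
}

// Constructed stand-in for the SDK client (not the real service): keeps the
// IPSet in memory, hands out single-use change tokens and rejects a reused
// one the way WAF does with WAFStaleDataException.
function makeFakeWafClient() {
  const members = new Set();
  let counter = 0;
  let current = null;
  const call = (fn) => ({ promise: () => Promise.resolve().then(fn) });
  return {
    members,
    getChangeToken: () => call(() => {
      current = 'tok-' + (++counter);
      return { ChangeToken: current };
    }),
    updateIPSet: (params) => call(() => {
      if (params.ChangeToken !== current) {
        const e = new Error('stale change token');
        e.code = 'WAFStaleDataException';
        throw e;
      }
      current = null; // token consumed by this update
      for (const u of params.Updates) {
        const v = u.IPSetDescriptor.Value;
        if (u.Action === 'INSERT') members.add(v); else members.delete(v);
      }
      return { ChangeToken: params.ChangeToken };
    }),
  };
}

// Block two addresses, then free one, returning the IPSet contents at each step.
async function demo() {
  const client = makeFakeWafClient();
  const { jail, bail } = makeIpSetBlocker(client, 'IPSET-ID-PLACEHOLDER');
  await jail(['203.0.113.7', '198.51.100.9']);
  const blocked = [...client.members].sort();
  await bail('203.0.113.7');
  const after = [...client.members].sort();
  return { blocked, after };
}

// Show what happens when a token is reused instead of refetched.
async function staleTokenReuse() {
  const client = makeFakeWafClient();
  const { ChangeToken } = await client.getChangeToken({}).promise();
  const params = { ChangeToken, IPSetId: 'IPSET-ID-PLACEHOLDER',
    Updates: [{ Action: 'INSERT', IPSetDescriptor: { Type: 'IPV4', Value: '203.0.113.1/32' } }] };
  await client.updateIPSet(params).promise();
  try { await client.updateIPSet(params).promise(); return null; } catch (e) { return e.code; }
}
```

Two design points the questions hinge on: WAF does not group addresses for you, the IPSet is a container you create once and then reference from a rule in a WebACL, and UpdateIPSet is the only call that adds or removes members; and the change token is per change request, so caching one token "forever" fails on the second update. Hit counting stays in the function (or in something like the Police class), WAF only applies the IPSet.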
