The latest articles on DEV Community by Ajibola Anjorin (@ajibola_anjorin_32089a588). https://dev.to/ajibola_anjorin_32089a588 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3901423%2F640aa266-8b24-4959-b6ed-e62048b433cb.png https://dev.to/ajibola_anjorin_32089a588 en Ajibola Anjorin Tue, 28 Apr 2026 02:20:17 +0000 https://dev.to/ajibola_anjorin_32089a588/catching-hackers-with-math-how-i-built-a-self-healing-server-2kk2 https://dev.to/ajibola_anjorin_32089a588/catching-hackers-with-math-how-i-built-a-self-healing-server-2kk2 <p>If you’ve never worked in cybersecurity before, the word "DevSecOps" sounds intimidating. It sounds like you need to be in a dark room wearing a hoodie, typing furiously to stop hackers.</p> <p>But in reality? Good security isn't about typing fast. It’s about building smart alarms.</p> <p>For my latest engineering project, I built an Anomaly Detection Engine from scratch. Here is a beginner-friendly breakdown of how I used simple math to teach a server to defend itself.</p> <p>The Problem: Hard-Coded Rules Fail<br> Imagine you run a popular online store. You tell your bouncer (your firewall): "If anyone tries to enter the store more than 10 times a second, kick them out! They must be a hacker doing a brute-force attack."</p> <p>That works great on a normal Tuesday. But what happens on Black Friday? Suddenly, hundreds of real customers are rushing the doors. Your bouncer kicks them all out, and your business crashes. Hard-coded limits don't adapt to reality.</p> <p>The Solution: The "Resting Heartbeat"<br> Instead of a strict rule, my security engine calculates a Rolling Baseline. Think of this as the server's resting heartbeat.</p> <p>Every single minute, a background script looks at the traffic and says, "Okay, right now, we are averaging about 1 request per second." If traffic slowly builds up over the afternoon (like a Black Friday sale), the baseline adjusts to accept it as the new normal.</p> <p>The Trigger: The Z-Score (The Conveyor Belt)<br> To catch actual attacks, the engine uses a 60-second "Sliding Window"—like a conveyor belt of incoming traffic.</p> <p>It tracks every IP address on that belt and compares them to our baseline heartbeat using a mathematical formula called a Z-Score. A Z-Score tells us exactly how "weird" a spike in traffic is.</p> <p>In my engine, the alarm triggers if an IP hits a Z-Score of 3.0. In the world of statistics, anything past a 3.0 means there is a 99.7% chance that this spike is a massive anomaly, not just an enthusiastic user.</p> <p>(During testing, I accidentally triggered a Z-Score of 40.17! The engine didn't hesitate.)</p> <p>The Trapdoor: Auto-Banning and Slack Alerts<br> When the math catches an attacker, the engine doesn't wait for a human to respond. It takes immediate action:</p> <p>The Block: It talks directly to the server's core firewall (iptables) and drops all network traffic from that specific IP address instantly.</p> <p>The Alert: It sends a formatted alert directly to my phone via Slack, showing me the attacker's IP and how hard they tried to hit the server.</p> <p>The Recovery: It starts a 10-minute timer. When the timer expires, it automatically unbans the IP. This ensures that if a real user's device just glitched out, they aren't permanently banned forever.</p> <p>Conclusion<br> Building this taught me that modern security isn't just about building taller walls; it’s about building smarter sensors. By combining simple statistics with automated firewalls, you can build a server that heals itself while you sleep!</p> beginners cybersecurity security showdev