DEV Community: Ayomide

Building Your First Server "Bouncer": A Beginner's Guide to Anomaly Detection

Ayomide — Wed, 29 Apr 2026 22:54:53 +0000

When I first started in DevSecOps, this felt overwhelming. How do you stop attacks when you are asleep?

The answer is Automated Anomaly Detection. I recently built a Python-based security engine that watches server traffic, learns what "normal" looks like, and automatically bans malicious bots.

If you have never worked on security tooling before, don't worry! I am going to break down exactly how this project works, piece by piece, without the dense jargon.

What This Project Does (And Why It Matters)

Imagine your web server is an exclusive nightclub, and the Nginx log file is the guest list. Every time someone visits your site, Nginx writes their IP address in the log.

This project acts as an invisible bouncer standing next to the list. It reads the logs in real-time. If someone is walking in and out a normal amount of times, the bouncer ignores them. But if one person tries to enter the club 500 times in ten seconds, the bouncer grabs them, throws them out, and locks the door.

This matters because manual security doesn't scale. You cannot sit at your computer 24/7 watching logs. By automating this, your server protects itself.

1. The Sliding Window: The Short-Term Memory

To know if someone is attacking us right now, the engine needs short-term memory. We use a concept called a Sliding Window.

Imagine a 60-second timer. Every time an IP address makes a request, we record the exact timestamp. As time ticks forward, we continuously "drop" any timestamps that are older than 60 seconds.

[  Time: 10:00:00  ] -> Request comes in. Add to window.
[  Time: 10:00:30  ] -> More requests come in.
[  Time: 10:01:05  ] -> The request from 10:00:00 is now too old. We drop it!

This ensures we are always looking at the current rate of traffic. In Python, we do this using a deque (a double-ended queue), which makes it incredibly fast to add new requests to the right side and pop old requests off the left side.

from collections import deque
import time

class RateTracker:
def init(self):
# Keeps memory of timestamps
self.requests = deque()

def add_request(self):
    self.requests.append(time.time())

def get_rate(self):
    current_time = time.time()
    # Remove anything older than 60 seconds
    while self.requests and self.requests[0] < current_time - 60:
        self.requests.popleft()

    # The remaining length is our current Requests-Per-Second!
    return len(self.requests) / 60.0

2. The Baseline: How the Engine "Learns"
A static rule like "Ban anyone who makes 50 requests" is actually a terrible idea. What if your site goes viral? Suddenly, your engine will ban all your real customers!

Instead, the engine needs to learn what "normal" is. We call this the Baseline.

Every minute, our engine takes a snapshot of the global traffic rate and saves it. Over time, it calculates two things:

The Mean (Average): The normal amount of traffic we expect to see.

The Standard Deviation: How much traffic naturally "wiggles" up and down on a normal day.

If normal traffic is 10 requests per second (the Mean), and it usually fluctuates by about 2 requests (the Standard Deviation), the engine learns that anything between 8 and 12 is perfectly safe.

3. The Detection Logic: The Judge
Now we have our short-term memory (Sliding Window) and our long-term learning (Baseline). How do we make a decision to ban someone?

We use a mathematical concept called a Z-Score. Don't let the math term scare you! A Z-Score simply answers the question: "How weird is this right now compared to what we normally see?"

Here is the logic:

We look at a specific IP address's current request rate.

We subtract the "normal" Baseline Mean.

We divide by the Standard Deviation.

If the Z-Score is 1, it means traffic is slightly elevated, but fine. If the Z-Score hits 5, it means that IP is behaving so aggressively that there is practically a 0% chance it is a normal user.

When the logic sees a high Z-Score, it pulls the alarm.

4. iptables: The Muscle
Once the engine decides an IP is an attacker, it needs to physically block them from the server. It does this using iptables.

iptables is the built-in firewall for Linux systems. Think of it as a brick wall surrounding your server. When our Python script catches a bad IP, it executes this exact terminal command:

sudo iptables -A INPUT -s 192.168.1.100 -j DROP



Let's break down what this command actually means:

sudo: Run this with absolute administrator power.

iptables: Wake up the firewall program.

-A INPUT: Append (add) a new rule to the INPUT door (incoming traffic).

-s 192.168.1.100: Look for this specific source IP address.

-j DROP: Jump to the DROP action. Do not send an error message, do not say hello, just silently drop their connection into a black hole.

Once this command runs, that attacker can no longer touch our Nginx server, view our website, or waste our CPU resources. They are completely locked out!

Wrapping Up
By combining Nginx logs, a sliding window, statistical math, and Linux firewalls, we built an engine that thinks, learns, and defends entirely on its own. DevSecOps isn't just about reading logs—it is about building automated systems that do the hard work for you.

Have you ever built a security tool or worked with iptables? Let me know in the comments below!

HNG STAGE 1 TASK: Linux User Creation Bash Script Task

Ayomide — Sat, 06 Jul 2024 11:19:24 +0000

Introduction

Managing user accounts and groups efficiently is a critical task for any SysOps engineer. It is essential to automate this process to ensure consistency, security, and ease of management. In this article, we will explore a bash script that automates the creation of users and groups based on a provided text file. This script sets up home directories, generates random passwords, and logs all actions performed.

Script Overview
Our bash script, create_users.sh, reads a text file where each line is formatted as username;groups, creates users, assigns them to groups, and logs the actions. The script also handles error scenarios for existing users and sets appropriate permissions for home directories and password files.

Initialization and Variable Declaration

#!/bin/bash

log_message_file="/var/log/user_management.log"
passwords_file="/var/secure/user_passwords.txt"

I defined the log and password files, ensuring they exist.

Fucntion to Verify User and Group

# Check if a user exists
user_exists() {
    local username=$1
    if getent passwd "$username" > /dev/null 2>&1; then
        return 0  # User exists
    else
        return 1  # User does not exist
    fi
}

# Check if a group exists
group_exists() {
    local group_name=$1
    if getent group "$group_name" > /dev/null 2>&1; then
        return 0  # Group exists
    else
        return 1  # Group does not exist
    fi
}

I declare functions to check if the users and groups exists. They will be called in later

Function for Password Generation and Logging

# Generate a random password
generate_password() {
    openssl rand -base64 12
}

# Log actions to /var/log/user_management.log
log() {
    local MESSAGE="$1"
    echo "$(date +'%Y-%m-%d %H:%M:%S') - $MESSAGE" | sudo tee -a $log_message_file > /dev/null
}

The first function generates a random password and the second function sends a log of all actions to the specified file

# Assign the file name from the command line argument
user_group=$1

Here, a variable is assigned to the command line argument as a stand in for the filename

Log and Password File Creation

# Check if the log file exist

if [ ! -f "$log_messsage_file" ]; then
    # Create the log file
    sudo touch "$log_message_file"
    log "$log_message_file has been created."
else
    log "$log_message_file exists already"
fi

# Check and create the passwords_file

if [ ! -f "$passwords_file" ]; then
    # Create the file and set permissions
    sudo mkdir -p /var/secure/
    sudo touch "$passwords_file"
    log "$passwords_file has been created."
    # Set ownership permissions for passwords_file
    sudo chmod 600 "$passwords_file"
    log "Updated passwords_file permission to file owner"
else
    log "$passwords_file exists already"
fi

Here, the log file and password file are checked for any sign of existence and created if none is found

Looping Through Users and Groups

while IFS=';' read -r username groups; do
    # Extract the user name
    username=$(echo "$username" | xargs)

Using IFS, I separate the value in our text file using the ";" as the delimiter and extract the username and groups

Checking for Users and Password Creation

    # Check if the user exists
    if user_exists "$username"; then
        log "$username exists already"
        continue
    else
        # Generate a random password for the user
        password=$(generate_password)

        # Create the user with home directory and set password
        sudo useradd -m -s /bin/bash "$username"
        echo "$username:$password" | sudo chpasswd

        log "Successfully Created User: $username"
    fi

This code checks if the user already exists; otherwise, it creates the user and gives it a randomized password.

Checking for User Group

    # check that the user has its own group
    if ! group_exists "$username"; then
        sudo groupadd "$username"
        log "Successfully created group: $username"
        sudo usermod -aG "$username" "$username"
        log "User: $username added to Group: $username"
    else
        log "User: $username added to Group: $username"
    fi

It checks if the user created has its own group and adds it to its group if it does not.

Extracting The Groups

    # Extract the groups and remove any spaces
    groups=$(echo "$groups" | tr -d ' ')

    # Split the groups by comma
    IFS=',' read -r -a group_count <<< "$groups"

From the text file, we extract the groups, spilt the values by the comma "," delimiter and append the values into the _group_count _array.

Creation of Groups and Attachment of Users

    # Create the groups and add the user to each group
    for group in "${group_count[@]}"; do
        # Check if the group already exists
        if ! group_exists "$group"; then
            # Create the group if it does not exist
            sudo groupadd "$group"
            log "Successfully created Group: $group"
        else
            log "Group: $group already exists"
        fi
        # Add the user to the group
        sudo usermod -aG "$group" "$username"
    done

By looping through the array, we check if the group exists, create it if it does not and add the users to their respective groups

Setting Appropriate Permission

    # Set permissions for home directory
    sudo chmod 700 "/home/$username"
    sudo chown "$username:$username" "/home/$username"
    log "Updated permissions for home directory: '/home/$username' of User: $username to '$username:$username'"

Here, we set the permission and ownership for the home directory of the created user(s)

Storing Username and Password in Password file

    # Store username and password in secure file
    echo "$username,$password" | sudo tee -a "$passwords_file" > /dev/null
    log "Stored username and password in $passwords_file"
done < "$user_group"

Here, we store the user and password in the specified file

To learn more about the HNG internship and what they do, check out HNG Internship. You can also visit HNG Hire to scout the best talents.

Thank You.