DEV Community: babaolu The latest articles on DEV Community by babaolu (@babaolu). https://dev.to/babaolu https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3903364%2F656ad2a8-e185-4995-9fea-d86e53187920.png DEV Community: babaolu https://dev.to/babaolu en How I Built a Real-Time Anomaly Detection Engine for a Cloud Storage Platform babaolu Wed, 29 Apr 2026 02:00:48 +0000 https://dev.to/babaolu/-how-i-built-a-real-time-anomaly-detection-engine-for-a-cloud-storage-platform-4cb9 https://dev.to/babaolu/-how-i-built-a-real-time-anomaly-detection-engine-for-a-cloud-storage-platform-4cb9 <h2> Introduction </h2> <p>Imagine you're running a cloud storage platform — thousands of users uploading files, downloading documents, sharing links — all day, every day. Now imagine a hacker decides to hammer your server with thousands of fake requests per second. Without protection, your server slows to a crawl, real users get locked out, and your business takes a hit.</p> <p>That's exactly the problem I was asked to solve. My task: build a tool that watches all incoming web traffic in real time, learns what "normal" looks like, and automatically blocks attackers — without any human intervention.</p> <p>In this post I'll walk you through exactly how I built it, piece by piece, in beginner-friendly terms. No security background required.</p> <h2> What We're Building (The Big Picture) </h2> <p>Here's the system at a glance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet → Nginx (reverse proxy) → Nextcloud (the app) ↓ JSON access logs ↓ Detection Daemon (our tool) ├── Reads logs line by line ├── Tracks request rates ├── Learns what's normal ├── Detects anomalies ├── Blocks bad IPs via iptables ├── Sends Slack alerts └── Shows a live dashboard </code></pre> </div> <p>The whole thing runs as Docker containers sitting alongside Nextcloud (our cloud storage app). Our tool never touches Nextcloud directly — it only watches the logs that Nginx writes.</p> <h2> The Tech Stack </h2> <ul> <li> <strong>Python 3.11</strong> — for the detection daemon (readable, great standard library)</li> <li> <strong>Nginx</strong> — the web server that sits in front of Nextcloud and writes JSON logs</li> <li> <strong>Docker + Docker Compose</strong> — to run everything together</li> <li> <strong>iptables</strong> — the Linux firewall, used to drop traffic from bad IPs</li> <li> <strong>Flask</strong> — a tiny Python web framework for the live dashboard</li> <li> <strong>Slack webhooks</strong> — to send ban/unban notifications</li> </ul> <h2> Part 1: Getting Nginx to Write JSON Logs </h2> <p>The first thing our detector needs is data — specifically, a log of every HTTP request that hits the server. Nginx can write logs in any format, and we chose JSON because it's easy to parse in Python.</p> <p>Here's the key part of our Nginx config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">hng_json</span> <span class="s">escape=json</span> <span class="s">'</span><span class="p">{</span><span class="kn">'</span> <span class="s">'"source_ip":"</span><span class="nv">$remote_addr</span><span class="s">",'</span> <span class="s">'"timestamp":"</span><span class="nv">$time_iso8601</span><span class="s">",'</span> <span class="s">'"method":"</span><span class="nv">$request_method</span><span class="s">",'</span> <span class="s">'"path":"</span><span class="nv">$request_uri</span><span class="s">",'</span> <span class="s">'"status":</span><span class="nv">$status</span><span class="s">,'</span> <span class="s">'"response_size":</span><span class="nv">$body_bytes_sent</span><span class="s">'</span> <span class="s">'</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/hng-access.log</span> <span class="s">hng_json</span><span class="p">;</span> </code></pre> </div> <p>Every time someone visits the site, Nginx writes one line like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"source_ip"</span><span class="p">:</span><span class="s2">"203.0.113.42"</span><span class="p">,</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="s2">"2026-04-28T22:15:01+00:00"</span><span class="p">,</span><span class="nl">"method"</span><span class="p">:</span><span class="s2">"GET"</span><span class="p">,</span><span class="nl">"path"</span><span class="p">:</span><span class="s2">"/login"</span><span class="p">,</span><span class="nl">"status"</span><span class="p">:</span><span class="mi">200</span><span class="p">,</span><span class="nl">"response_size"</span><span class="p">:</span><span class="mi">4823</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>We also configured Nginx to trust the <code>X-Forwarded-For</code> header, which gives us the real client IP even when traffic passes through a load balancer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">set_real_ip_from</span> <span class="mf">172.16</span><span class="s">.0.0/12</span><span class="p">;</span> <span class="k">real_ip_header</span> <span class="s">X-Forwarded-For</span><span class="p">;</span> </code></pre> </div> <p>The log file lives in a shared Docker volume called <code>HNG-nginx-logs</code>. Nginx writes to it; our detector reads from it. They never need to talk directly.</p> <h2> Part 2: Tailing the Log (monitor.py) </h2> <p>Our <code>monitor.py</code> module continuously reads the log file, one line at a time, as new lines appear. This is called "tailing" — just like the Linux <code>tail -f</code> command.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">log_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="c1"># Jump to end of file — don't replay old logs </span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">readline</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">line</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.05</span><span class="p">)</span> <span class="c1"># Brief pause when no new data </span> <span class="k">continue</span> <span class="n">entry</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="c1"># Process entry... </span></code></pre> </div> <p><code>f.seek(0, 2)</code> jumps to the end of the file on startup so we don't process logs from before the daemon started. Then we loop forever, reading one line at a time as Nginx writes them.</p> <h2> Part 3: The Sliding Window — Tracking Request Rates </h2> <p>This is the heart of the detection system. We need to answer the question: <strong>"How many requests has this IP sent in the last 60 seconds?"</strong></p> <p>The naive approach would be to count requests per minute in a simple counter. But that has a problem — it resets every minute, so a burst of 1000 requests in seconds 58-62 gets split across two windows and looks less severe than it is.</p> <p>Instead, we use a <strong>sliding window</strong> built on Python's <code>collections.deque</code>.</p> <h3> What is a deque? </h3> <p>A deque (pronounced "deck") is a list that you can efficiently add to or remove from on either end. Think of it like a conveyor belt — new items go on the right, old items fall off the left.</p> <h3> How our sliding window works </h3> <p>For every IP address, we maintain a deque of timestamps — one entry per request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ip_windows</span><span class="p">[</span><span class="sh">"</span><span class="s">203.0.113.42</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">([</span> <span class="mf">1714341240.1</span><span class="p">,</span> <span class="err">←</span> <span class="n">oldest</span> <span class="nf">request </span><span class="p">(</span><span class="mi">61</span> <span class="n">seconds</span> <span class="n">ago</span> <span class="err">→</span> <span class="n">will</span> <span class="n">be</span> <span class="n">evicted</span><span class="p">)</span> <span class="mf">1714341245.8</span><span class="p">,</span> <span class="mf">1714341250.2</span><span class="p">,</span> <span class="mf">1714341298.7</span><span class="p">,</span> <span class="err">←</span> <span class="n">newest</span> <span class="nf">request </span><span class="p">(</span><span class="n">just</span> <span class="n">now</span><span class="p">)</span> <span class="p">])</span> </code></pre> </div> <p>On every new request from that IP, we:</p> <ol> <li>Append the current timestamp to the right</li> <li>Evict any timestamps older than 60 seconds from the left</li> <li>The length of the deque is the request count in the last 60 seconds </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_append_and_evict</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">dq</span><span class="p">:</span> <span class="n">deque</span><span class="p">,</span> <span class="n">ts</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">now</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">dq</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">ts</span><span class="p">)</span> <span class="c1"># Add new request </span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">self</span><span class="p">.</span><span class="n">window_sec</span> <span class="c1"># 60 seconds ago </span> <span class="k">while</span> <span class="n">dq</span> <span class="ow">and</span> <span class="n">dq</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">dq</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># Evict stale entries </span></code></pre> </div> <p>Then the rate is simply:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ip_rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">])</span> <span class="o">/</span> <span class="mf">60.0</span> <span class="c1"># requests per second </span></code></pre> </div> <p>We maintain two windows simultaneously:</p> <ul> <li> <strong>Per-IP window</strong>: one deque per source IP address</li> <li> <strong>Global window</strong>: one deque for all traffic combined</li> </ul> <p>This lets us detect both a single aggressive IP <em>and</em> a distributed attack from many IPs at once.</p> <h2> Part 4: The Rolling Baseline — Learning What's Normal </h2> <p>Z-scores and rate multipliers are meaningless without a reference point. We need to know: what does <em>normal</em> traffic look like on this server?</p> <p>The trick is to never hardcode this. Traffic at 2am is different from traffic at noon. Monday is different from Friday. Our baseline must adapt.</p> <h3> How the baseline works </h3> <p>Every second, we record how many requests arrived in that second:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>second 1: 3 requests second 2: 5 requests second 3: 2 requests ... </code></pre> </div> <p>We keep 30 minutes (1800 seconds) of these counts in a rolling deque. Old entries fall off the left automatically.</p> <p>Every 60 seconds, we compute the <strong>mean</strong> (average) and <strong>standard deviation</strong> (how much traffic varies) from those counts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">_mean_stddev</span><span class="p">(</span><span class="n">values</span><span class="p">):</span> <span class="n">n</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">values</span><span class="p">)</span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">values</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">**</span> <span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">values</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="k">return</span> <span class="n">mean</span><span class="p">,</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> </code></pre> </div> <h3> Per-hour slots </h3> <p>We also keep separate "buckets" for each hour of the day (24 buckets total). If the current hour has at least 2 minutes of data, we prefer that hour's baseline over the full 30-minute average. This makes the baseline more accurate — 3am traffic patterns shouldn't pollute the 3pm baseline.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">current_hour_slot</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">now</span> <span class="o">//</span> <span class="mi">3600</span><span class="p">)</span> <span class="o">%</span> <span class="mi">24</span> <span class="n">slot</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_hour_slots</span><span class="p">[</span><span class="n">current_hour_slot</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">slot</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">120</span><span class="p">:</span> <span class="c1"># 2 minutes of per-second data </span> <span class="n">counts</span> <span class="o">=</span> <span class="p">[</span><span class="n">c</span> <span class="nf">for </span><span class="p">(</span><span class="n">_</span><span class="p">,</span> <span class="n">c</span><span class="p">)</span> <span class="ow">in</span> <span class="n">slot</span><span class="p">]</span> <span class="k">else</span><span class="p">:</span> <span class="n">counts</span> <span class="o">=</span> <span class="p">[</span><span class="n">c</span> <span class="nf">for </span><span class="p">(</span><span class="n">_</span><span class="p">,</span> <span class="n">c</span><span class="p">)</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_rolling</span><span class="p">]</span> <span class="c1"># fall back to 30-min window </span></code></pre> </div> <h3> Floor values </h3> <p>What if traffic is so low that stddev approaches zero? Division by zero would break our z-score formula. So we apply floors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">self</span><span class="p">.</span><span class="n">effective_mean</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">computed_mean</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">)</span> <span class="c1"># at least 0.1 req/s </span><span class="n">self</span><span class="p">.</span><span class="n">effective_stddev</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">computed_stddev</span><span class="p">,</span> <span class="mf">0.05</span><span class="p">)</span> <span class="c1"># at least 0.05 </span></code></pre> </div> <h2> Part 5: Anomaly Detection — Spotting the Attack </h2> <p>With a sliding window for current rates and a rolling baseline for normal rates, we can now make decisions. Our <code>detector.py</code> uses two independent checks on every single log line:</p> <h3> Check 1: Z-Score </h3> <p>The z-score tells us how many standard deviations above normal the current rate is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">z_score</span> <span class="o">=</span> <span class="p">(</span><span class="n">current_rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> </code></pre> </div> <p>If the mean is 2 req/s and stddev is 0.5, and we see 8 req/s:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">z_score</span> <span class="o">=</span> <span class="p">(</span><span class="mi">8</span> <span class="o">-</span> <span class="mi">2</span><span class="p">)</span> <span class="o">/</span> <span class="mf">0.5</span> <span class="o">=</span> <span class="mf">12.0</span> </code></pre> </div> <p>That's 12 standard deviations above normal — definitely an attack. We flag anything above <strong>3.0</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_z_score</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">rate</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="n">mean</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">baseline</span><span class="p">.</span><span class="n">effective_mean</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">baseline</span><span class="p">.</span><span class="n">effective_stddev</span> <span class="nf">return </span><span class="p">(</span><span class="n">rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> </code></pre> </div> <h3> Check 2: Rate Multiplier </h3> <p>The z-score works well for stable traffic. But what if traffic is genuinely variable? As a second safety net, we also flag any rate that is more than <strong>5× the baseline mean</strong> — regardless of stddev.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ip_rate_check</span> <span class="o">=</span> <span class="p">(</span><span class="n">mean</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="ow">and</span> <span class="n">ip_rate</span> <span class="o">&gt;=</span> <span class="mf">5.0</span> <span class="o">*</span> <span class="n">mean</span><span class="p">)</span> </code></pre> </div> <p>Whichever check fires first triggers the response. This makes the system robust against both smooth and spiky normal traffic patterns.</p> <h3> Error Surge: Detecting Credential Stuffing </h3> <p>Some attacks are slow and low-volume but hammer error codes — like brute-forcing a login page. These might not hit rate thresholds, but they'll produce floods of 401 or 403 responses.</p> <p>We track each IP's error rate separately. If it's 3× the baseline error rate, we automatically tighten the detection thresholds (halving the z-score threshold and rate multiplier) for that IP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">ip_error_rate</span> <span class="o">&gt;=</span> <span class="mf">3.0</span> <span class="o">*</span> <span class="n">baseline_error_mean</span><span class="p">:</span> <span class="n">effective_zscore_thresh</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="o">/</span> <span class="mf">2.0</span> <span class="c1"># 1.5 instead of 3.0 </span> <span class="n">effective_rate_mult</span> <span class="o">=</span> <span class="mf">5.0</span> <span class="o">/</span> <span class="mf">2.0</span> <span class="c1"># 2.5x instead of 5x </span></code></pre> </div> <h2> Part 6: Blocking with iptables </h2> <p>When an anomaly is detected for a specific IP, we need to drop their traffic at the network level — before it even reaches Nginx.</p> <p>Linux has a built-in firewall called <strong>iptables</strong>. Think of it as a bouncer at the door. We can tell it: "Drop all packets from this IP address."<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">_iptables</span><span class="p">(</span><span class="n">action</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">cmd</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="n">action</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">]</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> </code></pre> </div> <ul> <li> <code>iptables -I INPUT -s 203.0.113.42 -j DROP</code> → <strong>ban</strong> (insert at top of chain)</li> <li> <code>iptables -D INPUT -s 203.0.113.42 -j DROP</code> → <strong>unban</strong> (delete rule)</li> </ul> <p>The <code>-I</code> flag inserts the rule at position 1, which means it's evaluated first — highest priority. The attacker's packets get dropped at the kernel level before any Python or Nginx code even sees them.</p> <h3> The Backoff Schedule </h3> <p>We don't ban forever on the first offense. We use a backoff schedule that gets harsher with repeat offenders:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Offense</th> <th>Ban Duration</th> </tr> </thead> <tbody> <tr> <td>1st</td> <td>10 minutes</td> </tr> <tr> <td>2nd</td> <td>30 minutes</td> </tr> <tr> <td>3rd</td> <td>2 hours</td> </tr> <tr> <td>4th+</td> <td>Permanent</td> </tr> </tbody> </table></div> <p>This is stored in <code>config.yaml</code> so you can tune it without touching code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ban</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">600</span> <span class="c1"># 10 min</span> <span class="pi">-</span> <span class="m">1800</span> <span class="c1"># 30 min</span> <span class="pi">-</span> <span class="m">7200</span> <span class="c1"># 2 hours</span> <span class="pi">-</span> <span class="s">-1</span> <span class="c1"># permanent</span> </code></pre> </div> <h2> Part 7: Auto-Unban (unbanner.py) </h2> <p>A background thread polls every 10 seconds and checks if any ban has expired:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_check_and_unban</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">for</span> <span class="n">ip</span><span class="p">,</span> <span class="n">info</span> <span class="ow">in</span> <span class="nf">list</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">state</span><span class="p">[</span><span class="sh">"</span><span class="s">banned</span><span class="sh">"</span><span class="p">].</span><span class="nf">items</span><span class="p">()):</span> <span class="k">if</span> <span class="n">info</span><span class="p">[</span><span class="sh">"</span><span class="s">until</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span> <span class="k">continue</span> <span class="c1"># permanent, skip </span> <span class="k">if</span> <span class="n">now</span> <span class="o">&gt;=</span> <span class="n">info</span><span class="p">[</span><span class="sh">"</span><span class="s">until</span><span class="sh">"</span><span class="p">]:</span> <span class="c1"># Remove iptables rule </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-D</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Remove from our state </span> <span class="k">del</span> <span class="n">self</span><span class="p">.</span><span class="n">state</span><span class="p">[</span><span class="sh">"</span><span class="s">banned</span><span class="sh">"</span><span class="p">][</span><span class="n">ip</span><span class="p">]</span> <span class="c1"># Send Slack notification </span> <span class="n">self</span><span class="p">.</span><span class="n">notifier</span><span class="p">.</span><span class="nf">unban_alert</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">)</span> </code></pre> </div> <p>Every unban also sends a Slack notification and writes an audit log entry.</p> <h2> Part 8: Slack Alerts (notifier.py) </h2> <p>Slack has a feature called "Incoming Webhooks" — a URL you can POST JSON to and it appears as a message in a channel. We use this for real-time alerts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">ban_alert</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="n">condition</span><span class="p">,</span> <span class="n">rate</span><span class="p">,</span> <span class="n">baseline</span><span class="p">,</span> <span class="n">duration</span><span class="p">,</span> <span class="n">offense</span><span class="p">):</span> <span class="n">text</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">:rotating_light: *IP BANNED* `</span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">• *Condition:* </span><span class="si">{</span><span class="n">condition</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">• *Current rate:* </span><span class="si">{</span><span class="n">rate</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">• *Baseline mean:* </span><span class="si">{</span><span class="n">baseline</span><span class="si">:</span><span class="p">.</span><span class="mi">4</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">• *Ban duration:* </span><span class="si">{</span><span class="n">duration</span><span class="si">}</span><span class="s">s (offense #</span><span class="si">{</span><span class="n">offense</span><span class="si">}</span><span class="s">)</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">• *Timestamp:* </span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">webhook_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">text</span><span class="p">})</span> </code></pre> </div> <p>All alerts are fired in a background thread so they never block the detection loop. If Slack is slow, your detector doesn't slow down.</p> <h2> Part 9: The Live Dashboard (dashboard.py) </h2> <p>We built a Flask web app that shows everything happening in real time:</p> <ul> <li> <strong>Global req/s</strong> — current traffic rate vs. baseline</li> <li> <strong>Banned IPs</strong> — with offense count, condition that triggered the ban, and time until unban</li> <li> <strong>Top 10 source IPs</strong> — most active IPs in the last 60 seconds</li> <li> <strong>CPU and memory usage</strong> — system health</li> <li> <strong>Effective mean and stddev</strong> — what the baseline currently looks like</li> </ul> <p>The page uses <code>&lt;meta http-equiv="refresh" content="3"&gt;</code> to auto-reload every 3 seconds. There's also a <code>/api/metrics</code> endpoint that returns everything as JSON, useful for monitoring tools or external dashboards.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/metrics</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">metrics</span><span class="p">():</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span> <span class="sh">"</span><span class="s">global_rps</span><span class="sh">"</span><span class="p">:</span> <span class="n">state</span><span class="p">[</span><span class="sh">"</span><span class="s">global_rps</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">baseline_mean</span><span class="sh">"</span><span class="p">:</span> <span class="n">baseline</span><span class="p">.</span><span class="n">effective_mean</span><span class="p">,</span> <span class="sh">"</span><span class="s">baseline_stddev</span><span class="sh">"</span><span class="p">:</span> <span class="n">baseline</span><span class="p">.</span><span class="n">effective_stddev</span><span class="p">,</span> <span class="sh">"</span><span class="s">banned</span><span class="sh">"</span><span class="p">:</span> <span class="n">state</span><span class="p">[</span><span class="sh">"</span><span class="s">banned</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">top_ips</span><span class="sh">"</span><span class="p">:</span> <span class="n">state</span><span class="p">[</span><span class="sh">"</span><span class="s">top_ips</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">cpu_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">psutil</span><span class="p">.</span><span class="nf">cpu_percent</span><span class="p">(),</span> <span class="sh">"</span><span class="s">mem_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">psutil</span><span class="p">.</span><span class="nf">virtual_memory</span><span class="p">().</span><span class="n">percent</span><span class="p">,</span> <span class="sh">"</span><span class="s">uptime_seconds</span><span class="sh">"</span><span class="p">:</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">state</span><span class="p">[</span><span class="sh">"</span><span class="s">start_time</span><span class="sh">"</span><span class="p">]),</span> <span class="p">})</span> </code></pre> </div> <h2> Part 10: The Audit Log </h2> <p>Every significant event is written to a structured audit log file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">[2026-04-28T23:15:01Z] BAN ip=203.0.113.42 | condition=zscore=4.21&gt;</span><span class="o">=</span>3.0 | <span class="nv">rate</span><span class="o">=</span>18.3200 | <span class="nv">baseline</span><span class="o">=</span>2.1000 | <span class="nv">duration</span><span class="o">=</span>600s | <span class="nv">offense</span><span class="o">=</span>1 <span class="gp">[2026-04-28T23:25:01Z] UNBAN ip=203.0.113.42 | condition=zscore=4.21&gt;</span><span class="o">=</span>3.0 | <span class="nv">rate</span><span class="o">=</span>N/A | <span class="nv">baseline</span><span class="o">=</span>N/A | <span class="nv">duration</span><span class="o">=</span>600s | <span class="nv">offense</span><span class="o">=</span>1 <span class="go">[2026-04-28T23:26:40Z] BASELINE_RECALC ip=global | source=hour_slot[23] | mean=2.1450 | stddev=0.3821 | samples=960 </span></code></pre> </div> <p>This gives you a full history of what happened, when, and why — invaluable for incident review.</p> <h2> Putting It All Together with Docker Compose </h2> <p>All of this runs as Docker containers defined in a single <code>docker-compose.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="c1"># MariaDB database for Nextcloud</span> <span class="na">nextcloud</span><span class="pi">:</span> <span class="c1"># The cloud storage app</span> <span class="na">nginx</span><span class="pi">:</span> <span class="c1"># Reverse proxy that writes JSON logs</span> <span class="na">detector</span><span class="pi">:</span> <span class="c1"># Our anomaly detection daemon</span> </code></pre> </div> <p>The magic glue is the shared Docker volume <code>HNG-nginx-logs</code>. Nginx writes logs to it; the detector reads from it. They never talk directly — they just share a filesystem path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">volumes</span><span class="pi">:</span> <span class="na">HNG-nginx-logs</span><span class="pi">:</span> <span class="c1"># Named volume shared between nginx and detector</span> </code></pre> </div> <p>The detector runs with <code>network_mode: host</code> and <code>cap_add: NET_ADMIN</code> so it can modify iptables rules on the host machine.</p> <h2> Testing It </h2> <p>To verify the system works, you can simulate an attack using Apache Bench:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ab <span class="nt">-n</span> 5000 <span class="nt">-c</span> 100 http://YOUR_SERVER_IP/ </code></pre> </div> <p>This fires 5000 requests with 100 concurrent connections. Within seconds you should see:</p> <ol> <li>The detector logs: <code>IP ANOMALY 1.2.3.4: zscore=8.4&gt;=3.0</code> </li> <li>A Slack message: "🚨 IP BANNED 1.2.3.4"</li> <li>An iptables rule: <code>DROP all -- 1.2.3.4 anywhere</code> </li> <li>The dashboard updating with the banned IP</li> </ol> <h2> Key Lessons Learned </h2> <p><strong>1. Never hardcode thresholds.</strong> What's "too much" traffic depends on time of day, day of week, and the specific server. A baseline that learns from real traffic is always more accurate than a hardcoded number.</p> <p><strong>2. Two detection signals are better than one.</strong> Z-score alone can miss slow attacks on variable traffic. Rate multiplier alone can miss subtle statistical anomalies. Together they cover each other's blind spots.</p> <p><strong>3. Deques are perfect for sliding windows.</strong> Python's <code>collections.deque</code> evicts from the left in O(1) time. It's the ideal data structure for time-window problems.</p> <p><strong>4. Block at the network layer, not the application layer.</strong> iptables drops packets before they reach Nginx or Python. It's faster and more reliable than any application-level rate limiting.</p> <p><strong>5. Alert on everything, block on IP anomalies.</strong> Global traffic spikes might be legitimate (a viral post, a TV mention). We alert on global anomalies but only auto-block individual IPs where the evidence is clear.</p> <h2> Conclusion </h2> <p>Building this project taught me that security tooling doesn't have to be mysterious. At its core, this is just:</p> <ul> <li> <strong>Read</strong> logs line by line</li> <li> <strong>Count</strong> requests in a time window using a deque</li> <li> <strong>Compare</strong> current rates against a learned baseline</li> <li> <strong>Act</strong> when something looks wrong</li> </ul> <p>The maths is simple (mean, standard deviation, z-score). The data structures are simple (deque). The blocking mechanism is a single shell command. But combined, they form a system that responds to attacks in under 10 seconds, adapts to changing traffic patterns, and gets progressively stricter with repeat offenders.</p> <p>If you're interested in security, DevOps, or systems programming, I hope this gives you a clear mental model for how real anomaly detection works — and the confidence to build your own.</p> <p><em>The full source code is available at: <a href="https://github.com/babaolu/HNG_c14DO3" rel="noopener noreferrer">https://github.com/babaolu/HNG_c14DO3</a></em></p> <p><em>Built as part of the HNG Internship Stage 3 DevSecOps challenge.</em></p> beginners machinelearning security showdev