DEV Community: Timilehin Obalereko The latest articles on DEV Community by Timilehin Obalereko (@devopstimi). https://dev.to/devopstimi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3903124%2F1e639440-bead-4968-bb76-9488ae218469.png DEV Community: Timilehin Obalereko https://dev.to/devopstimi en I Built a Tool That Writes Its Own Infrastructure Timilehin Obalereko Wed, 06 May 2026 12:18:42 +0000 https://dev.to/devopstimi/i-built-a-tool-that-writes-its-own-infrastructure-5g09 https://dev.to/devopstimi/i-built-a-tool-that-writes-its-own-infrastructure-5g09 <p><em>A complete beginner-friendly walkthrough of building SwiftDeploy: a CLI tool that generates Nginx configs, manages Docker containers, enforces deployment policies, and gives you a live metrics dashboard — all from a single YAML file.</em></p> <h2> Who This Post Is For </h2> <p>If you have heard words like "Docker", "Nginx", "deployment", or "policy-as-code" and felt a little lost — this post is for you. I will explain every concept from scratch before using it. By the end, you will understand not just what I built, but <em>why</em> every piece exists.</p> <h2> The Problem This Solves </h2> <p>Imagine you are deploying a web app. Normally you would have to:</p> <ol> <li>Write a Docker Compose file to describe your containers</li> <li>Write an Nginx config to set up your web server</li> <li>Remember to update both files every time something changes</li> <li>Hope you did not make a typo somewhere</li> </ol> <p>That is a lot of manual work, and manual work leads to mistakes.</p> <p><strong>What if instead you just wrote one simple file describing what you want, and a smart tool generated everything else?</strong></p> <p>That is exactly what SwiftDeploy does. You write <code>manifest.yaml</code>. SwiftDeploy does the rest.</p> <h2> Quick Glossary (Read This First) </h2> <p>Before we dive in, here are the key terms used throughout this post:</p> <p><strong>Docker</strong> — A tool that packages your app into a "container" — think of it like a shipping container for software. It runs the same way everywhere.</p> <p><strong>Container</strong> — A lightweight isolated box running your app. Like a mini computer inside your computer.</p> <p><strong>Docker Compose</strong> — A tool that lets you run multiple containers together and define how they connect.</p> <p><strong>Nginx</strong> — A web server that sits in front of your app and handles incoming traffic. Think of it as a receptionist who forwards calls to the right person.</p> <p><strong>Reverse proxy</strong> — When Nginx receives a request from a user and forwards it to your app. The user never talks to your app directly.</p> <p><strong>YAML</strong> — A simple file format using indentation to represent data. Like a structured shopping list.</p> <p><strong>CLI</strong> — Command Line Interface. A tool you run by typing commands in the terminal.</p> <p><strong>Canary deployment</strong> — A technique where you run two versions of your app at the same time — a stable version for most users and a "canary" version for testing. Like sending one canary into a mine before sending all the miners.</p> <p><strong>OPA (Open Policy Agent)</strong> — A policy engine. You write rules in a language called Rego, and OPA decides whether an action is allowed based on those rules.</p> <p><strong>Prometheus metrics</strong> — A standard format for exposing app statistics like request counts and response times. Looks like plain text with specific formatting.</p> <h2> Part 1 — The Foundation: manifest.yaml as the Single Source of Truth </h2> <h3> What Is a "Single Source of Truth"? </h3> <p>In software, a "single source of truth" means one place where the authoritative information lives. If you have the same information in multiple files and they disagree, which one is right? Nobody knows. That is a bug waiting to happen.</p> <p>SwiftDeploy solves this by making <code>manifest.yaml</code> the <strong>only</strong> file you ever edit. Every other config file is generated from it automatically.</p> <p>Here is what the manifest looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">swift-deploy-1-node:latest</span> <span class="c1"># Which Docker image to run</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="c1"># What port your app uses inside the container</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">stable</span> <span class="c1"># stable or canary</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="c1"># App version</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Restart if it crashes</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="c1"># The Nginx web server image</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># The port the outside world connects to</span> <span class="na">proxy_timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="c1"># Give up after 30 seconds</span> <span class="na">network</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">swiftdeploy-net</span> <span class="c1"># Name of the internal network</span> <span class="na">driver_type</span><span class="pi">:</span> <span class="s">bridge</span> <span class="c1"># Type of network</span> <span class="na">contact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">admin@swiftdeploy.local"</span> <span class="c1"># Shown in error messages</span> </code></pre> </div> <p>Plain English: "Run my app on port 3000, put Nginx in front of it on port 8080, connect them on an internal network."</p> <h3> How Does <code>swiftdeploy init</code> Work? </h3> <p>When you run <code>./swiftdeploy init</code>, it:</p> <ol> <li>Reads <code>manifest.yaml</code> </li> <li>Opens <code>templates/nginx.conf.tmpl</code> — a template with placeholder values like <code>{{NGINX_PORT}}</code> </li> <li>Replaces every placeholder with the real value from the manifest</li> <li>Writes the result to <code>nginx.conf</code> </li> <li>Does the same thing for <code>docker-compose.yml</code> </li> </ol> <p>The key insight is <strong>string replacement</strong>. The template has <code>{{NGINX_PORT}}</code> and the script replaces it with <code>8080</code>. Simple but powerful.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># This is the core of how it works </span><span class="n">nginx_conf</span> <span class="o">=</span> <span class="n">nginx_conf</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">{{NGINX_PORT}}</span><span class="sh">'</span><span class="p">,</span> <span class="n">nginx_port</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">{{PROXY_TIMEOUT}}</span><span class="sh">'</span><span class="p">,</span> <span class="n">proxy_timeout</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">{{APP_PORT}}</span><span class="sh">'</span><span class="p">,</span> <span class="n">app_port</span><span class="p">)</span> </code></pre> </div> <p>The grader can delete the generated files and run <code>./swiftdeploy init</code> again — they will be recreated perfectly from the manifest. That is the whole point.</p> <h2> Part 2 — The Architecture: Three Containers, One Network </h2> <p>When you run <code>./swiftdeploy deploy</code>, three containers start:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Outside World | | port 8080 ↓ ┌─────────┐ │ Nginx │ ← Receives all traffic, forwards to app └────┬────┘ │ internal network (swiftdeploy-net) ↓ ┌─────────┐ │ App │ ← Python service, port 3000 (never exposed to outside) └─────────┘ ┌─────────┐ │ OPA │ ← Policy engine, port 8181 (CLI only, not through Nginx) └─────────┘ </code></pre> </div> <p><strong>Why does the app port never get exposed?</strong></p> <p>This is a security decision. If port 3000 was exposed directly, anyone could bypass Nginx and hit your app without going through timeouts, error handling, logging, or security headers. By keeping it internal, all traffic is forced through Nginx.</p> <p><strong>Why is OPA isolated from Nginx?</strong></p> <p>OPA is only for the CLI to query. It is not a user-facing service. If it were accessible through Nginx on port 8080, anyone could query your policies. So OPA lives on the same internal Docker network but is never proxied by Nginx.</p> <h2> Part 3 — The App: A Python HTTP Service </h2> <p>The app (<code>app/main.py</code>) is a pure Python web server — no external frameworks, just Python's built-in <code>http.server</code>. This keeps the Docker image tiny (74MB, well under the 300MB limit).</p> <h3> The Three Endpoints </h3> <p><strong><code>GET /</code></strong> — Welcome message with mode, version, and timestamp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Welcome to SwiftDeploy! Running in canary mode."</span><span class="p">,</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"canary"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-05T21:00:00+00:00"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong><code>GET /healthz</code></strong> — Is the app alive? How long has it been running?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ok"</span><span class="p">,</span><span class="w"> </span><span class="nl">"uptime"</span><span class="p">:</span><span class="w"> </span><span class="mf">342.15</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Docker polls this endpoint every 10 seconds. If it fails three times in a row, Docker marks the container "unhealthy" and restarts it. That is why we never apply chaos to <code>/healthz</code> — if we did, Docker would kill our container during a chaos test.</p> <p><strong><code>POST /chaos</code></strong> — Only available in canary mode. Simulates failures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Make 50% of requests fail with 500 errors</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "error", "rate": 0.5}'</span> <span class="c"># Make every request sleep 5 seconds</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "slow", "duration": 5}'</span> <span class="c"># Cancel all chaos</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "recover"}'</span> </code></pre> </div> <h3> Why Only in Canary Mode? </h3> <p>Because canary mode <strong>is</strong> the "I am testing something risky" mode. Stable mode means production traffic — you should never be able to break it intentionally. Canary mode is the sandbox where chaos makes sense.</p> <h3> Thread Safety </h3> <p>The app handles multiple requests at the same time. If two requests tried to update the chaos state simultaneously, they could corrupt each other. Python's <code>threading.Lock()</code> prevents this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Lock means: only one request can change this at a time </span><span class="k">with</span> <span class="n">chaos_lock</span><span class="p">:</span> <span class="n">chaos_state</span><span class="p">[</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span> <span class="n">chaos_state</span><span class="p">[</span><span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="mf">0.5</span> </code></pre> </div> <p>This is called "thread safety" — making sure shared data is not corrupted by concurrent access.</p> <h2> Part 4 — The Nginx Configuration </h2> <p>Nginx sits between the user and the app. Here is what our generated <code>nginx.conf</code> does:</p> <h3> Custom Log Format </h3> <p>The task required logs in a specific format. In Nginx, you define log formats with <code>log_format</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">swiftdeploy</span> <span class="s">'</span><span class="nv">$time_iso8601</span> <span class="s">|</span> <span class="nv">$status</span> <span class="s">|</span> <span class="nv">$request_times</span> <span class="s">|</span> <span class="nv">$upstream_addr</span> <span class="s">|</span> <span class="nv">$request</span><span class="s">'</span><span class="p">;</span> </code></pre> </div> <p>This produces logs like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">2026-05-05T21:00:00+00:00 | 200 | 0.001s | 172.18.0.2:3000 | GET / HTTP/1.1 </span></code></pre> </div> <p>Timestamp | Status code | How long it took | Where it went | What was requested</p> <h3> JSON Error Responses </h3> <p>When the app is down or slow, Nginx returns an error. By default, Nginx returns HTML error pages — ugly and not useful for APIs. We override this with JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">location</span> <span class="s">@err502</span> <span class="p">{</span> <span class="kn">default_type</span> <span class="nc">application/json</span><span class="p">;</span> <span class="kn">return</span> <span class="mi">502</span> <span class="s">'</span><span class="p">{</span><span class="kn">"error":</span> <span class="s">"Bad</span> <span class="s">Gateway",</span> <span class="s">"code":</span> <span class="mi">502</span><span class="s">,</span> <span class="s">"service":</span> <span class="s">"swiftdeploy-api",</span> <span class="s">"contact":</span> <span class="s">"admin@swiftdeploy.local"</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>502 means "Bad Gateway" — Nginx could not reach the app. 503 means "Service Unavailable". 504 means "Gateway Timeout" — the app took too long.</p> <h3> The DNS Resolution Trick </h3> <p>One problem we hit: when running <code>nginx -t</code> to validate the config syntax, Nginx tries to resolve the hostname <code>app</code> (the Docker container name). But <code>app</code> only exists inside the Docker network — not during standalone validation. This caused a "host not found" error even though the config was syntactically correct.</p> <p>The fix is to use a variable for the upstream address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">resolver</span> <span class="mf">127.0</span><span class="s">.0.11</span> <span class="s">valid=10s</span><span class="p">;</span> <span class="c1"># Docker's internal DNS server</span> <span class="k">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">set</span> <span class="nv">$upstream</span> <span class="s">http://app:3000</span><span class="p">;</span> <span class="c1"># Variable = skip DNS at startup</span> <span class="kn">proxy_pass</span> <span class="nv">$upstream</span><span class="p">;</span> <span class="c1"># Nginx resolves it per-request instead</span> <span class="p">}</span> </code></pre> </div> <p>When <code>proxy_pass</code> uses a variable, Nginx skips DNS resolution at startup and resolves it per-request. This lets <code>nginx -t</code> pass even when the app container does not exist yet.</p> <h2> Part 5 — Stable vs Canary Mode </h2> <p>Canary deployments come from a real practice in mining. Miners used to bring canaries into mines — if the canary died, the air was bad and the miners knew to leave. In software, a "canary" is a small deployment that gets traffic first. If it fails, only a small percentage of users are affected before you roll back.</p> <p>SwiftDeploy implements a simple version:</p> <ul> <li> <strong>Stable</strong> — normal mode, chaos disabled</li> <li> <strong>Canary</strong> — test mode, chaos enabled, every response gets <code>X-Mode: canary</code> header</li> </ul> <p>When you promote:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./swiftdeploy promote canary </code></pre> </div> <p>The script:</p> <ol> <li>Runs a 30-second OPA policy check (explained in Part 7)</li> <li>Updates <code>mode: canary</code> in <code>manifest.yaml</code> in-place (preserving all comments)</li> <li>Regenerates <code>docker-compose.yml</code> with the new <code>MODE=canary</code> environment variable</li> <li>Restarts <strong>only</strong> the app container — Nginx stays up, no downtime</li> <li>Polls <code>/healthz</code> to confirm the new mode is active</li> </ol> <p>The <code>X-Mode: canary</code> header indicates to clients that they are talking to the canary version. Nginx forwards it from the app to the user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">proxy_pass_header</span> <span class="s">X-Mode</span><span class="p">;</span> <span class="k">add_header</span> <span class="s">X-Mode</span> <span class="nv">$upstream_http_x_mode</span> <span class="s">always</span><span class="p">;</span> </code></pre> </div> <h2> Part 6 — Prometheus Metrics: The "Eyes" of the System </h2> <h3> What Are Metrics? </h3> <p>Metrics are numbers that describe how your app is behaving. Things like:</p> <ul> <li>How many requests per second?</li> <li>What percentage are failing?</li> <li>How long do requests take?</li> </ul> <p>Prometheus is a popular monitoring system. It expects metrics in a specific text format.</p> <h3> What We Track </h3> <p><strong><code>http_requests_total</code></strong> — A counter. Counts every request, labelled by method, path, and status code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="n">http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"200"</span><span class="p">}</span> <span class="mi">142</span> <span class="n">http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"500"</span><span class="p">}</span> <span class="mi">8</span> </code></pre> </div> <p><strong><code>http_request_duration_seconds</code></strong> — A histogram. Groups request durations into buckets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="n">http_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">le</span><span class="o">=</span><span class="s2">"0.1"</span><span class="p">}</span> <span class="mi">140</span> <span class="c"># 140 requests took ≤ 0.1s</span> <span class="n">http_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">le</span><span class="o">=</span><span class="s2">"0.5"</span><span class="p">}</span> <span class="mi">142</span> <span class="c"># 142 requests took ≤ 0.5s</span> <span class="n">http_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">le</span><span class="o">=</span><span class="s2">"+Inf"</span><span class="p">}</span> <span class="mi">150</span> <span class="c"># 150 total requests</span> </code></pre> </div> <p>A histogram is what allows us to calculate percentile latency. The P99 (99th percentile) means "99% of requests completed within this time." It is more meaningful than the average because averages hide slow outliers.</p> <p><strong><code>app_mode</code></strong> — 0 for stable, 1 for canary.</p> <p><strong><code>chaos_active</code></strong> — 0 for none, 1 for slow, 2 for error.</p> <h3> How <code>record_request()</code> Works </h3> <p>After every request completes, we call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nf">record_request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="n">duration</span><span class="p">)</span> </code></pre> </div> <p>This updates both the counter and the histogram in one call. We do NOT record <code>/healthz</code> or <code>/metrics</code> — those are infrastructure endpoints, not user traffic.</p> <h2> Part 7 — OPA: The "Brain" That Makes Decisions </h2> <h3> What Is OPA? </h3> <p>Open Policy Agent is a general-purpose policy engine. You write rules in a language called Rego (pronounced "ray-go"), and OPA evaluates them against data you send it.</p> <p><strong>The core principle:</strong> The CLI never decides whether to allow or deny. It only collects data, sends it to OPA, and surfaces the result. All decision logic lives in Rego.</p> <p>Why does this matter? Because it means you can change your policies without touching your deployment code. Policy and mechanics are separated.</p> <h3> The Infrastructure Policy </h3> <p>Before every deployment, we check if the host has enough resources. Here is <code>policies/infrastructure.rego</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">infrastructure</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">count</span><span class="p">(</span><span class="n">deny</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="c1"># Allow if there are zero deny reasons</span> <span class="p">}</span> <span class="n">deny</span> <span class="n">contains</span> <span class="n">reason</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span> <span class="o">&lt;</span> <span class="n">data</span><span class="p">.</span><span class="n">infrastructure</span><span class="p">.</span><span class="n">min_disk_free_gb</span> <span class="n">reason</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"Disk free %.1fGB is below minimum %dGB"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">infrastructure</span><span class="p">.</span><span class="n">min_disk_free_gb</span><span class="p">])</span> <span class="p">}</span> <span class="n">deny</span> <span class="n">contains</span> <span class="n">reason</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">cpu_load</span> <span class="o">&gt;</span> <span class="n">data</span><span class="p">.</span><span class="n">infrastructure</span><span class="p">.</span><span class="n">max_cpu_load</span> <span class="n">reason</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"CPU load %.2f exceeds maximum %.2f"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">cpu_load</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">infrastructure</span><span class="p">.</span><span class="n">max_cpu_load</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <p>Notice: the thresholds (<code>min_disk_free_gb</code>, <code>max_cpu_load</code>) are not written in the Rego file. They come from <code>data.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"infrastructure"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_disk_free_gb"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_cpu_load"</span><span class="p">:</span><span class="w"> </span><span class="mf">2.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_mem_percent"</span><span class="p">:</span><span class="w"> </span><span class="mi">90</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This separation means: change the threshold by editing <code>data.json</code>, not the policy logic. Environments have different needs — a production server and a test server should not have the same disk requirements.</p> <h3> The Canary Safety Policy </h3> <p>Before every promotion, we check if the running service is healthy enough to switch modes. This is <code>policies/canary.rego</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">canary</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">count</span><span class="p">(</span><span class="n">deny</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">}</span> <span class="n">deny</span> <span class="n">contains</span> <span class="n">reason</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">error_rate_percent</span> <span class="o">&gt;</span> <span class="n">data</span><span class="p">.</span><span class="n">canary</span><span class="p">.</span><span class="n">max_error_rate_percent</span> <span class="n">reason</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"Error rate %.2f%% exceeds maximum %.2f%% over last 30s"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">error_rate_percent</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">canary</span><span class="p">.</span><span class="n">max_error_rate_percent</span><span class="p">])</span> <span class="p">}</span> <span class="n">deny</span> <span class="n">contains</span> <span class="n">reason</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">p99_latency_ms</span> <span class="o">&gt;</span> <span class="n">data</span><span class="p">.</span><span class="n">canary</span><span class="p">.</span><span class="n">max_p99_latency_ms</span> <span class="n">reason</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"P99 latency %.0fms exceeds maximum %dms over last 30s"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">p99_latency_ms</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">canary</span><span class="p">.</span><span class="n">max_p99_latency_ms</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <h3> How the 30-Second Window Works </h3> <p>The requirement says "over the last 30 seconds." But Prometheus metrics are <strong>cumulative</strong> — they count from when the app started, not just the last 30 seconds.</p> <p>The trick: take two snapshots 30 seconds apart and subtract them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Snapshot 1 (time T) → wait 30s → Snapshot 2 (time T+30) delta = Snapshot2 - Snapshot1 ← this is what happened in the last 30 seconds </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">delta_total</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">totals2</span><span class="p">.</span><span class="nf">values</span><span class="p">())</span> <span class="o">-</span> <span class="nf">sum</span><span class="p">(</span><span class="n">totals1</span><span class="p">.</span><span class="nf">values</span><span class="p">())</span> <span class="n">delta_errors</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">errors</span> <span class="ow">in</span> <span class="n">snapshot2</span><span class="p">)</span> <span class="o">-</span> <span class="nf">sum</span><span class="p">(</span><span class="n">errors</span> <span class="ow">in</span> <span class="n">snapshot1</span><span class="p">)</span> <span class="n">error_rate_percent</span> <span class="o">=</span> <span class="p">(</span><span class="n">delta_errors</span> <span class="o">/</span> <span class="n">delta_total</span> <span class="o">*</span> <span class="mi">100</span><span class="p">)</span> </code></pre> </div> <p>This gives us a true "what happened in the last 30 seconds" measurement, regardless of historical traffic.</p> <h3> How the CLI Talks to OPA </h3> <p>OPA exposes a REST API. The CLI sends a POST request with the data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://127.0.0.1:8181/v1/data/infrastructure <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "input": { "disk_free_gb": 11.0, "cpu_load": 0.18, "mem_percent": 53.5 } }'</span> </code></pre> </div> <p>OPA responds with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"result"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allow"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"deny"</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Or if blocked:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"result"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allow"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"deny"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Disk free 4.0GB is below minimum 10GB"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The CLI reads <code>allow</code> to know what to do, and prints the <code>deny</code> reasons so the operator knows exactly why something was blocked.</p> <h2> Part 8 — What Happened When I Injected Chaos </h2> <p>This is where it gets interesting. After deploying in canary mode and activating error chaos:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./swiftdeploy promote canary curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "error", "rate": 0.5}'</span> </code></pre> </div> <p>The status dashboard started showing failures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>══════════════════════════════════════════════════════ SwiftDeploy Status Dashboard 2026-05-05T21:55:12Z ══════════════════════════════════════════════════════ Mode: canary Chaos: error Total reqs: 89 Error rate: 48.31% P99 latency: 10000ms Policy Compliance: ✅ infrastructure: PASS (disk=11GB, cpu=0.22, mem=54.1%) ❌ canary: FAIL (error=48.31%, p99=10000ms) </code></pre> </div> <p>Then when I tried to promote to stable while the chaos was running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>── OPA Pre-Promote Policy Check ────────────────────── Sampling metrics over a 30-second window... Last 30s: 80 requests, 36 errors Error rate: 45.0000%, P99 latency: 10000.00ms ❌ BLOCK: Canary policy denied promotion ↳ Error rate 45.00% exceeds maximum 1.00% over last 30s ↳ P99 latency 10000ms exceeds maximum 500ms over last 30s ❌ Promotion blocked by policy. </code></pre> </div> <p><strong>The policy worked.</strong> The system refused to let me promote while the service was actively failing. This is the whole point — you cannot accidentally promote a broken service.</p> <p>After recovering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="nt">-d</span> <span class="s1">'{"mode": "recover"}'</span> ./swiftdeploy promote stable <span class="c"># Now succeeds</span> </code></pre> </div> <h2> Part 9 — The Audit Trail </h2> <p>Every significant event is written to <code>history.jsonl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="s2">"2026-05-05T21:00:00Z"</span><span class="p">,</span><span class="nl">"event"</span><span class="p">:</span><span class="s2">"deploy"</span><span class="p">,</span><span class="nl">"details"</span><span class="p">:{</span><span class="nl">"mode"</span><span class="p">:</span><span class="s2">"stable"</span><span class="p">}}</span><span class="w"> </span><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="s2">"2026-05-05T21:10:00Z"</span><span class="p">,</span><span class="nl">"event"</span><span class="p">:</span><span class="s2">"promote"</span><span class="p">,</span><span class="nl">"details"</span><span class="p">:{</span><span class="nl">"mode"</span><span class="p">:</span><span class="s2">"canary"</span><span class="p">}}</span><span class="w"> </span><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="s2">"2026-05-05T21:15:00Z"</span><span class="p">,</span><span class="nl">"event"</span><span class="p">:</span><span class="s2">"policy_check"</span><span class="p">,</span><span class="nl">"details"</span><span class="p">:{</span><span class="nl">"policy"</span><span class="p">:</span><span class="s2">"canary"</span><span class="p">,</span><span class="nl">"result"</span><span class="p">:</span><span class="s2">"fail"</span><span class="p">,</span><span class="nl">"error_rate_percent"</span><span class="p">:</span><span class="mf">45.0</span><span class="p">}}</span><span class="w"> </span><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="s2">"2026-05-05T21:20:00Z"</span><span class="p">,</span><span class="nl">"event"</span><span class="p">:</span><span class="s2">"promote"</span><span class="p">,</span><span class="nl">"details"</span><span class="p">:{</span><span class="nl">"mode"</span><span class="p">:</span><span class="s2">"stable"</span><span class="p">}}</span><span class="w"> </span></code></pre> </div> <p>Running <code>./swiftdeploy audit</code> transforms this into a readable Markdown report:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># SwiftDeploy Audit Report</span> Generated: 2026-05-05T21:30:00Z Total events: 24 <span class="gu">## Timeline</span> | Timestamp | Event | Details | |-----------|-------|---------| | 2026-05-05T21:00:00Z | deploy | mode=stable | | 2026-05-05T21:10:00Z | promote | → canary | | 2026-05-05T21:15:00Z | policy_check | canary: fail | <span class="gu">## Policy Violations</span> | Timestamp | Policy | Reasons | |-----------|--------|---------| | 2026-05-05T21:15:00Z | canary | Error rate 45.00% exceeds maximum 1.00% over last 30s | </code></pre> </div> <h2> Part 10 — Lessons Learned </h2> <h3> 1. The DNS Resolution Problem Was the Biggest Surprise </h3> <p>I spent a long time debugging why <code>nginx -t</code> kept failing with "host not found" even though my config was correct. The issue was that Nginx tries to resolve hostnames at startup — but <code>app</code> is a Docker hostname that only exists inside a running Docker network.</p> <p>The fix (using <code>set $upstream</code> as a variable) was not obvious. It is an Nginx-specific trick that delays DNS resolution from startup to per-request. Learning this saved me from a broken validation check.</p> <h3> 2. Capabilities Matter More Than You Think </h3> <p>Running containers as non-root is well-known advice. But dropping capabilities (like <code>cap_drop: ALL</code>) is less discussed. When I dropped all capabilities from Nginx, it crashed on startup with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted) </code></pre> </div> <p>Nginx needs <code>CHOWN</code> to set up its temp directories. Dropping ALL capabilities silently breaks things. The lesson: drop specific capabilities you know the container does not need, not everything at once.</p> <h3> 3. OPA's <code>sprintf</code> Handles Integers and Floats Differently </h3> <p>When my Rego policy tried to format an integer from <code>data.json</code> using <code>%.0f</code>, OPA produced <code>%!f(int=500)</code> — a formatting error. The fix was to use <code>%d</code> for integers from data.json and <code>%.0f</code> only for float inputs. OPA does not silently convert types the way Python does.</p> <h3> 4. Cumulative Metrics Need Careful Handling </h3> <p>Prometheus metrics are cumulative counters — they only go up. To calculate "what happened in the last 30 seconds," you cannot just look at the current value. You need two snapshots and a delta. This is obvious in retrospect, but took a few failed attempts to get right.</p> <h3> 5. The Manifest as the Single Source of Truth Actually Works </h3> <p>The grader requirement was: delete generated files, run <code>./swiftdeploy init</code>, and verify they regenerate correctly. This forced a discipline that turned out to be genuinely useful. When you know everything comes from one file, debugging is much easier. There is only one place to look.</p> <h2> Complete Setup Instructions </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone the repo</span> git clone https://github.com/YOUR_USERNAME/swiftdeploy-automation.git <span class="nb">cd </span>swiftdeploy-automation <span class="c"># Install Python dependency</span> pip <span class="nb">install </span>pyyaml <span class="c"># Build the Docker image</span> docker build <span class="nt">-t</span> swift-deploy-1-node:latest <span class="nb">.</span> <span class="c"># Make CLI executable</span> <span class="nb">chmod</span> +x swiftdeploy <span class="c"># Deploy</span> ./swiftdeploy deploy <span class="c"># Try everything</span> curl http://localhost:8080/ curl http://localhost:8080/healthz curl http://localhost:8080/metrics ./swiftdeploy status ./swiftdeploy promote canary ./swiftdeploy promote stable ./swiftdeploy audit ./swiftdeploy teardown <span class="nt">--clean</span> </code></pre> </div> <h2> Conclusion </h2> <p>SwiftDeploy taught me that the most valuable thing in infrastructure is not the tools themselves — it is the <strong>discipline</strong> they enforce.</p> <p>Making the manifest the single source of truth means you cannot have config drift. Putting all policy logic in OPA means your deployment tool cannot make silent decisions. Requiring metrics before promotion means you cannot promote a broken service by accident.</p> <p>Each of these constraints feels like a restriction at first. But each one also prevents a whole category of mistakes.</p> <p>If you want to replicate this project, the full source code is at the GitHub link below. Every file is commented and explained. Start with <code>manifest.yaml</code>, read <code>swiftdeploy</code> from top to bottom, then look at the Rego policies.</p> <p>The best way to learn is to break it intentionally — fill up the disk, inject chaos, watch the policies fire. That is what the chaos endpoint is for.</p> <p><em>Source code: <a href="https://github.com/devops-timi/swiftdeploy-automation" rel="noopener noreferrer">github.com/devops-timi/swiftdeploy-automation</a></em></p> beginners devops docker showdev Real-Time Anomaly Detection Engine for a Cloud Storage Platform Timilehin Obalereko Tue, 28 Apr 2026 20:50:23 +0000 https://dev.to/devopstimi/how-i-built-a-real-time-anomaly-detection-engine-for-a-cloud-storage-platform-30o3 https://dev.to/devopstimi/how-i-built-a-real-time-anomaly-detection-engine-for-a-cloud-storage-platform-30o3 <p>I built a Python daemon that watches incoming HTTP traffic in real time, learns what "normal" looks like, and automatically blocks attackers using Linux's built-in firewall — all without any third-party security tools.</p> <h2> The Problem </h2> <p>Imagine you run a cloud storage company. Your platform is public — anyone on the internet can send requests to it. Most of those people are legitimate users uploading files. But some of them are attackers — bots hammering your server with thousands of requests per second, trying to crash it, brute-force passwords, or scrape data.</p> <p>You need something that:</p> <ul> <li>Watches all incoming traffic <strong>in real time</strong> </li> <li> <strong>Learns</strong> what normal traffic looks like</li> <li> <strong>Detects</strong> when something looks abnormal</li> <li> <strong>Automatically blocks</strong> the attacker</li> <li> <strong>Alerts</strong> your team on Slack</li> <li>Shows you a <strong>live dashboard</strong> of what is happening</li> </ul> <p>That is exactly what I built for my HNG DevSecOps internship. Let me walk you through every part of it in plain English.</p> <h2> The Big Picture </h2> <p>Before we dive into code, here is how all the pieces fit together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[User's Browser / Attacker Bot] │ │ HTTP Request ▼ ┌─────────┐ │ Nginx │ ← logs every request as JSON └────┬────┘ │ ▼ ┌───────────┐ │ Nextcloud │ ← the actual cloud storage app └───────────┘ ┌──────────────────────────┐ │ Shared Docker Volume │ ← log file lives here └──────────────────────────┘ │ reads logs ▼ ┌─────────────────────────────────────┐ │ Detector Daemon │ │ │ │ monitor.py → reads log lines │ │ baseline.py → learns normal │ │ detector.py → spots anomalies │ │ blocker.py → runs iptables │ │ unbanner.py → lifts bans later │ │ notifier.py → sends Slack alerts │ │ dashboard.py → web UI │ └─────────────────────────────────────┘ │ ▼ iptables blocks attacker IPs Slack receives alerts Dashboard shows live stats </code></pre> </div> <p>The key insight is that the detector runs <strong>alongside</strong> Nextcloud — not inside it. It reads Nginx's logs from a shared Docker volume and acts as an automated security guard.</p> <h2> Part 1: Reading Logs in Real Time </h2> <p>The first challenge is reading the Nginx log file as new lines appear — like watching a live news feed.</p> <p>In bash, you do this with <code>tail -f</code>. In Python, I built the same thing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">tail_log</span><span class="p">(</span><span class="n">log_path</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Generator that continuously reads new lines from a log file. Yields one parsed log entry at a time. </span><span class="sh">"""</span> <span class="c1"># Wait until the log file exists </span> <span class="k">while</span> <span class="ow">not</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">log_path</span><span class="p">):</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">log_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="c1"># Jump to the END of the file </span> <span class="c1"># We only want NEW requests, not old history </span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">readline</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span><span class="p">:</span> <span class="n">parsed</span> <span class="o">=</span> <span class="nf">parse_line</span><span class="p">(</span><span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">())</span> <span class="k">if</span> <span class="n">parsed</span><span class="p">:</span> <span class="k">yield</span> <span class="n">parsed</span> <span class="c1"># send one entry to the caller </span> <span class="k">else</span><span class="p">:</span> <span class="c1"># No new line yet — wait 50ms and try again </span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.05</span><span class="p">)</span> </code></pre> </div> <p>A few things worth explaining here:</p> <p><strong><code>f.seek(0, 2)</code></strong> — This jumps to the end of the file. Without this, we would process every old log line from before the daemon started, which would give us garbage baseline data.</p> <p><strong><code>yield parsed</code></strong> — This makes the function a <em>generator</em>. Instead of returning a whole list of log entries (which would use lots of memory), it sends entries one at a time to the caller. The caller gets each entry the instant it arrives.</p> <p><strong><code>time.sleep(0.05)</code></strong> — When there are no new lines, we wait 50 milliseconds before checking again. This is the "tail" behaviour — fast enough to catch requests in real time, not so fast that we burn CPU.</p> <p>Nginx writes logs in JSON format, so parsing is simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">parse_line</span><span class="p">(</span><span class="n">line</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="c1"># Make sure all required fields are present </span> <span class="n">required</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">source_ip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">response_size</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">field</span> <span class="ow">in</span> <span class="n">required</span><span class="p">:</span> <span class="k">if</span> <span class="n">field</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">return</span> <span class="n">data</span> <span class="k">except</span> <span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># skip malformed lines </span></code></pre> </div> <h2> Part 2: The Sliding Window </h2> <p>Now that we can read log lines, we need to calculate <strong>how many requests per second</strong> a given IP is making.</p> <p>The naive approach would be: count all requests in the last minute, divide by 60. But this is called a "per-minute counter" and it has a problem — it only updates once per minute, so it misses short bursts.</p> <p>The right approach is a <strong>sliding window</strong>.</p> <p>Think of it like this: you are standing on a moving train, looking out a window that shows exactly 60 seconds of track behind you. As the train moves forward, the window always shows the LAST 60 seconds — older track disappears from view automatically.</p> <p>In code, this uses Python's <code>collections.deque</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span><span class="p">,</span> <span class="n">defaultdict</span> <span class="kn">import</span> <span class="n">time</span> <span class="k">class</span> <span class="nc">SlidingWindowDetector</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">config</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> <span class="o">=</span> <span class="mi">60</span> <span class="c1"># look at last 60 seconds </span> <span class="c1"># One deque per IP — each entry is a timestamp </span> <span class="n">self</span><span class="p">.</span><span class="n">ip_windows</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="n">deque</span><span class="p">)</span> <span class="c1"># One global deque for all traffic combined </span> <span class="n">self</span><span class="p">.</span><span class="n">global_window</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="k">def</span> <span class="nf">record</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="n">status</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Called for every incoming request.</span><span class="sh">"""</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c1"># add timestamp </span> <span class="n">self</span><span class="p">.</span><span class="n">global_window</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c1"># add to global too </span> <span class="k">def</span> <span class="nf">_evict_old</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">dq</span><span class="p">,</span> <span class="n">now</span><span class="p">,</span> <span class="n">window</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Remove timestamps older than `window` seconds. Deques are ordered — oldest on the LEFT, newest on the RIGHT. We pop from the left until the oldest entry is within our window. This is the eviction logic — what makes it a SLIDING window. </span><span class="sh">"""</span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">window</span> <span class="c1"># anything before this is too old </span> <span class="k">while</span> <span class="n">dq</span> <span class="ow">and</span> <span class="n">dq</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">dq</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># remove oldest entry </span> <span class="k">def</span> <span class="nf">get_ip_rate</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Returns requests per second for this IP.</span><span class="sh">"""</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">dq</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="n">self</span><span class="p">.</span><span class="nf">_evict_old</span><span class="p">(</span><span class="n">dq</span><span class="p">,</span> <span class="n">now</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span><span class="p">)</span> <span class="c1"># Whatever is left = requests in the last 60 seconds </span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">dq</span><span class="p">)</span> <span class="o">/</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> </code></pre> </div> <p>Here is why this is elegant:</p> <ul> <li>Every request adds one timestamp to the deque</li> <li>When you want the rate, you throw away everything older than 60 seconds</li> <li>Count what remains, divide by 60 — that is your rate</li> <li>The window "slides" because old timestamps fall off automatically</li> </ul> <p>We have <strong>two</strong> windows:</p> <ol> <li> <strong>Per-IP window</strong> — detects a single attacker hammering the server</li> <li> <strong>Global window</strong> — detects a distributed attack (botnet) where thousands of IPs each send moderate requests, overwhelming the server even though no single IP looks bad</li> </ol> <h2> Part 3: The Baseline — Learning What Normal Looks Like </h2> <p>This is the most important part. To detect anomalies, we first need to know what "normal" looks like.</p> <p>At 2am, maybe your server averages 1 request per second. At 2pm, maybe it averages 50. The baseline <strong>must adapt</strong> to these patterns — it cannot be a hardcoded number.</p> <p>My approach: every second, I count how many requests arrived. I store these per-second counts in a rolling window of 30 minutes (1800 seconds). Every 60 seconds, I compute the <strong>mean</strong> and <strong>standard deviation</strong> of these counts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">BaselineEngine</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">config</span><span class="p">):</span> <span class="c1"># Store up to 1800 per-second counts (30 min) </span> <span class="n">self</span><span class="p">.</span><span class="n">global_samples</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">(</span><span class="n">maxlen</span><span class="o">=</span><span class="mi">1800</span><span class="p">)</span> <span class="c1"># Floor values prevent division by zero at idle </span> <span class="n">self</span><span class="p">.</span><span class="n">floor_mean</span> <span class="o">=</span> <span class="mf">1.0</span> <span class="n">self</span><span class="p">.</span><span class="n">floor_stddev</span> <span class="o">=</span> <span class="mf">0.5</span> <span class="c1"># Start at floor values </span> <span class="n">self</span><span class="p">.</span><span class="n">effective_mean</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">floor_mean</span> <span class="n">self</span><span class="p">.</span><span class="n">effective_stddev</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">floor_stddev</span> <span class="k">def</span> <span class="nf">_recalculate</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Compute mean and stddev from rolling samples.</span><span class="sh">"""</span> <span class="n">samples</span> <span class="o">=</span> <span class="p">[</span><span class="n">count</span> <span class="nf">for </span><span class="p">(</span><span class="n">_</span><span class="p">,</span> <span class="n">count</span><span class="p">)</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">global_samples</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">10</span><span class="p">:</span> <span class="k">return</span> <span class="c1"># not enough data yet </span> <span class="c1"># Mean = average requests per second </span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="c1"># Standard deviation = how much traffic varies </span> <span class="c1"># sqrt( average of squared differences from the mean ) </span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span><span class="o">**</span><span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> <span class="c1"># Apply floor values — never go below minimum </span> <span class="n">self</span><span class="p">.</span><span class="n">effective_mean</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">mean</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">floor_mean</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">effective_stddev</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">stddev</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">floor_stddev</span><span class="p">)</span> </code></pre> </div> <p><strong>Mean</strong> tells us: "on average, how many requests per second do we get?"</p> <p><strong>Standard deviation</strong> tells us: "how much does that vary?" A small stddev means traffic is very consistent. A large stddev means traffic is spiky.</p> <h3> The Spike Guard — Keeping the Baseline Clean </h3> <p>Here is a subtle but critical problem: what happens when an attack occurs?</p> <p>Without protection, the attacker's 500 req/s gets fed into the baseline. After a minute, the baseline thinks 500 req/s is "normal." The next attack looks completely fine and goes undetected.</p> <p>The solution is a <strong>spike guard</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_flush_second</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">count</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">current_second_count</span> <span class="c1"># If this second's count is more than 10x the current mean, </span> <span class="c1"># it is almost certainly attack traffic — discard it </span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">global_samples</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">10</span><span class="p">:</span> <span class="k">if</span> <span class="n">count</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="o">*</span> <span class="n">self</span><span class="p">.</span><span class="n">effective_mean</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[Baseline] Spike guard: </span><span class="si">{</span><span class="n">count</span><span class="si">}</span><span class="s"> req/s discarded</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">current_second_count</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">return</span> <span class="c1"># do NOT save this to baseline </span> <span class="c1"># Normal traffic — save it </span> <span class="n">self</span><span class="p">.</span><span class="n">global_samples</span><span class="p">.</span><span class="nf">append</span><span class="p">((</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">(),</span> <span class="n">count</span><span class="p">))</span> <span class="n">self</span><span class="p">.</span><span class="n">current_second_count</span> <span class="o">=</span> <span class="mi">0</span> </code></pre> </div> <p>With this in place:</p> <ul> <li>Attack happens → spike is discarded → baseline stays clean ✅</li> <li>Attack stops → baseline is still accurate ✅</li> <li>Second attack → detected immediately because baseline is still clean ✅</li> </ul> <h2> Part 4: Detecting Anomalies </h2> <p>Now we have:</p> <ul> <li>The current request rate (from the sliding window)</li> <li>The baseline mean and stddev (from the baseline engine)</li> </ul> <p>How do we decide if the rate is "too high"?</p> <h3> Method 1: Z-Score </h3> <p>The z-score measures how many standard deviations above the mean a value is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>z-score = (current_rate - mean) / stddev </code></pre> </div> <p>If the mean is 5 req/s and stddev is 1, and we see 8.5 req/s:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>z-score = (8.5 - 5) / 1 = 3.5 </code></pre> </div> <p>In statistics, a z-score above 3.0 means the value is so extreme it only occurs 0.13% of the time in normal data. In other words: <strong>99.87% chance something is wrong.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">check_ip_anomaly</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="n">baseline</span><span class="p">):</span> <span class="n">rate</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">get_ip_rate</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="n">mean</span> <span class="o">=</span> <span class="n">baseline</span><span class="p">[</span><span class="sh">"</span><span class="s">mean</span><span class="sh">"</span><span class="p">]</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">baseline</span><span class="p">[</span><span class="sh">"</span><span class="s">stddev</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Z-score check </span> <span class="k">if</span> <span class="n">stddev</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="n">zscore</span> <span class="o">=</span> <span class="p">(</span><span class="n">rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> <span class="k">else</span><span class="p">:</span> <span class="n">zscore</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">if</span> <span class="n">zscore</span> <span class="o">&gt;</span> <span class="mf">3.0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">z-score </span><span class="si">{</span><span class="n">zscore</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> &gt; 3.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">rate</span> <span class="c1"># Rate multiplier check (backup) </span> <span class="k">if</span> <span class="n">rate</span> <span class="o">&gt;</span> <span class="mf">5.0</span> <span class="o">*</span> <span class="n">mean</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">rate </span><span class="si">{</span><span class="n">rate</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> &gt; 5x mean </span><span class="si">{</span><span class="n">mean</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">rate</span> <span class="k">return</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">""</span><span class="p">,</span> <span class="n">rate</span> </code></pre> </div> <h3> Method 2: Rate Multiplier </h3> <p>Even if z-score math produces unexpected results, if someone is sending 5x the normal amount of traffic, that is unambiguously suspicious. This is the backup check that catches edge cases.</p> <h3> Error Surge Detection </h3> <p>If an IP is causing lots of 404s (page not found) and 401s (unauthorized), it is likely probing for vulnerabilities. We automatically tighten the thresholds for these IPs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">error_rate</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">get_ip_error_rate</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="k">if</span> <span class="n">error_rate</span> <span class="o">&gt;=</span> <span class="mf">3.0</span> <span class="o">*</span> <span class="n">baseline</span><span class="p">[</span><span class="sh">"</span><span class="s">error_mean</span><span class="sh">"</span><span class="p">]:</span> <span class="c1"># Suspicious error pattern — use tighter thresholds </span> <span class="n">zscore_threshold</span> <span class="o">=</span> <span class="mf">2.0</span> <span class="c1"># was 3.0 </span> <span class="n">rate_threshold</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="c1"># was 5.0 </span></code></pre> </div> <h2> Part 5: Blocking with iptables </h2> <p>When we detect an anomaly, we block the IP using <strong>iptables</strong> — Linux's built-in packet filter.</p> <p>iptables sits at the <strong>network level</strong>, before any application (Nginx, Nextcloud, Python) ever sees a packet. When you add a DROP rule, the Linux kernel silently discards all packets from that IP. The attacker's requests just time out — they get no response at all.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">ban_ip</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Add an iptables DROP rule for this IP.</span><span class="sh">"""</span> <span class="c1"># -I INPUT 1 = insert at position 1 (top priority) </span> <span class="c1"># -s {ip} = match packets FROM this IP </span> <span class="c1"># -j DROP = silently discard the packet </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span> <span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-I</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span> <span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[Blocker] BANNED </span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">unban_ip</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Remove the iptables DROP rule.</span><span class="sh">"""</span> <span class="c1"># -D = delete the matching rule </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span> <span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-D</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span> <span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[Blocker] UNBANNED </span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>We use <code>-I INPUT 1</code> (insert at position 1) rather than <code>-A</code> (append) so the DROP rule has the highest priority — it is checked before any ACCEPT rules.</p> <h3> The Auto-Unban Backoff Schedule </h3> <p>We do not ban forever immediately. The ban schedule escalates with repeated offenses:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Offense</th> <th>Ban Duration</th> </tr> </thead> <tbody> <tr> <td>1st</td> <td>10 minutes</td> </tr> <tr> <td>2nd</td> <td>30 minutes</td> </tr> <tr> <td>3rd</td> <td>2 hours</td> </tr> <tr> <td>4th+</td> <td>Permanent</td> </tr> </tbody> </table></div> <p>A background thread checks every 30 seconds and lifts expired bans:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_check_bans</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">for</span> <span class="n">ip</span><span class="p">,</span> <span class="n">ban_info</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">blocker</span><span class="p">.</span><span class="nf">get_active_bans</span><span class="p">().</span><span class="nf">items</span><span class="p">():</span> <span class="n">duration</span> <span class="o">=</span> <span class="n">ban_info</span><span class="p">[</span><span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">]</span> <span class="n">banned_at</span> <span class="o">=</span> <span class="n">ban_info</span><span class="p">[</span><span class="sh">"</span><span class="s">banned_at</span><span class="sh">"</span><span class="p">]</span> <span class="k">if</span> <span class="n">duration</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span> <span class="k">continue</span> <span class="c1"># permanent ban, never auto-unban </span> <span class="k">if</span> <span class="n">now</span> <span class="o">&gt;=</span> <span class="n">banned_at</span> <span class="o">+</span> <span class="n">duration</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">blocker</span><span class="p">.</span><span class="nf">unban_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">detector</span><span class="p">.</span><span class="n">banned_ips</span><span class="p">.</span><span class="nf">discard</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">notifier</span><span class="p">.</span><span class="nf">send_unban</span><span class="p">(</span><span class="n">ip</span><span class="o">=</span><span class="n">ip</span><span class="p">,</span> <span class="p">...)</span> </code></pre> </div> <h2> Part 6: Slack Alerts </h2> <p>Every ban, unban, and global anomaly sends a message to Slack via an Incoming Webhook — a special URL that posts messages to a channel when you send an HTTP POST request to it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">send_ban</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">rate</span><span class="p">,</span> <span class="n">baseline</span><span class="p">,</span> <span class="n">duration</span><span class="p">):</span> <span class="n">message</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">🚨 *IP BANNED* — `</span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Condition:* </span><span class="si">{</span><span class="n">reason</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Current Rate:* </span><span class="si">{</span><span class="n">rate</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Baseline Mean:* </span><span class="si">{</span><span class="n">baseline</span><span class="p">[</span><span class="sh">'</span><span class="s">mean</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Ban Duration:* </span><span class="si">{</span><span class="n">duration_str</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Time:* </span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">webhook_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">message</span><span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span> <span class="p">)</span> </code></pre> </div> <p>The 10-second timeout is important — if Slack's servers are slow, we do not want the Slack call to block our detection loop.</p> <h2> Part 7: The Live Dashboard </h2> <p>The dashboard is a Flask web app that serves a single HTML page. The page polls a <code>/api/metrics</code> endpoint every 3 seconds and updates the display without reloading:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/metrics</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">metrics</span><span class="p">():</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span> <span class="sh">"</span><span class="s">global_rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">detector</span><span class="p">.</span><span class="nf">get_global_rate</span><span class="p">(),</span> <span class="sh">"</span><span class="s">top_ips</span><span class="sh">"</span><span class="p">:</span> <span class="n">detector</span><span class="p">.</span><span class="nf">get_top_ips</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="sh">"</span><span class="s">banned_ips</span><span class="sh">"</span><span class="p">:</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">get_active_bans</span><span class="p">(),</span> <span class="sh">"</span><span class="s">cpu_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">psutil</span><span class="p">.</span><span class="nf">cpu_percent</span><span class="p">(),</span> <span class="sh">"</span><span class="s">mem_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">psutil</span><span class="p">.</span><span class="nf">virtual_memory</span><span class="p">().</span><span class="n">percent</span><span class="p">,</span> <span class="sh">"</span><span class="s">baseline_mean</span><span class="sh">"</span><span class="p">:</span> <span class="n">baseline</span><span class="p">.</span><span class="n">effective_mean</span><span class="p">,</span> <span class="sh">"</span><span class="s">baseline_stddev</span><span class="sh">"</span><span class="p">:</span> <span class="n">baseline</span><span class="p">.</span><span class="n">effective_stddev</span><span class="p">,</span> <span class="sh">"</span><span class="s">uptime</span><span class="sh">"</span><span class="p">:</span> <span class="nf">calculate_uptime</span><span class="p">(),</span> <span class="p">})</span> </code></pre> </div> <p>The JavaScript side polls this every 3 seconds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">refresh</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/metrics</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">d</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">global-rate</span><span class="dl">'</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">global_rate</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">baseline-mean</span><span class="dl">'</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">baseline_mean</span><span class="p">;</span> <span class="c1">// ... update all other fields</span> <span class="p">}</span> <span class="nf">setInterval</span><span class="p">(</span><span class="nx">refresh</span><span class="p">,</span> <span class="mi">3000</span><span class="p">);</span> <span class="c1">// run every 3 seconds</span> </code></pre> </div> <h2> Part 8: Putting It All Together </h2> <p>The <code>main.py</code> orchestrator wires everything together in one loop:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">log_entry</span> <span class="ow">in</span> <span class="nf">tail_log</span><span class="p">(</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">log_path</span><span class="sh">"</span><span class="p">]):</span> <span class="n">ip</span> <span class="o">=</span> <span class="n">log_entry</span><span class="p">[</span><span class="sh">"</span><span class="s">source_ip</span><span class="sh">"</span><span class="p">]</span> <span class="n">status</span> <span class="o">=</span> <span class="n">log_entry</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># 1. Record in sliding window for rate detection </span> <span class="n">detector</span><span class="p">.</span><span class="nf">record</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">status</span><span class="p">)</span> <span class="c1"># 2. Feed into baseline ONLY if IP is not banned </span> <span class="c1"># (prevents attack traffic from corrupting baseline) </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">is_banned</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">baseline</span><span class="p">.</span><span class="nf">record_request</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">status</span><span class="p">)</span> <span class="c1"># 3. Maybe recalculate baseline every 60 seconds </span> <span class="k">if</span> <span class="n">baseline</span><span class="p">.</span><span class="nf">maybe_recalculate</span><span class="p">():</span> <span class="n">audit_logger</span><span class="p">.</span><span class="nf">log_baseline_recalc</span><span class="p">(...)</span> <span class="c1"># 4. Get current baseline </span> <span class="n">b</span> <span class="o">=</span> <span class="n">baseline</span><span class="p">.</span><span class="nf">get_baseline</span><span class="p">()</span> <span class="c1"># 5. Check if this IP is anomalous </span> <span class="n">is_anomaly</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">rate</span> <span class="o">=</span> <span class="n">detector</span><span class="p">.</span><span class="nf">check_ip_anomaly</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> <span class="k">if</span> <span class="n">is_anomaly</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">is_banned</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">duration</span> <span class="o">=</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">ban_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="n">notifier</span><span class="p">.</span><span class="nf">send_ban</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">rate</span><span class="p">,</span> <span class="n">b</span><span class="p">,</span> <span class="n">duration</span><span class="p">)</span> <span class="n">audit_logger</span><span class="p">.</span><span class="nf">log_ban</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">rate</span><span class="p">,</span> <span class="n">b</span><span class="p">,</span> <span class="n">duration</span><span class="p">)</span> <span class="c1"># 6. Check if global traffic is anomalous </span> <span class="n">global_anomaly</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">rate</span> <span class="o">=</span> <span class="n">detector</span><span class="p">.</span><span class="nf">check_global_anomaly</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="k">if</span> <span class="n">global_anomaly</span><span class="p">:</span> <span class="n">notifier</span><span class="p">.</span><span class="nf">send_global_alert</span><span class="p">(</span><span class="n">reason</span><span class="p">,</span> <span class="n">rate</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> </code></pre> </div> <p>Every single log line goes through this sequence within milliseconds of Nginx writing it.</p> <h2> The Results </h2> <p>When an attack hits the server, here is what happens end to end:</p> <ol> <li>Attacker sends 150 concurrent requests per second</li> <li>Nginx logs each request as JSON to the shared volume</li> <li> <code>monitor.py</code> detects new lines within 50ms</li> <li>Sliding window calculates rate: 150 req/s</li> <li>Z-score: <code>(150 - 1.5) / 0.8 = 185</code> — massively above threshold</li> <li> <code>iptables -I INPUT 1 -s {attacker_ip} -j DROP</code> fires</li> <li>Slack alert sent within seconds</li> <li>Audit log entry written</li> <li>After 10 minutes, auto-unban fires</li> <li>Slack unban alert sent</li> <li>If attacker returns — detected again immediately because baseline stayed clean</li> </ol> <h2> Key Lessons Learned </h2> <p><strong>1. The baseline is everything.</strong><br> If your baseline gets corrupted by attack traffic, your detector becomes blind. The spike guard is not optional — it is the difference between a system that works once and one that works reliably.</p> <p><strong>2. Two windows catch two attack types.</strong><br> Per-IP windows catch single aggressive attackers. The global window catches distributed botnets. You need both.</p> <p><strong>3. Z-score beats fixed thresholds.</strong><br> A fixed threshold of "flag if rate &gt; 10 req/s" would miss attacks during busy periods and false positives during quiet periods. Z-score adapts to whatever the current normal is.</p> <p><strong>4. iptables operates at the kernel level.</strong><br> Blocking at the application level (in Nginx or Python) still lets the packet reach your server. iptables drops it before any application code runs — much more efficient.</p> <p><strong>5. Auto-unban is necessary.</strong><br> Without it, you accumulate false positives forever. Legitimate users behind shared IPs (corporate NAT, university networks) would be permanently blocked.</p> <h2> Tech Stack </h2> <ul> <li> <strong>Python 3.11</strong> — main language</li> <li> <strong>Docker + Docker Compose</strong> — containerization</li> <li> <strong>Nginx</strong> — reverse proxy and JSON logging</li> <li> <strong>Nextcloud</strong> — the cloud storage application</li> <li> <strong>Flask + Waitress</strong> — dashboard web server</li> <li> <strong>iptables</strong> — IP blocking at kernel level</li> <li> <strong>Slack Webhooks</strong> — alerting</li> <li> <strong>psutil</strong> — system metrics</li> </ul> <h2> Source Code </h2> <p>The full source code is available at:<br> <strong><a href="https://github.com/devops-timi/anomaly-detection-engine" rel="noopener noreferrer">https://github.com/devops-timi/anomaly-detection-engine</a></strong></p> <p>The repository includes:</p> <ul> <li>All Python source files with detailed comments</li> <li>Nginx configuration</li> <li>Docker Compose setup</li> <li>Architecture diagram</li> <li>Full README with setup instructions</li> </ul> <h2> Conclusion </h2> <p>Building this taught me that real security tooling is not about fancy AI or expensive software. At its core, it is about:</p> <ul> <li>Watching what is happening (log tailing)</li> <li>Learning what normal looks like (rolling baseline)</li> <li>Spotting deviations quickly (z-score detection)</li> <li>Responding automatically (iptables + alerts)</li> </ul> <p>The hardest part was not the detection logic — it was making sure the baseline stayed honest. Once the spike guard was in place, everything else clicked into place.</p> <p>If you are learning DevSecOps or cloud infrastructure, I highly recommend trying to build something like this from scratch. You will learn more about how the internet works in one project than in months of reading.</p> machinelearning python security showdev