DEV Community: meseret akalu The latest articles on DEV Community by meseret akalu (@meseret_akalu_1743b6f6aa5). https://dev.to/meseret_akalu_1743b6f6aa5 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3898824%2F55647a30-a14a-45f1-ad17-d7d2379e876b.jpg DEV Community: meseret akalu https://dev.to/meseret_akalu_1743b6f6aa5 en Devops meseret akalu Sun, 26 Apr 2026 13:47:55 +0000 https://dev.to/meseret_akalu_1743b6f6aa5/devops-track-3-4-20l2 https://dev.to/meseret_akalu_1743b6f6aa5/devops-track-3-4-20l2 <h1> How I Built a Real-Time Anomaly Detection Engine for Nextcloud </h1> <p>When my boss said "build something that watches all incoming traffic and automatically blocks attackers," I had no idea where to start. This post walks through exactly how I built it — from reading log files line by line to blocking IPs with iptables — in a way that makes sense even if you've never touched security tooling before.</p> <h2> What the project does </h2> <p>We have a Nextcloud instance (a file storage platform) running behind Nginx. The goal is to watch every HTTP request coming in, learn what "normal" traffic looks like, and automatically block any IP that starts behaving abnormally — like sending 500 requests per second when the normal rate is 2.</p> <p>The system has four main jobs:</p> <ol> <li>Read the Nginx access log in real time</li> <li>Track request rates using sliding windows</li> <li>Learn the baseline (what normal looks like)</li> <li>Detect anomalies and block bad IPs</li> </ol> <h2> How the sliding window works </h2> <p>Imagine a conveyor belt that's 60 seconds long. Every request that comes in gets placed on the right end of the belt. Every request older than 60 seconds falls off the left end automatically.</p> <p>In Python, this is a <code>collections.deque</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">window</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># stores (timestamp, is_error) tuples </span> <span class="k">def</span> <span class="nf">record</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">window</span><span class="p">.</span><span class="nf">append</span><span class="p">((</span><span class="n">now</span><span class="p">,</span> <span class="bp">False</span><span class="p">))</span> <span class="k">def</span> <span class="nf">get_rate</span><span class="p">():</span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="mi">60</span> <span class="c1"># evict old entries from the left </span> <span class="k">while</span> <span class="n">window</span> <span class="ow">and</span> <span class="n">window</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">window</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">window</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="c1"># requests per second </span></code></pre> </div> <p>No libraries. No counters. Just a deque that evicts old entries on every read. We run one of these per IP and one globally.</p> <h2> How the baseline learns from traffic </h2> <p>The baseline answers the question: "what does normal traffic look like right now?"</p> <p>Every second, we record how many requests came in that second. We keep a rolling 30-minute history of these per-second counts. Every 60 seconds, we calculate the mean and standard deviation of that history.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">math</span> <span class="n">samples</span> <span class="o">=</span> <span class="p">[</span><span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="p">...]</span> <span class="c1"># per-second counts </span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span><span class="o">**</span><span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> </code></pre> </div> <p>We also keep per-hour slots. If the current hour has enough data, we prefer it over the full 30-minute window — because traffic at 3am looks different from traffic at 3pm.</p> <p>A floor value of 1.0 req/s prevents false positives when traffic is very low.</p> <h2> How the detection logic makes a decision </h2> <p>We use two checks — whichever fires first triggers a ban:</p> <p><strong>Z-score check:</strong> How many standard deviations above normal is this IP?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">z</span> <span class="o">=</span> <span class="p">(</span><span class="n">current_rate</span> <span class="o">-</span> <span class="n">baseline_mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">baseline_stddev</span> <span class="k">if</span> <span class="n">z</span> <span class="o">&gt;</span> <span class="mf">3.0</span><span class="p">:</span> <span class="nf">ban</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> </code></pre> </div> <p><strong>Multiplier check:</strong> Is this IP sending more than 5x the normal rate?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">current_rate</span> <span class="o">&gt;</span> <span class="n">baseline_mean</span> <span class="o">*</span> <span class="mf">5.0</span><span class="p">:</span> <span class="nf">ban</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> </code></pre> </div> <p>If an IP also has a high error rate (lots of 4xx/5xx responses), we tighten the thresholds — the z-score threshold drops from 3.0 to 1.5. This catches credential stuffing attacks that send many failed login attempts.</p> <h2> How iptables blocks an IP </h2> <p>iptables is Linux's built-in firewall. When we detect an anomaly, we run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">ban_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-I</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> </code></pre> </div> <p><code>-I INPUT</code> inserts a rule at the top of the INPUT chain. <code>-s</code> means "source IP". <code>-j DROP</code> means silently drop all packets from that IP. The connection just times out on the attacker's side — no response, no error.</p> <p>Bans are temporary. We use a backoff schedule: 10 minutes, then 30 minutes, then 2 hours, then permanent. Each time the ban expires, if the IP was genuinely malicious it usually comes back — and gets a longer ban.</p> <h2> The auto-unban system </h2> <p>A background thread checks every 30 seconds whether any ban has expired:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">threading</span><span class="p">,</span> <span class="n">time</span> <span class="k">def</span> <span class="nf">unban_loop</span><span class="p">():</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">for</span> <span class="n">ip</span><span class="p">,</span> <span class="n">state</span> <span class="ow">in</span> <span class="nf">list</span><span class="p">(</span><span class="n">banned_ips</span><span class="p">.</span><span class="nf">items</span><span class="p">()):</span> <span class="n">elapsed</span> <span class="o">=</span> <span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">state</span><span class="p">[</span><span class="sh">"</span><span class="s">banned_at</span><span class="sh">"</span><span class="p">])</span> <span class="o">/</span> <span class="mi">60</span> <span class="k">if</span> <span class="n">elapsed</span> <span class="o">&gt;=</span> <span class="n">state</span><span class="p">[</span><span class="sh">"</span><span class="s">duration_min</span><span class="sh">"</span><span class="p">]:</span> <span class="nf">remove_iptables_rule</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="nf">send_slack_alert</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Unbanned </span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">unban_loop</span><span class="p">,</span> <span class="n">daemon</span><span class="o">=</span><span class="bp">True</span><span class="p">).</span><span class="nf">start</span><span class="p">()</span> </code></pre> </div> <h2> The live dashboard </h2> <p>A Flask web app runs on port 8080 and shows:</p> <ul> <li>Global requests per second</li> <li>Baseline mean and stddev</li> <li>Currently banned IPs</li> <li>Top 10 source IPs in the last 60 seconds</li> <li>CPU and memory usage</li> <li>Uptime</li> </ul> <p>It refreshes every 3 seconds using JavaScript <code>fetch()</code> calls to <code>/api/status</code>.</p> <h2> Why this matters </h2> <p>DDoS attacks and credential stuffing are real problems for any public-facing service. Most solutions either cost money (Cloudflare, AWS WAF) or require manual intervention. This tool runs entirely on your own server, learns your traffic patterns automatically, and responds within seconds — no human needed.</p> <p>The key insight is that you don't need to know what an attack looks like in advance. You just need to know what normal looks like, and flag anything that deviates significantly.</p> <h2> Stack </h2> <ul> <li>Python 3.12</li> <li>Nginx (JSON access logs)</li> <li>Docker + Docker Compose</li> <li>iptables (blocking)</li> <li>Flask (dashboard)</li> <li>Slack webhooks (alerts)</li> </ul> <h2> Links </h2> <ul> <li>GitHub: <a href="https://github.com/meseretak/hng-stage3" rel="noopener noreferrer">https://github.com/meseretak/hng-stage3</a> </li> <li>Dashboard: <a href="http://136.115.145.233:8080" rel="noopener noreferrer">http://136.115.145.233:8080</a> </li> </ul> automation devops security tutorial