# Tools: Building a Smart Security Guard for Your Server 🛡️

This project is part of the HNG DevOps internship (Stage 3), and trust me, it sounds way more complicated than it actually is. Let's break it down together.

## What Are We Building?

Think of it like hiring a smart security guard for your website who:

- **Watches the door** - Keeps track of everyone visiting your site
- **Learns the pattern** - Figures out what "normal" traffic looks like
- **Spots the troublemakers** - Detects when something fishy is happening
- **Takes action** - Blocks suspicious visitors automatically
- **Sends you alerts** - Notifies you on Slack when there's trouble
- **Shows a dashboard** - Gives you a live view of what's happening

Cool, right? Let's see how it all works!

## Understanding the Key Concepts (No Jargon, I Promise!)

### 1. The Sliding Window (Think: Security Camera Footage)

Imagine you have a camera recording your front door. Instead of keeping all footage forever, you only keep the last 60 seconds. When a new second is recorded, the oldest one gets deleted.

- We track how many people visited in the last 60 seconds
- Every second, we add new data and remove the oldest
- This gives us a "rolling" view of recent activity

```python
# Simple example (Python makes this easy!)
from collections import deque

# This automatically keeps only the last 60 items
recent_traffic = deque(maxlen=60)

# Every second, we add new data (here: the count for the second that just ended)
current_visitors = 14
recent_traffic.append(current_visitors)
# Old data automatically disappears once the window holds 60 entries!
```

Why is this useful? It helps us spot sudden spikes in traffic that might indicate an attack!

### 2. The Baseline (Your "Normal" Traffic Pattern)

Your baseline is like knowing your daily routine. If you usually get 10-15 visitors per second, that's your "normal."

- Watch traffic for 30 minutes
- Calculate the average (mean)
- Calculate how much it varies (standard deviation)

```python
import statistics

# Collect 30 minutes of data (one entry per second; only the first few are shown here)
traffic_data = [12, 15, 13, 14, 16, 11, 12]

# Calculate your "normal"
average = statistics.mean(traffic_data)    # Example: 13.5
variation = statistics.stdev(traffic_data) # Example: 2.1
```

- Normal traffic: 13 visitors/second ± 2
- This means 11-15 is totally normal
- But 50 visitors/second? That's suspicious!

### 3. The Z-Score (How Weird is This Traffic?)

The z-score is just a fancy way of asking: "How unusual is this compared to normal?"

```
z-score = (current traffic - normal traffic) / variation
```

- Z-score of 0 = Perfectly normal
- Z-score of 1-2 = A bit high, but okay
- Z-score of 3+ = ALERT! Something's wrong!

```python
normal = 13.5     # visitors/second
variation = 2.1
current = 30      # visitors/second

z_score = (current - normal) / variation  # Result: 7.86 — Definitely an attack!

if z_score > 3.0:
    print("🚨 ATTACK DETECTED!")
```

### 4. The 5x Rule (Backup Check)

Sometimes the z-score isn't enough. The 5x rule is simple: If traffic is 5 times higher than normal, it's an attack — no matter what!

Why? If you normally get 2 visitors/second, even 10 might not trigger the z-score, but it's still 5x your normal traffic!

## Setting Up Your Project

### What You'll Need

- A Google Cloud account (free tier works!)
- A Slack account (to receive alerts)
- Basic knowledge of:
  - Running commands in terminal
  - What Docker is (even just a basic idea)
  - Python basics (if statements, loops)

### Step 1: Create Your Cloud Server

- Go to Google Cloud Console
- Create a new VM (virtual machine):
  - Name: hng-stage3
  - Type: e2-medium (2 CPU, 4GB RAM)
  - Disk: Ubuntu 22.04 LTS, 20GB
  - Firewall: Allow HTTP and HTTPS traffic
- Click "Create" and wait a minute

Don't forget: Open port 8080 for your dashboard!

- Go to VPC Network → Firewall
- Create a new rule called allow-dashboard-8080
- Allow TCP port 8080 from anywhere (0.0.0.0/0)

### Step 2: Connect to Your Server

Click the "SSH" button next to your VM in Google Cloud Console. A terminal will open — this is where the magic happens!

### Step 3: Install the Tools

Run these commands one by one:

```bash
# Update your system
sudo apt update && sudo apt upgrade -y

# Install Docker (the easy way!)
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

# Install Docker Compose
sudo apt install docker-compose -y

# Install Python
sudo apt install python3 python3-pip git -y

# Create your project folder
mkdir ~/hng-stage3
cd ~/hng-stage3
```

Congrats! Your server is ready! 🎉

## Building the Detection System

### Project Structure

Here's how we'll organize everything:

```
hng-stage3/
├── docker-compose.yml      # Starts all our services
├── nginx/
│   └── nginx.conf          # Web server config
├── detector/
│   ├── main.py             # Main program
│   ├── monitor.py          # Watches the logs
│   ├── baseline.py         # Calculates "normal"
│   ├── detector.py         # Spots attacks
│   ├── blocker.py          # Blocks bad IPs
│   ├── notifier.py         # Sends Slack alerts
│   ├── dashboard.py        # Web dashboard
│   ├── config.yaml         # Your settings
│   └── requirements.txt    # Python packages needed
```

### The Core Logic (In Plain English!)

**1. Monitor the Traffic (monitor.py)**

This script watches your web server logs and counts visitors every second.

```python
# Every second, check how many people visited
LOG_PATH = "/var/log/nginx/hng-access.log"
last_position = 0

def count_visitors():
    global last_position
    # Read only the log lines written since the last check
    with open(LOG_PATH) as log:
        log.seek(last_position)
        new_lines = log.readlines()
        last_position = log.tell()
    # Count the new entries and return the number
    return len(new_lines)
```

**2. Learn What's Normal (baseline.py)**

After collecting data for 30 minutes, calculate your baseline.

```python
import statistics

def calculate_baseline(data):
    average = sum(data) / len(data)
    # Calculate how much traffic varies
    variation = statistics.stdev(data)
    return {
        'mean': average,
        'stddev': variation
    }
```

**3. Detect Attacks (detector.py)**

Compare current traffic to your baseline using the z-score.

```python
def is_attack(current_traffic, baseline):
    # Check z-score rule (skipped if traffic never varied, so we don't divide by zero)
    if baseline['stddev'] > 0:
        z_score = (current_traffic - baseline['mean']) / baseline['stddev']
        if z_score > 3.0:
            return True

    # Check 5x rule
    if current_traffic > (baseline['mean'] * 5):
        return True

    return False
```

**4. Block the Attacker (blocker.py)**

Use iptables (a firewall tool) to block the bad IP address.

```python
import ipaddress
import subprocess

def block_ip(ip_address):
    # Refuse anything that isn't a real IP address (it came from a log line, after all)
    ipaddress.ip_address(ip_address)
    # Add firewall rule to block this IP; no shell involved, so the value can't be injected
    subprocess.run(["iptables", "-A", "INPUT", "-s", ip_address, "-j", "DROP"], check=True)
    print(f"🚫 Blocked {ip_address}")
```

**5. Send an Alert (notifier.py)**

Post a message to Slack so you know what's happening.

```python
import requests

def send_slack_alert(message):
    webhook_url = "YOUR_SLACK_WEBHOOK_URL"
    payload = {"text": message}
    requests.post(webhook_url, json=payload, timeout=5)
```

## Testing Your System

### Step 1: Let It Learn (5-10 minutes)

Generate some normal traffic so the system can build a baseline:

```bash
# Install the testing tool
sudo apt install apache2-utils -y

# Send normal traffic (10 requests/second for 60 seconds)
ab -n 600 -c 1 -t 60 http://localhost/
```

Watch your detector logs:

```bash
docker logs hng-detector -f
```

You should see it learning and updating the baseline!

### Step 2: Simulate an Attack

Now let's test if it can detect attacks:

```bash
# Send 100 requests/second for 60 seconds
ab -n 6000 -c 10 -t 60 http://localhost/
```

- Detector spots the unusual traffic
- Calculates a high z-score
- Blocks the IP address
- Sends you a Slack alert
- Shows the attack on your dashboard

If you see all of this, you did it! 🎊

## The Dashboard

Your dashboard runs on port 8080 and shows:

- **Live traffic graph** - See requests per second
- **Baseline tracker** - Your "normal" traffic pattern
- **Recent alerts** - What attacks were detected
- **Blocked IPs** - Who's been banned

## Common Problems (And How to Fix Them)

### Problem 1: "My logs are empty!"

```bash
# Make sure the web server is running
docker ps

# Test by visiting your site
curl http://localhost/

# Check if logs are being created
docker exec hng-nginx tail /var/log/nginx/hng-access.log
```

### Problem 2: "The detector isn't blocking anything!"

```bash
# Make sure the detector has permission to use the firewall
docker inspect hng-detector | grep -i privileged
# Should show: "Privileged": true

# If not, add this to your docker-compose.yml:
# privileged: true
# network_mode: "host"
```

### Problem 3: "Dashboard won't load!"

```bash
# Check if the port is open on GCP
# Go to: VPC Network → Firewall → allow-dashboard-8080

# Test from your computer:
curl http://YOUR_SERVER_IP:8080/api/metrics
```

## What I Learned

Building this project taught me:

- **How real security systems work** - It's not magic, just math!
- **The power of baselines** - Understanding "normal" helps you spot "abnormal"
- **Why automation matters** - Blocking attacks manually would be impossible
- **Docker makes deployment easy** - Everything runs in containers
- **Monitoring is crucial** - You can't fix what you can't see

## Key Takeaways

- **Start simple** - Build one piece at a time
- **Test frequently** - Don't wait until the end to test
- **Learn the concepts** - Understanding why > memorizing code
- **Use tools wisely** - Python and Docker handle the heavy lifting
- **Monitor everything** - Logs are your best friend

Useful links:

- 🐍 Python Documentation
- 🐳 Docker Getting Started
- 🔔 Slack Webhooks Guide

Good luck, and happy coding! 🚀

P.S. If you found this helpful, give it a ❤️ and follow me for more DevOps tutorials!
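As an added example (my own code, not the post's or the HNG project's) that ties the monitor, baseline, detector and blocker steps together: it parses nginx combined-format log lines, keeps the 60-second sliding window, skips the z-score when the baseline is flat (stddev of 0) instead of crashing, applies the 5x rule, stops learning while an attack is in progress so a flood cannot redefine "normal", and names the top-talking IP for blocker.py. The regex, the `Detector` class, the function names and the log lines are all mine and constructed for illustration.

```python
import re
import statistics
from collections import Counter, deque

# Regex for nginx's default "combined" log format: client IP, timestamp, request, status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')
# Constructed log lines (not real traffic): one second with two requests from one client
SAMPLE_SECOND = [
    '203.0.113.7 - - [10/Oct/2025:12:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "ab/2.3"',
    '198.51.100.4 - - [10/Oct/2025:12:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2025:12:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "ab/2.3"',
]

def requests_per_ip(log_lines):
    """monitor.py step: count requests per client IP in one second's worth of log lines."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:                                # ignore lines that aren't in the expected format
            counts[m["ip"]] += 1
    return counts

class Detector:
    def __init__(self, window=60, min_samples=30, z_threshold=3.0, multiplier=5):
        self.window = deque(maxlen=window)   # sliding window: only the last 60 seconds kept
        self.min_samples = min_samples
        self.z_threshold = z_threshold
        self.multiplier = multiplier
        self.baseline = None                 # {'mean': ..., 'stddev': ...} once learned

    def _learn(self, count):
        self.window.append(count)
        if len(self.window) >= self.min_samples:
            self.baseline = {"mean": statistics.mean(self.window),
                             "stddev": statistics.stdev(self.window)}

    def observe(self, count):
        """Feed one second's total request count; return (is_attack, z_score)."""
        if self.baseline is None:            # still learning: never alert on warm-up data
            self._learn(count)
            return False, 0.0
        mean, stddev = self.baseline["mean"], self.baseline["stddev"]
        # A flat baseline has stddev 0: skip the z-score rather than divide by zero
        z = (count - mean) / stddev if stddev > 0 else 0.0
        attack = z > self.z_threshold or count > mean * self.multiplier
        if not attack:                       # only normal seconds may update "normal"
            self._learn(count)
        return attack, round(z, 2)

def detect_and_pick_offender(detector, log_lines):
    """One tick of main.py: count the second, run the rules, name the IP to block (or None)."""
    per_ip = requests_per_ip(log_lines)
    attack, z = detector.observe(sum(per_ip.values()))
    offender = per_ip.most_common(1)[0][0] if attack and per_ip else None
    return attack, z, offender
```

The returned offender is what you would hand to `block_ip()`; the 5x rule is what catches a flood during the stretch when the learned baseline is perfectly flat and the z-score cannot be computed.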