Smart Server Defense
Powered by BlueIce3
Automation Documentation

This page describes the steps needed to automate the BlueIce2 log scanning process.
Cron Commands
For the cron job with the shortest execution interval, we recommend the database approach to storing the application data. A script with the following commands should be scheduled to run every 5 minutes.
#blueice3 script file located ./small_interval_blueice3
python [full path]/BlueIce2/ -dbLogResult -dbTrainingFiles -dbValidWebFiles
python [full path]/BlueIce2Utils/ -j storeBlockedIps [full path]/BlueIce2/data/output/ip_block_list.txt
python [full path]/BlueIce2Utils/ -j expireBlockedIps
python [full path]/BlueIce2Utils/ -j blockIpsUbuntu16
BlueIce3 blocks bad IP addresses by adding them to the hosts.deny file in /etc. The last line of the recommended small interval script can be replaced by your own script that blocks the target list of IP addresses. Addresses on the block list remain blocked for an interval of 5 minutes only; if an address is the origin of another attack, it is blocked again for another 5 minutes.
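As an added example (not BlueIce3's own code), the following Python sketch implements the store/expire/apply cycle that the last three lines of the small interval script perform, in case you want to substitute your own blocker: it reads the block list, keeps a first-seen timestamp per address so that an entry expires after 5 minutes and is renewed if the address reappears, and rewrites only a marked section of hosts.deny. The one-address-per-line format of ip_block_list.txt and the marker comments are assumptions of this example.

```python
# Added example, not part of BlueIce3: store, expire and apply the block list.
# Assumes ip_block_list.txt holds one IPv4/IPv6 address per line (not stated
# on the page) and that hosts.deny may contain a section we own, delimited by
# the marker comments below, which we replace on every run.
import ipaddress
import json
import time

BLOCK_SECONDS = 5 * 60            # the page's 5-minute block interval
BEGIN = "# BEGIN blueice-example"  # marker comments are an assumption here
END = "# END blueice-example"


def parse_block_list(text):
    """Return the set of syntactically valid addresses in the block list."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            pass  # never write an unparsable line into hosts.deny
    return ips


def update_state(state, new_ips, now):
    """state maps ip -> unix time it was (re)blocked. Re-seen addresses get a
    fresh window; entries older than BLOCK_SECONDS are dropped (expired)."""
    for ip in new_ips:
        state[ip] = now
    return {ip: t for ip, t in state.items() if now - t < BLOCK_SECONDS}


def render_hosts_deny(existing, state):
    """Replace our managed section in hosts.deny text, leaving other rules."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines:
        a, b = lines.index(BEGIN), lines.index(END)
        lines = lines[:a] + lines[b + 1:]
    # hosts_access(5) wants IPv6 addresses in brackets
    fmt = lambda ip: "[%s]" % ip if ":" in ip else ip
    managed = [BEGIN] + ["ALL: %s" % fmt(ip) for ip in sorted(state)] + [END]
    return "\n".join(lines + managed) + "\n"


if __name__ == "__main__":
    # Constructed sample run; a real cron job would read/write the files.
    state = update_state({}, parse_block_list("203.0.113.5\nbad\n"), time.time())
    print(json.dumps(state), render_hosts_deny("sshd: 10.0.0.0/8\n", state))
```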
We recommend running a file system scan every day or so to keep BlueIce3 up to date. A script with the following commands should be set to run every 24 hours.
#blueice3 script file located ./large_interval_blueice3
[full path]/blueice3_install -u -int -apkg
python [full path]/BlueIce2Utils/ -j storeTrainingFiles [full path]/BlueIce2/data/access_logs/
python [full path]/BlueIce2Utils/ -j storeValidWebFiles /var/www/html/myWebSite default
An example of a recommended cron setup is listed below. The small interval script is executed every 5 minutes. The large interval script will update the database with file system information once a day at 12:05 PM.
*/5 * * * * [full path]/small_interval_blueice3
5 23 * * * [full path]/large_interval_blueice3
That's really all it takes. You'll want to verify that your scripts are working correctly. If you add new files into the training directories you should see a change in the contents of the checkpoints folder. You should also see changes in the apache_log_files table entries if -dbLogResult is on, and in the ./output/ip_block_list.txt output file.
Copyright © 2018    Middlemind LLC.    Victor G. Brusca