azure-nsg-ban-ips

Block malicious IPs for some days, perfect for Azure Kubernetes (AKS)

Usage (no npm install needed!)

<script type="module">
  import azureNsgBanIps from 'https://cdn.skypack.dev/azure-nsg-ban-ips';
</script>

README

azure-nsg-ban-ips

Block attacker IPs for some days, perfect for Azure Kubernetes (AKS).

This is much better than banning IPs e.g. in NGINX, because attackers don't reach any services at all.

Node.js: npm package

Usage: Code

const nsg = require( 'azure-nsg-ban-ips' )

// upper-case names are placeholders for your own service principal and NSG values
async function main() {
  nsg.login( SERVICE_PRICIPAL_ID, SECRET_KEY, AAD_ID, SUBSCRIPTION_ID, RESSOURCE_GROUP, NSG_NAME )

  // clean up and keep ban rules 4 days
  await nsg.cleanupOldBlacklists( 4 )

  // add IPs to today's blacklist
  let todaysBlacklist = await nsg.addIpAddrArrToBlacklist( ['1.2.3.4','6.6.6.6'] )
  console.log( 'Todays IPs', todaysBlacklist )
}

main().catch( console.error )

Details: see example.js

Usage: Container

There is a ready to use

This reads the NGINX Ingress Controller logs, identifies attacks and bans the IP addresses in the NSG.

CI code is provided for easy end-to-end set up of EventHub, LogAnalytics log feed-out etc.

API

Init and get credentials for all following operations first:

login( SERVICE_PRICIPAL_ID, SECRET_KEY, AAD_ID, SUBSCRIPTION_ID, RESSOURCE_GROUP, NSG_NAME )

Clean up NSG rules. Optional parameter: keep ban rules X days, default is 2, max is 13:

cleanupOldBlacklists()
cleanupOldBlacklists( 4 )

Add an array of IPs to today's NSG rule. Returns an array of the IPs banned in today's NSG rule:

addIpAddrArrToBlacklist( IP_ADDRESS_ARRAY )

Read and return all security rules in the NSG:

getNsgRules()

Set the base prio number for blacklist rules, e.g.:

setNsgBasePrioConfig( 10000 )

Behind the Scenes

This package creates NSG security rules, for example for the NSG which comes with your AKS.

About the rules:

  • one rule is created per day
  • rule names are blacklistYYYYMMDD, for example blacklist20201108
  • rules use prio 1000...1365 (1000 + day in year)
  • rule description field contains "created by blacklist job"

The description is also used as a filter in the cleanupOldBlacklists() to identify old blacklists to delete.

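If you need to set up whitelist rules, you should use a prio of e.g. 200. NSG rules with a lower prio number are evaluated first, so such a rule takes effect before the blacklist rules.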
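The rule scheme above can be checked offline before running a cleanup. The following is an added example, not code from the azure-nsg-ban-ips package: it classifies a list of NSG rules by the description marker and the date in the rule name, and flags hand-made rules that sit inside the 1000...1365 priority range. The function names, the sample rules and the exact meaning of "keep X days" are assumptions.

```javascript
// Added illustration; not code from the azure-nsg-ban-ips package.
const MARKER = 'created by blacklist job'   // description text named in the README
const PRIO_MIN = 1000, PRIO_MAX = 1365      // priority range named in the README
const DAY_MS = 24 * 60 * 60 * 1000

// Parse "blacklistYYYYMMDD" into a UTC timestamp, or null if the name does not match.
function blacklistDate(name) {
  const m = /^blacklist(\d{4})(\d{2})(\d{2})$/.exec(name)
  if (!m) return null
  const ts = Date.UTC(+m[1], +m[2] - 1, +m[3])
  // reject impossible dates such as 20201340, which Date.UTC would silently roll over
  const d = new Date(ts)
  return d.getUTCMonth() === +m[2] - 1 && d.getUTCDate() === +m[3] ? ts : null
}

// Classify rules the way a description-based cleanup would see them.
// Assumption: a rule expires once its date is more than keepDays days before `now`.
function auditRules(rules, now, keepDays = 2) {
  const today = Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate())
  const report = { expired: [], kept: [], foreignInRange: [] }
  for (const r of rules) {
    const managed = (r.description || '').includes(MARKER)
    const ts = blacklistDate(r.name)
    if (managed && ts !== null) {
      const bucket = today - ts > keepDays * DAY_MS ? 'expired' : 'kept'
      report[bucket].push(r.name)
    } else if (r.priority >= PRIO_MIN && r.priority <= PRIO_MAX) {
      // rule in the job's priority range that is not a dated blacklist rule:
      // it may collide with a daily rule and is never cleaned up
      report.foreignInRange.push(r.name)
    }
  }
  return report
}

// Constructed sample rules (names, priorities and descriptions are made up for this example)
const sampleRules = [
  { name: 'blacklist20201108', priority: 1313, description: MARKER },
  { name: 'blacklist20201105', priority: 1310, description: MARKER },
  { name: 'blacklist20201101', priority: 1306, description: MARKER },
  { name: 'blacklist20191231', priority: 1365, description: MARKER },
  { name: 'allow-office',      priority: 200,  description: 'whitelist' },
  { name: 'block-manual',      priority: 1200, description: 'added by hand' },
]
console.log(auditRules(sampleRules, new Date(Date.UTC(2020, 10, 8)), 4))
```

Because the date comes from the rule name and not from the priority, the rule from the previous year is still recognised as expired after the year rollover.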