Secure API Manager provides an Access Services feature to help protect the components of Secure API Manager against attacks. Access Services increase the security of Secure API Manager by allowing you to define rules, add exemptions to the rules, or always block access. You can configure these rules for the sshd process, for incoming access to the API Gateway, or for any access requests to Secure API Manager.
NOTE: Secure API Manager allows you to use only IP addresses, not DNS names, in Access Services. DNS names can change but IP addresses do not change. Always use IP addresses when configuring Access Services.
The following sections contain the information to help you configure Access Services. For information about managing Access Services, see Manage Access Services. Use the following information to configure Access Services:
Access Services provide denial-of-service protection for Secure API Manager. The denial-of-service feature is based on the open source Fail2ban project. Fail2ban uses jails to provide protection. A jail is a grouping of rules or policies to ban bad actors from accessing a server. A bad actor is an external IP address that tries to break into Secure API Manager, specifically the API Gateway.
Secure API Manager allows you to define rules (jails) against attacks, add IP addresses or IP subnets that are exempt from the rules, or always block any requests that come from a specific IP address or subnet.
Secure API Manager contains three jails. The following table lists the three jails and whether Secure API Manager enables them by default.
Table 2-1 Secure API Manager Jails for Protecting Against Attacks
Jail | Enabled by Default | Description |
---|---|---|
sshd process | Yes | It protects against attacks trying to get command line access to the API Gateway through the secure shell (SSH). |
API Gateway | Yes | It protects against attacks to the API Gateway. |
Global | No | It protects against any attacks against Secure API Manager. If you add an IP address to the SSH tab and to the API Gateway tab, it automatically appears on the Global tab. If you add the IP address once to the Global tab, the IP address appears on the SSH tab and the API Gateway tab with the word Global beside it. |
Access Manager Administration Console > Dashboard > API Gateway Cluster > Access Services > SSH
Secure API Manager allows you to protect the sshd process for port 22. The sshd process allows you to access the command line of the API Gateway remotely through a secure shell (SSH). Many malicious attacks target the sshd port.
You add the IP addresses or range of IP addresses to the SSH tab to grant exemption from the rules protecting the sshd process. If a malicious attack resulted in access to the command line of the API Gateway, it could cause major issues and disruptions to the API Gateway. To increase the security of Secure API Manager, we recommend a very small list of IP addresses that are exempt from the rules protecting the sshd process.
To define rules and exemptions for the sshd process:
On the appropriate API Gateway Cluster, in the right corner, select Access Services.
Click Enable to have Secure API Manager apply the rules that you define to protect the sshd process.
Use the following information to define the rules that protect the sshd process:
Specify the number of allowed failed attempts to access the sshd process. By default, it is 6 attempts.
Specify the period in which the attempts can occur. For example, you specified that there must be 5 failures in 60 seconds for the ban to occur. If 5 failures occurred in 65 seconds, Secure API Manager would not ban the request because the exact criteria were not met. By default, the period is 60 seconds.
Specify the maximum time period or number of failed attempts after which Secure API Manager blocks the IP address or IP subnet. By default, the period is 3600 seconds, which is one hour.
Add IP addresses or subnets to be exempt from the rules that protect the sshd process:
(Conditional) Click Apply if you want to save the changes but perform additional tasks in Access Services.
(Conditional) Click Save if you are finished making changes and want to close the Access Services window.
(Conditional) If you are using the Docker deployment, you must restart the Docker service by issuing the following command:
systemctl restart docker
NOTE: After you make a change that impacts the Docker iptables, you must restart the Docker service to move the DOCKER-USER rule priority to the top of the FORWARD chain.
Access Manager Administration Console > Dashboard > API Gateway Cluster > Access Services > API Gateway
Secure API Manager allows you to create rules to protect the API Gateway. It also allows you to add any IP addresses or subnets that are exempt from these rules. These rules protect against any incoming requests to the API Gateway.
To define rules and exemptions for the API Gateway:
On the appropriate API Gateway cluster, in the right corner, select Access Services.
Click Enable to have Secure API Manager enable the rules to protect the API Gateway.
Use the following information to define the rules to protect the API Gateway:
Specify the maximum number of retries to access the API Gateway. The retries include any errors accessing the API Gateway. The default is 50.
Specify the period in which the attempts can occur. For example, there must be 50 or more attempts to access the API Gateway that cause errors in 60 minutes for Secure API Manager to ban the requests. The default period is 60 seconds.
Specify the period of time after which Secure API Manager blocks the IP address if the number of maximum retries has been exceeded and the attempts have exceeded the defined time period. For example, if an IP address tries to access the API Gateway more than 50 times in less than one hour, Access Services blocks the IP address. The default is 3600 seconds, which is one hour.
Add IP addresses or subnets to be exempt from the rules that protect the API Gateway:
(Conditional) Click Apply if you want to save the changes but perform additional tasks in Access Services.
(Conditional) Click Save if you are finished making changes and want to close the Access Services window.
(Conditional) If you are using the Docker deployment, you must restart the Docker service by issuing the following command:
systemctl restart docker
NOTE: After you make a change that impacts the Docker iptables, you must restart the Docker service to move the DOCKER-USER rule priority to the top of the FORWARD chain.
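The following added example (not Secure API Manager or Fail2ban code) models the rule that the sshd and API Gateway settings above describe: a source is blocked for the block time once it reaches the allowed number of failures inside the period, unless it is exempt. The `Jail` class, the `replay` helper, the sample addresses, and the choice to ban when the count reaches the limit are assumptions made for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

class Jail:
    """Sliding-window ban rule: max_retry failures within find_time seconds."""
    def __init__(self, max_retry, find_time, ban_time, exempt=()):
        self.max_retry, self.find_time, self.ban_time = max_retry, find_time, ban_time
        self.exempt = [ip_network(e, strict=False) for e in exempt]
        self.failures = defaultdict(deque)   # source IP -> failure timestamps
        self.banned_until = {}               # source IP -> time the ban ends

    def is_exempt(self, ip):
        return any(ip_address(ip) in net for net in self.exempt)

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register one failure; return True if this failure triggers a ban."""
        if self.is_exempt(ip) or self.is_banned(ip, now):
            return False
        window = self.failures[ip]
        window.append(now)
        # Forget failures that are older than the period being counted.
        while now - window[0] > self.find_time:
            window.popleft()
        if len(window) >= self.max_retry:   # assumption: ban when the limit is reached
            self.banned_until[ip] = now + self.ban_time
            window.clear()
            return True
        return False

# Constructed sample failures as (seconds, source IP); not real log data.
EVENTS = (
    [(t, "203.0.113.7") for t in (0, 15, 30, 45, 60)]      # 5 failures in 60 s
    + [(t, "198.51.100.9") for t in (0, 16, 32, 48, 65)]   # 5 failures in 65 s
    + [(t, "192.0.2.10") for t in range(0, 50, 5)]         # inside an exempt subnet
)

def replay(events, jail):
    """Feed failures in time order; return {ip: time the ban started}."""
    bans = {}
    for now, ip in sorted(events):
        if jail.record_failure(ip, now):
            bans[ip] = now
    return bans

if __name__ == "__main__":
    print(replay(EVENTS, Jail(5, 60, 3600, exempt=["192.0.2.0/24"])))
```

Only the first source is banned: the second spreads its five failures over 65 seconds, and the third falls inside the exempt subnet.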
Access Manager Administration Console > Dashboard > API Gateway Cluster > Access Services > Global
Secure API Manager provides global protection rules that protect all Secure API Manager ports. You can have IP addresses that are exempt from the sshd process rules or exempt from the API Gateway rules. When you have the same IP address in both locations, Secure API Manager automatically adds those IP addresses or IP subnets to the Global exemption list.
Secure API Manager allows you to add specific IP addresses or IP subnets that you know belong to bad actors and that you want to block. The Deny List allows you to add IP addresses or IP subnets that you never want to access any Secure API Manager ports.
To define the global rules and exemptions:
On the appropriate API Gateway cluster, in the right corner, select Access Services.
Click Enable to have Secure API Manager enable the rules that protect all of its ports.
To exempt IP addresses or subnet masks from the global rules:
To block any access from IP addresses or subnet masks:
(Conditional) Click Apply, if you want to save the changes but perform additional tasks in Access Services.
(Conditional) Click Save, if you are finished making changes and want to close the Access Services window.
(Conditional) If you are using the Docker deployment, you must restart the Docker service by issuing the following command:
systemctl restart docker
NOTE: After you make a change that impacts the Docker iptables, you must restart the Docker service to move the DOCKER-USER rule priority to the top of the FORWARD chain.
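A check for the condition that the Docker NOTE in each procedure describes, as an added example that is not part of the product documentation: it reads the output of `iptables -S FORWARD` and reports where the jump to DOCKER-USER sits and which rules are evaluated before it. The two sample outputs are constructed, and the function names are hypothetical.

```python
import shlex

def forward_rules(iptables_s_output):
    """Return the -A FORWARD rules, in evaluation order, as token lists."""
    rules = []
    for line in iptables_s_output.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] == ["-A", "FORWARD"]:
            rules.append(tokens[2:])
    return rules

def jump_target(rule):
    """Target chain of a rule's -j option, or None if it has none."""
    return rule[rule.index("-j") + 1] if "-j" in rule[:-1] else None

def docker_user_check(iptables_s_output):
    """Return (position of the DOCKER-USER jump or None, rules evaluated before it)."""
    rules = forward_rules(iptables_s_output)
    for i, rule in enumerate(rules):
        if jump_target(rule) == "DOCKER-USER":
            return i, [" ".join(r) for r in rules[:i]]
    return None, []

# Constructed sample: DOCKER-USER is the first rule in FORWARD.
TOP = """\
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
"""

# Constructed sample: another rule is evaluated before DOCKER-USER.
SHADOWED = """\
-P FORWARD DROP
-A FORWARD -s 203.0.113.0/24 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
"""

if __name__ == "__main__":
    for name, sample in (("TOP", TOP), ("SHADOWED", SHADOWED)):
        print(name, docker_user_check(sample))
```

On a gateway host, pass in the output of `iptables -S FORWARD` captured after `systemctl restart docker`; a position of 0 means DOCKER-USER is evaluated first.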