GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → jc1518 → SSSG-Ninja

jc1518 / SSSG-Ninja

Licence: Apache-2.0 license
All-in-one tool for site shield security group management

Programming Languages

python
139335 projects - #7 most used programming language

Labels

akamaisiteshield

Projects that are alternatives of or similar to SSSG-Ninja

cli-property-manager
Use this Property Manager CLI to automate Akamai property changes and deployments across many environments.
Stars: ✭ 22 (+37.5%)
Mutual labels:  akamai
AkamaiOPEN-edgegrid-php-client
PHP client library for Akamai {OPEN} EdgeGrid Authentication scheme (based on Guzzle)
Stars: ✭ 38 (+137.5%)
Mutual labels:  akamai
esi-test-server-docker
A dockerized version of Akamai's Edge Side Includes Test Server (ETS).
Stars: ✭ 30 (+87.5%)
Mutual labels:  akamai
cli-sandbox
Akamai CLI for Sandbox
Stars: ✭ 14 (-12.5%)
Mutual labels:  akamai
AkamaiOPEN-edgegrid-ruby
This library implements the Akamai OPEN EdgeGrid Authentication scheme for the ruby net/http library.
Stars: ✭ 19 (+18.75%)
Mutual labels:  akamai
NetStorageKit-Golang
Netstorage API for Golang
Stars: ✭ 17 (+6.25%)
Mutual labels:  akamai
AkamaiOPEN-edgegrid-java
Java library for Akamai OPEN EdgeGrid Client Authentication
Stars: ✭ 37 (+131.25%)
Mutual labels:  akamai
Zee5
Just a simple shit but no one knows
Stars: ✭ 29 (+81.25%)
Mutual labels:  akamai
wp-akamai
No description or website provided.
Stars: ✭ 21 (+31.25%)
Mutual labels:  akamai
akamai-collector
Akamai sensor data collector with API and database support!
Stars: ✭ 60 (+275%)
Mutual labels:  akamai
cli-eaa
CLI for Enterprise Application Access (EAA)
Stars: ✭ 19 (+18.75%)
Mutual labels:  akamai
detect-cloudflare-plus
True Sight Firefox extension.
Stars: ✭ 34 (+112.5%)
Mutual labels:  akamai
terraform-provider-akamai
Terraform Akamai provider
Stars: ✭ 75 (+368.75%)
Mutual labels:  akamai
akamai-toolkit
A set of tools to work on Akamai v1 anti-bot solution. Current supported version: 1.70
Stars: ✭ 215 (+1243.75%)
Mutual labels:  akamai
terraform-provider-akamai
An Akamai GTM Terraform provider
Stars: ✭ 14 (-12.5%)
Mutual labels:  akamai
NetStorageKit-Python
Akamai Netstorage API for Python
Stars: ✭ 22 (+37.5%)
Mutual labels:  akamai
AkamaiOPEN-edgegrid-C-Sharp
No description or website provided.
Stars: ✭ 13 (-18.75%)
Mutual labels:  akamai
aem-akamai-replication-agent
How to create custom replication agents in AEM using Akamai as an example.
Stars: ✭ 33 (+106.25%)
Mutual labels:  akamai

SSSG Ninja

Overview

Site Shield is the fancy name for IP white listing of Akamai, it provides an additional layer of protection that helps prevent attackers from bypassing cloud-based protections to target the application origin.

Security Group is the security component of AWS, it acts as a virutal firewall for insstances to controls the inbount/outbound traffics.

With the frequent site shield cidr updates (add or remove cidr) and the different acknowledge order for add and remove operations, it becomes difficult to keep the security groups up to date. Also you have to keep track of the security group usage, as it may reach the limits.

SSSG Ninja is the all-in-one management tool for SSSG (Site Shield Security Group), it not only makes recommendations but also can do the jobs for you. Here are current supported features:

  • Make recommendations based on health check
  • Add missed site shield cidr to security groups
  • Add new site shield cidr to security groups
  • Remove obsolete site shield cidr from security groups
  • Check the security group limits
  • Check site shield map information
  • Search cidr in security groups
  • Acknowledge site shield change
  • Debug mode logging

Terminologies

If you want to deep dive into the tool, here are a few terms you need to know

Terminology Description
current cidr current site shield production cidr
proposed cidr new site shield production cidr
new cidr additional cidr to current site shield production cidr
staging cidr site shield staging cidr
configed cidr source cidr in security groups
trusted cidr non site shield cidr but colocate within security groups
missed cidr missed site shield production or staging cidr in security groups
obsolete cidr obsolete site shield cidr in security groups
empty slots free security group rule space

Installation

Refer the example section for details

  1. Clone the project
  2. Install requirements pip install -r requirements.txt.
  3. Set up your Akamai API credential environment variables: SS_BASEURL, SS_CLIENTTOKEN, SS_CLIENTSECRET, SS_ACCESSTOKEN.
  4. Set up your AWS credential file or use instance role if you are running on EC2.
  5. Run python sssg.py -i to get the maps IDs, then put them in the siteshield_map_ids array in sssg.py file.
  6. Add your security groups IDs in the array siteshield_sg_groups array in sssg.py file.
  7. As Akamai does not have API for staging IP, so you have to get a list of the current staging IP then add them into the staging_ip file.

Usage

The arguments can be used seperately or together. For example, to remove obsolete cidr then add missed cidr, the command is 'python sssg.py -o -m'

Optional arguments Description
-h, --help show this help message and exit
-a, --advisor make recommedations based on current settings
-d, --debug enable debug logging mode
-i, --mapinfo get site shield map name and id
-k, --acknowledge acknowledge site shield updates. Warning: ensure you update security groups before acknowledge
-m, --missed add missed site shield cidr to security groups
-n, --new add new site shield cidr to security groups
-o, --obsolete remove obsolete site shield cidr from security groups
-s cidr, --search cidr find security group that contains this cidr (e.g 23.50.48.0/20)

Example

Setup site shield credential as environment variables

export SS_ACCESSTOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
export SS_BASEURL="https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.luna.akamaiapis.net"
export SS_CLIENTSECRET="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
export SS_CLIENTTOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Setup AWS credential in file ~/.aws/credentials

[default]
aws_access_key_id = xxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Get map id

$ python sssg.py -i
Checking, please wait...
There are 2 site shield maps.
Name:s500.akamaiedge.net ID:1000
Name:s600.akamai.net ID:1001

Set map id in sssg.py file

siteshield_map_ids = ['1000', '1001']

Create the AWS security groups
Create the security groups then asssociate them to ELB

Setup security groups ID in sssg.py file

siteshield_sg_groups = ['sg-672b3203', 'sg-792b321d', 'sg-552b3231', 'sg-262b3242']

Setup staging ip in staging_ip file
As Akamai does not have API for staging IP, you have to get it from the Luna port: Configure > Security > Firewall Rules Notification
stagingip

Test: SSSG advisor
I added a new cidr 1.1.1.1/32 into staging_ip, then run a health check.

$ python sssg.py -a

------------Diagnose------------
Checking current cidr...
Checking proposed cidr...
Checking staging cidr...
Checking configed cidr...
Checking missed cidr...
Missed production cidr number: 0
Missed staging cidr number: 1
1.1.1.1/32
Checking obsolete cidr...
Obsolete cidr number: 0
Checking new cidr...
New cidr number: 0
Checking total empty slots...

------------Results------------
Current cidr number: 77
Proposed cidr number: 46
New cidr number: 0
Staging cidr number: 82
Trusted cidr number: 37
Configed cidr number: 158
Missed cidr number: 1
Obsolete cidr number: 0
Total empty slots: 42

------------Recommedations------------
- There are some site shield cidr are missed in the security groups. The details can be found in Diagnose, please add them in.
- Site shield has new updates, please change the security groups accordingly.

Test: SSSG check updates
In the above test, it shows site shield has new updats, but the New cidr number is 0. Why? It means the new updates do not have any new cidr to add, but some cidr to remove. new

Also, the add new command result confirms it.

$ python sssg.py -n

------------Diagnose------------
Checking current cidr...
Checking proposed cidr...
Checking staging cidr...
Checking configed cidr...
Checking missed cidr...
Missed production cidr number: 0
Missed staging cidr number: 0
Checking obsolete cidr...
Obsolete cidr number: 0
Checking new cidr...
New cidr number: 0
Checking total empty slots...

------------Add New Cidr------------
No new cidr were found!

Test: Search cidr
If you are interested to know which security group has the cidr, you can search it.

$ python sssg.py -s 184.84.221.0/24
184.84.221.0/24 is found in sg-672b3203

Test: Add missed cidr
In the above test, it shows 1.1.1.1/32 is missed. Here is how to fix it.

$ python sssg.py -m

------------Diagnose------------
Checking current cidr...
Checking proposed cidr...
Checking staging cidr...
Checking configed cidr...
Checking missed cidr...
Missed production cidr number: 0
Missed staging cidr number: 1
1.1.1.1/32
Checking obsolete cidr...
Obsolete cidr number: 0
Checking new cidr...
New cidr number: 0
Checking total empty slots...

------------Add Missed Cidr------------
- Adding cidr: 1.1.1.1/32 to sg-672b3203
{'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': '420e5d8f-3f27-499a-bb9f-d34d5016eda7', 'HTTPHeaders': {'transfer-encoding': 'chunked', 'vary': 'Accept-Encoding', 'server': 'AmazonEC2', 'content-type': 'text/xml;charset=UTF-8', 'date': 'Tue, 29 Nov 2016 03:46:41 GMT'}}}

Test: Remove obsolete cidr
Now let me remove 1.1.1.1/32 from the staging_ip, and let SSSG Ninja to remove it from the security group.

$ python sssg.py -o

------------Diagnose------------
Checking current cidr...
Checking proposed cidr...
Checking staging cidr...
Checking configed cidr...
Checking missed cidr...
Missed production cidr number: 0
Missed staging cidr number: 0
Checking obsolete cidr...
Obsolete cidr number: 1
1.1.1.1/32
Checking new cidr...
New cidr number: 0
Checking total empty slots...

------------Remove Obsolete Cidr------------
1.1.1.1/32 is found in sg-672b3203
- Removing obsolete cidr: 1.1.1.1/32 from sg-672b3203
{'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': 'fc110210-084c-4b27-bc84-cd337a532471', 'HTTPHeaders': {'transfer-encoding': 'chunked', 'vary': 'Accept-Encoding', 'server': 'AmazonEC2', 'content-type': 'text/xml;charset=UTF-8', 'date': 'Tue, 29 Nov 2016 03:48:50 GMT'}}}

Automation

It is easy to automate all SSSG management jobs. A single command does all things: remove obsolete cidr, add missed cidr, add new cidr, acknowledge update. Enjory :)

$ python sssg.py -o -m -n -k
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].