Managing blacklists manually in SafeLine used to be a real pain—especially when you're dealing with unpredictable and high-frequency attacks. Every time an attack hit, we had to log in and do it all manually. Exhausting, right?
Luckily, things have changed.
SafeLine WAF recently released its Open API, and with version 7.2, we finally have public API documentation to work with. So I decided to build an automation script that detects frequent attackers and auto-blacklists them. Here’s how I did it—and how you can too.
Open API
Every request is authenticated by setting the HTTP header X-SLCE-API-TOKEN: Your API Token. A minimal example that creates a site through the API:
```python
import requests
import json

# Replace with the token created for your automation account
header = {
    "X-SLCE-API-TOKEN": "Your API Token"
}

# Replace IP with the address of your SafeLine management interface
url = 'https://IP:9443/api/open/site'

request_payload = {
    "ports": ["80"],
    "server_names": ["*"],
    "upstreams": ["http://127.0.0.1:9443"],
    "comment": "",
    "load_balance": {"balance_type": 1}
}
request_payload = json.dumps(request_payload)

# verify=False skips TLS certificate checks (the WAF uses a self-signed certificate by default)
response = requests.post(url=url, headers=header, data=request_payload, verify=False)
print(response.status_code, response.text)
```
Setup: Before You Start
- Create a dedicated API Token. This token will be used only for automation tasks. Example token: 07ztvayj0rQl3GnMZ32F21LaJz0MvbtJ
- Create a custom IP group. Label it something like "Auto Blacklist Group"—we'll be updating this group via the API.
- Set up a blacklist rule. Create a blacklist that targets the IP group you just created.
How It Works
The general idea:
- Manually create a high-frequency attack detection rule (e.g., block IPs with multiple hits in a short time window). Here we set the ban time to 10 minutes (just to capture frequent attacker IPs).
- Use the Open API to fetch the offending IPs. If the right endpoint is hard to locate, open the page in your browser, press F12 to inspect the network requests, and search for the relevant API call.
- Push those IPs into your "Auto Blacklist Group" via the IP group update API.
Example Script
Step 1: Get the frequent attack IPs.
⚠️ Don’t forget to replace the token and the URL with your actual data.
```python
import requests
import json

# Replace with your actual API token
header = {
    "X-SLCE-API-TOKEN": "07ztvayj0rQl3GnMZ32F21LaJz0MvbtJ"
}

# Replace with your actual SafeLine WAF API endpoint
url = 'https://xxxx:9443/api/open/records/acl?page=1&page_size=20'

# Disable SSL warning if needed (verify=False below skips certificate checks)
requests.packages.urllib3.disable_warnings()

response = requests.get(url=url, headers=header, verify=False)
response.raise_for_status()
data = response.json()["data"]["data"]

# Collect the source IP of every blocked record
ip_list = []
for item in data:
    ip = item['ip']
    ip_list.append(ip)

print("Suspicious IPs:", ip_list)
```
Step 2: Push the IPs into the blacklist group.
Once the IPs are retrieved, simply call the API to write them into the IP group.
Use the IP group edit endpoint for this (PUT /api/open/ipgroup), which you can find in the API docs or in the browser's network tab as described above.
```python
# Continues from Step 1: reuses the imports, `header` and `ip_list` defined there.
# Replace with your actual IP group ID and URL
ipgroup_url = 'https://101.126.66.231:9443/api/open/ipgroup'

payload = {
    "id": 3,  # The ID of the "Auto Blacklist" group
    "reference": "",
    "comment": "Auto-blacklist group",
    "ips": ip_list
}

response = requests.put(
    url=ipgroup_url,
    data=json.dumps(payload),
    headers=header,
    verify=False
)
print("Update response:", response.text)
```
Optional Optimization
If you want to ensure only new IPs are added each time, you can first query the current IPs in the group, compare them with the new list, and only push the differences.
Use the IP group read endpoint to retrieve the group's current contents before computing the difference.
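As an added example (not from the article or from SafeLine's own code), here is one way to implement that diff-and-push step. It assumes a GET on /api/open/ipgroup?id=<id> returns the group with its current ips under data, and that the PUT replaces the whole list, so the merged list is sent rather than only the new addresses; it also drops malformed records and private/loopback addresses so the script can never blacklist the WAF's own upstream.

```python
import ipaddress
import json

import requests

# Assumptions (not from the SafeLine docs): GET /api/open/ipgroup?id=<id> returns the
# group with its current "ips" list under "data", and PUT replaces that list wholesale.
# Never push these ranges: they would blacklist the WAF itself or its upstreams.
SKIP_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

def is_blockable(ip_str):
    """True for a syntactically valid address outside the skipped ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # garbled record; do not feed it into the group
    return not any(ip in net for net in SKIP_NETWORKS)

def plan_update(existing_ips, fetched_ips):
    """Return (new_ips, merged_ips): what is not yet in the group, and the full
    list to send so a replacing PUT keeps the earlier entries."""
    existing = {ip for ip in existing_ips if is_blockable(ip)}
    new_ips = sorted({ip for ip in fetched_ips if is_blockable(ip)} - existing)
    return new_ips, sorted(existing | set(new_ips))

def sync_group(base_url, header, group_id, fetched_ips, session=requests):
    """Read the group, push only if something is new; return the new IPs."""
    # verify=False mirrors the article; pointing verify= at the WAF's CA file is safer.
    resp = session.get(f"{base_url}/api/open/ipgroup", headers=header,
                       params={"id": group_id}, verify=False)
    resp.raise_for_status()
    group = resp.json()["data"]
    new_ips, merged = plan_update(group.get("ips", []), fetched_ips)
    if not new_ips:
        return []
    payload = {"id": group_id, "reference": "", "comment": group.get("comment", ""),
               "ips": merged}
    session.put(f"{base_url}/api/open/ipgroup", headers=header,
                data=json.dumps(payload), verify=False).raise_for_status()
    return new_ips

if __name__ == "__main__":
    # Constructed sample: the group already holds 203.0.113.5; the fetch returned it
    # again, plus a new attacker, the WAF's own loopback upstream and a garbled record.
    print(plan_update(["203.0.113.5"],
                      ["203.0.113.5", "198.51.100.7", "127.0.0.1", "not-an-ip"]))
```

Call sync_group with the base URL, the header from Step 1, your group ID and the ip_list from Step 1 to run it against a real WAF.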
Final Thoughts
This is a simple but powerful way to automate IP blacklisting using SafeLine WAF's Open API. No more manual clicking. Just run the script on a schedule (e.g., with cron), and you're protected.
If you're using SafeLine and haven't explored the Open API yet—now’s the time.