Configuring automated ASE attack blocking
When the AI Engine detects an attack, it adds an entry to its deny list, which consists of the usernames, tokens, application programming interface (API) keys, cookies, and Internet Protocol (IP) addresses of clients that were detected executing attacks.
About this task
If blocking is enabled for the API, the deny list is automatically sent to API Security Enforcer (ASE) nodes, which block the client's future access using the identifiers on the list.
Steps
- To activate API Behavioral Security (ABS) log processing, run the following ASE command:
  Example:
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin enable_abs
  After log processing is enabled, ASE sends log data to ABS, which processes the log data to look for attacks and generate reports.
- To activate automatic client blocking, run the following ASE command:
  Example:
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin enable_abs_attack
  ABS generates a list of clients that are suspected of executing attacks. ABS can be configured to automatically send the attack list to ASE, which blocks client access. By default, automatic blocking is inactive.
- To disable automatic sending of ABS attack lists to ASE, run the following ASE command:
  Example:
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin disable_abs_attack
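The steps above combined into one wrapper, as an added example that is not part of ASE or its documentation: it enables log processing before blocking, stops if the first command fails, and takes the CLI credentials from the environment rather than from the script text. The variable names `ASE_CLI`, `ASE_USER` and `ASE_PASS`, the function names, and the assumption that `cli.sh` exits non-zero on failure are this example's own.

```shell
#!/bin/sh
# Added example: wrapper around the three ASE CLI commands shown above.
# Assumptions (not from the product documentation): the ASE_CLI, ASE_USER and
# ASE_PASS variable names, and that cli.sh exits non-zero when a command fails.
ASE_CLI="${ASE_CLI:-/opt/pingidentity/ase/bin/cli.sh}"

# Run one ASE CLI command with credentials taken from the environment.
ase_cmd() {
    if [ -z "${ASE_USER:-}" ] || [ -z "${ASE_PASS:-}" ]; then
        echo "ASE_USER and ASE_PASS must be set" >&2
        return 2
    fi
    "$ASE_CLI" -u "$ASE_USER" -p "$ASE_PASS" "$1"
}

# abs_blocking on  -> enable ABS log processing, then automatic blocking
# abs_blocking off -> stop automatic blocking, leave log processing running
abs_blocking() {
    case "${1:-}" in
        on)
            # Order matters: the attack list comes from ABS processing ASE
            # logs, so blocking is not enabled if log processing failed.
            ase_cmd enable_abs || {
                echo "enable_abs failed; blocking left unchanged" >&2
                return 1
            }
            ase_cmd enable_abs_attack || {
                echo "enable_abs_attack failed" >&2
                return 1
            }
            ;;
        off)
            ase_cmd disable_abs_attack || {
                echo "disable_abs_attack failed" >&2
                return 1
            }
            ;;
        *)
            echo "usage: abs_blocking on|off" >&2
            return 2
            ;;
    esac
}
```

After sourcing the file, call `abs_blocking on` or `abs_blocking off` on the ASE node.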