The API Security Enforcer (ASE) maintains both allow lists and deny lists.
- Allow list
  - List of safe IP addresses, cookies, OAuth2 tokens, API keys, or usernames that are never blocked by ASE.
  - The list is generated manually by adding the client identifiers with command-line interface (CLI) commands.
- Deny list
  - List of bad IP addresses, cookies, OAuth2 tokens, API keys, or usernames that are always blocked by ASE.
  - The list consists of entries from one or more of the following sources:
    - API Behavioral Security (ABS)-detected attacks, such as data exfiltration. ABS-detected entries have a time-to-live (TTL) in minutes; the TTL is configured in ABS.
    - ASE-detected attacks, such as an invalid method or a decoy API being accessed.
    - Bad clients added manually with the CLI.
Managing the allow list
To manage OAuth2 tokens, cookies, IP addresses, API keys, and usernames on an allow list:
- To add an IP address to an allow list, run the add_whitelist command with the ip option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist ip 10.10.10.10
    ip 10.10.10.10 added to whitelist
- To add a cookie to an allow list, run the add_whitelist command with the cookie option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist cookie JSESSIONID cookie_1.4
    cookie JSESSIONID cookie_1.4 added to whitelist
- To add a token to an allow list, run the add_whitelist command with the token option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist token token1.4
    token token1.4 added to whitelist
- To add an API key to an allow list, run the add_whitelist command with the api_key option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist api_key X-API-KEY key_1.4
    api_key X-API-KEY key_1.4 added to whitelist
- To add a username to an allow list, run the add_whitelist command with the username option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist username abc@example.com
    username abc@example.com added to whitelist
- To view an allow list, run the view_whitelist command.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_whitelist
    Whitelist
    1) type : ip, value : 1.1.1.1
    2) type : cookie, name : JSESSIONID, value : cookie_1.1
    3) type : token, value : token1.3
    4) type : api_key, name : X-API-KEY, value : key_1.4
    5) type : username, value : abc@example.com
- To delete an entry from an allow list, run the delete_whitelist command with the type and value of the entry.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist ip 4.4.4.4
    ip 4.4.4.4 deleted from whitelist
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist cookie JSESSIONID cookie_1.1
    cookie JSESSIONID cookie_1.1 deleted from whitelist
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist token token1.1
    token token1.1 deleted from whitelist
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist api_key X-API-KEY key_1.4
    api_key X-API-KEY key_1.4 deleted from whitelist
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist username abc@example.com
- To clear the allow list, run the clear_whitelist command. The command asks for confirmation before deleting anything.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin clear_whitelist
    This will delete all whitelist Attacks, Are you sure (y/n) : y
    Whitelist cleared
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin clear_whitelist
    This will delete all whitelist Attacks, Are you sure (y/n) : n
    Action canceled
Managing the deny list
To manage IP addresses, cookies, OAuth2 tokens, API keys, and usernames on a deny list:
- To add an IP address to a deny list, run the add_blacklist command with the ip option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist ip 1.1.1.1
    ip 1.1.1.1 added to blacklist
- To add a cookie to a deny list, run the add_blacklist command with the cookie option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist cookie JSESSIONID ad233edqsd1d23redwefew
    cookie JSESSIONID ad233edqsd1d23redwefew added to blacklist
- To add a token to a deny list, run the add_blacklist command with the token option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist token ad233edqsd1d23redwefew
    token ad233edqsd1d23redwefew added to blacklist
- To add an API key to a deny list, run the add_blacklist command with the api_key option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist api_key AccessKey b31dfa4678b24aa5a2daa06aba1857d4
    api_key AccessKey b31dfa4678b24aa5a2daa06aba1857d4 added to blacklist
- To add a username to a deny list, run the add_blacklist command with the username option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist username abc@example.com
    username abc@example.com added to blacklist
  You can also add a username that contains a space to a deny list, for example "your name".
- To view the entire deny list, run the view_blacklist command with the all option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist all
    Manual Blacklist
    1) type : ip, value : 172.168.11.110
    2) type : token, value : cdE94R3osh283B7NoiJR41XHgt7gxroot
    3) type : username, value : blockeduser
    4) type : cookie, name : JSESSIONID, value : pZlhg5s3i8csImMoas7vh81vz
    5) type : api_key, name : x-api-key, value : d4d28833e2c24be0913f4267f3b91ce5
    ABS Generated Blacklist
    1) type : token, value : fAtTzxFJZ2Zkr7HZ9KM17s7kY2Mu
    2) type : token, value : oFQOr11Gj8cCRv1k4849RZOPztPP
    3) type : token, value : Rz7vn5KoLUcAhruQZ4H5cE00s2mG
    4) type : token, value : gxbkGPNuFJw69Z5PF44PoRIfPugA
    5) type : username, value : user1
    Realtime Decoy Blacklist
    1) type : ip, value : 172.16.40.15
    2) type : ip, value : 1.2.3.4
  Note: You can view the entire deny list or only the entries for one type of real-time violation.
- To view the deny list entries created by decoy API access, run the view_blacklist command with the decoy option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist decoy
    Realtime Decoy Blacklist
    1) type : ip, value : 4.4.4.4
- To view the deny list entries created by protocol violations, run the view_blacklist command with the invalid_protocol option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist invalid_protocol
    Realtime Protocol Blacklist
    1) type : token, value : token1.1
    2) type : ip, value : 1.1.1.1
    3) type : cookie, name : JSESSIONID, value : cookie_1.1
- To view the deny list entries created by method violations, run the view_blacklist command with the invalid_method option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist invalid_method
    Realtime Method Blacklist
    1) type : token, value : token1.3
    2) type : ip, value : 3.3.3.3
    3) type : cookie, name : JSESSIONID, value : cookie_1.3
- To view the deny list entries created by content-type violations, run the view_blacklist command with the invalid_content_type option.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist invalid_content_type
    Realtime Content-Type Blacklist
    1) type : token, value : token1.2
    2) type : ip, value : 2.2.2.2
    3) type : cookie, name : JSESSIONID, value : cookie_1.2
- To view ABS-detected attacks, run the view_blacklist command with the abs_detected option. When no ABS-detected entries exist, the command prints No Blacklist.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist abs_detected
    No Blacklist
- To delete an entry from a deny list, run the delete_blacklist command with the type and value of the entry.
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_blacklist ip 1.1.1.1
    ip 1.1.1.1 deleted from blacklist
    ./bin/cli.sh -u admin -p admin delete_blacklist cookie JSESSIONID avbry47wdfgd
    cookie JSESSIONID avbry47wdfgd deleted from blacklist
    ./bin/cli.sh -u admin -p admin delete_blacklist token 58fcb0cb97c54afbb88c07a4f2d73c35
    token 58fcb0cb97c54afbb88c07a4f2d73c35 deleted from blacklist
    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_blacklist api_key AccessKey b31dfa4678b24aa5a2daa06aba1857d4
- To clear the deny list, run the clear_blacklist command. The command asks for confirmation before deleting anything.
  Warning: Before clearing the deny list, make sure that real-time ASE-detected attacks and ABS-detected attacks are disabled. If they are not disabled, the deny list is populated again because both ASE and ABS detect attacks continuously.
    ./bin/cli.sh -u admin -p admin clear_blacklist
    This will delete all blacklist Attacks, Are you sure (y/n) :y
    Blacklist cleared
    ./bin/cli.sh -u admin -p admin clear_blacklist
    This will delete all blacklist Attacks, Are you sure (y/n) :n
    Action canceled
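The view_blacklist output shown above is plain text: a sub-list heading (Manual, ABS Generated, Realtime Decoy, and so on) followed by numbered type/name/value entries. The following parser is an added example, not part of the ASE product or this documentation; it assumes the CLI prints one entry per line under each heading, and turns a captured view_blacklist all transcript (a constructed sample built from the values above) into structured records so the deny list can be audited or exported, for example to review which entries ABS added automatically.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `view_blacklist all` output (values taken from this page), assumed
# to be printed one entry per line under each sub-list heading.
SAMPLE_OUTPUT = """\
Manual Blacklist
1) type : ip, value : 172.168.11.110
2) type : token, value : cdE94R3osh283B7NoiJR41XHgt7gxroot
3) type : username, value : blockeduser
4) type : cookie, name : JSESSIONID, value : pZlhg5s3i8csImMoas7vh81vz
5) type : api_key, name : x-api-key, value : d4d28833e2c24be0913f4267f3b91ce5
ABS Generated Blacklist
1) type : token, value : fAtTzxFJZ2Zkr7HZ9KM17s7kY2Mu
Realtime Decoy Blacklist
1) type : ip, value : 172.16.40.15
2) type : ip, value : 1.2.3.4
"""

# "N) type : <type>[, name : <name>], value : <value>"; the value runs to end of line because usernames may contain spaces
ENTRY_RE = re.compile(
    r"^\d+\)\s*type\s*:\s*(?P<type>\w+)"
    r"(?:,\s*name\s*:\s*(?P<name>[^,\s]+))?"
    r",\s*value\s*:\s*(?P<value>.+?)\s*$"
)

@dataclass(frozen=True)
class DenyEntry:
    source: str  # heading minus "Blacklist": Manual, ABS Generated, Realtime Decoy, ...
    type: str    # ip, cookie, token, api_key or username
    name: str    # cookie or API-key header name; empty for the other types
    value: str

def parse_view_blacklist(text: str) -> List[DenyEntry]:
    """Parse a view_blacklist transcript; reject any line that is not a heading or entry."""
    entries: List[DenyEntry] = []
    source = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "No Blacklist":   # an empty list prints only "No Blacklist"
            continue
        if line.endswith("Blacklist"):           # sub-list heading
            source = line[: -len("Blacklist")].strip()
            continue
        m = ENTRY_RE.match(line)
        if m is None or source is None:
            raise ValueError(f"unexpected line in view_blacklist output: {line!r}")
        entries.append(DenyEntry(source, m["type"], m["name"] or "", m["value"]))
    return entries
```

The same parser reads the output of the decoy, invalid_protocol, invalid_method, invalid_content_type and abs_detected views, since they use the same heading and entry layout.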