
Bot Detection

After a Publisher publishes APIs in the API Developer Portal, hackers can invoke the APIs without an access token by scanning the open ports of a system. WSO2 API Manager therefore has a bot detection mechanism to prevent such attacks by identifying who tried to enter and invoke resources without proper authorization. The mechanism traces and logs the details of such unauthorized API calls and sends email notifications about them. This helps Publishers protect their data from bot attackers and improve the security of their data.

If hackers (e.g., bot attackers) try to invoke open service APIs, WSO2 API Manager logs all unauthorized API calls in the <API-M_HOME>/repository/logs/wso2-BotDetectedData.log file. The following is a sample log record.

INFO BotDetectionMediator MessageId : urn:uuid:535437f1-a178-4722-a232-164e4a7e0207 | Request Method : POST | Message Body : <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><jsonObject/></soapenv:Body> | client Ip : 127.0.0.1 | Headers set : [Accept=*/*, activityid=4b932127-d07e-43c3-bee2-4f5344074185, Content-Length=2, Content-Type=application/json, Host=localhost:8243, User-Agent=curl/7.58.0]  

Info

You can view the above logs without configuring API Manager Analytics.

If you enable WSO2 API Manager Analytics with WSO2 API Manager, you can enable email notifications for all unauthorized API calls that you receive and also view the bot detection data easily via the Admin Portal.

Note

If you wish to work with a third-party monitoring tool, you can use the details in the <API-M_HOME>/repository/logs/wso2-BotDetectedData.log trace log to build an alert mechanism and receive alerts.
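
One way to build such an alert from the trace log, as an added example that is not part of the WSO2 documentation or product: it parses records in the layout of the sample record above and flags client IPs that reach a threshold. The function names, the threshold, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Field layout follows the sample record on this page. The body and header values
# are attacker-controlled, so every parsed field must be treated as untrusted text.
RECORD = re.compile(
    r"BotDetectionMediator MessageId : (?P<message_id>\S+)"
    r" \| Request Method : (?P<method>\S+)"
    r" \| Message Body : (?P<body>.*)"  # greedy, so ' | client Ip : ' inside a body is skipped
    r" \| client Ip : (?P<client_ip>\S+)"
    r" \| Headers set : \[(?P<headers>.*)\]\s*$"
)

def parse_record(line):
    """Return the fields of one bot-detection record, or None if the line does not match."""
    m = RECORD.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Split only at ', ' that begins a new 'Name=' pair so commas inside values survive.
    pairs = re.split(r", (?=[A-Za-z0-9_-]+=)", rec["headers"])
    rec["headers"] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return rec

def noisy_clients(lines, threshold=3):
    """Map client IP -> count for IPs with at least `threshold` records in this batch."""
    counts = Counter(r["client_ip"] for r in map(parse_record, lines) if r)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def make_line(ip, body="<jsonObject/>"):
    """Build a constructed sample record in the page's format (test data only)."""
    return ("INFO BotDetectionMediator MessageId : urn:uuid:535437f1-a178-4722-a232-164e4a7e0207"
            " | Request Method : POST | Message Body : <soapenv:Body>" + body + "</soapenv:Body>"
            " | client Ip : " + ip + " | Headers set : [Accept=text/html, */*,"
            " Host=localhost:8243, User-Agent=curl/7.58.0]")

# Constructed batch: three calls from one documentation-range IP, one from another,
# one whose body tries to forge the client IP field, and one unrelated line.
SAMPLE = [make_line("198.51.100.7")] * 3 + [
    make_line("203.0.113.9"),
    make_line("203.0.113.9", body="x | client Ip : 10.0.0.1 | Headers set : [a=b]"),
    "INFO SomethingElse unrelated line",
]

if __name__ == "__main__":
    for ip, n in noisy_clients(SAMPLE).items():
        print(f"ALERT {ip}: {n} unauthorized API calls")
```

The header split is a heuristic: a header value that itself contains `, name=` is still split, so use the parsed headers as triage hints rather than as authoritative fields.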

Enabling email notifications for bot detection

Follow the instructions below to enable email notifications for bot detection:

  1. Enable WSO2 API Manager Analytics.

    Follow steps 1, 2, and 3 of the quick setup in Configuring API Manager Analytics.

  2. Share your API-M database (AM_DB).

    Modify the <API-M_ANALYTICS_HOME>/conf/worker/deployment.yaml file as follows.

    - name: AM_DB
      description: "The datasource used for APIM MGW analytics data."
      jndiConfig:
        name: jdbc/AM_DB
      definition:
        type: RDBMS
        configuration:
          jdbcUrl: 'jdbc:mysql://localhost:3306/apimgt_database'
          username: username
          password: password
          driverClassName: com.mysql.jdbc.Driver
          maxPoolSize: 50
          idleTimeout: 60000
          connectionTestQuery: SELECT 1
          validationTimeout: 30000
          isAutoCommit: false
  3. Enable Alerts.

  4. Follow the instructions below to configure an email address to send email alerts to subscribers.

    • Open the <API-M_ANALYTICS_HOME>/conf/worker/deployment.yaml file.
    • Navigate to the extensions configuration under siddhi configurations.
    • Add a new extension to configure the sender email address. The sample code is shown below.
        siddhi:
          extensions:
        ...
            -
              extension:
                name: email
                namespace: sink
                properties:
                  username: alex@gmail.com
                  address: alex@gmail.com
                  password: password 
        ...

    Warning

    Note that you might have to bypass a security warning to configure this with a private email address.

    • Go to the <API-M_ANALYTICS_HOME>/resources/apim-analytics/ directory. Copy the APIM_ALERT_BOT_DETECTION_EMAIL.siddhi file and paste it in the <API-M_ANALYTICS_HOME>/wso2/worker/deployment/siddhi-files directory.
  5. Start the WSO2 API Manager Analytics server.

    Navigate to the <API-M_ANALYTICS_HOME>/bin directory in your console and execute one of the following scripts based on your OS.

    • On Windows: worker.bat --run
    • On Linux/Mac OS: sh worker.sh
  6. Start the WSO2 API Manager server.

    Navigate to the <API-M_HOME>/bin directory in your console and execute one of the following scripts based on your OS.

    • On Windows: wso2server.bat --run
    • On Linux/Mac OS: sh wso2server.sh
  7. Sign in to the API Manager Admin Portal.

    https://<IP_Address>:9443/admin

  8. Click BOT DETECTION.

  9. Click CONFIGURE EMAILS.

    [Image: Add email recipients]

  10. Add the recipient's email address and click Add.

    If a hacker (e.g., bot attacker) tries to invoke an open service API, WSO2 API Manager will send emails to the email alert recipients. The following is a sample email notification.

    [Image: Sample email notification for unauthorized API call]

Viewing bot detection data via the Admin Portal

Follow the instructions below to view the bot detection data for the unauthorized API calls via the Admin Portal.

Note

Skip steps 1 to 7 if you have already enabled API Manager Analytics, configured the AM_DB database, configured Alerts, started the WSO2 API Manager Analytics and WSO2 API Manager servers, and signed in to the Admin Portal.

  1. Enable WSO2 API Manager Analytics.

    Follow steps 1, 2, and 3 of the quick setup in Configuring API Manager Analytics.

  2. Share your API-M database (AM_DB) by modifying the <API-M_ANALYTICS_HOME>/conf/worker/deployment.yaml file as follows.

    - name: AM_DB
      description: "The datasource used for APIM MGW analytics data."
      jndiConfig:
        name: jdbc/AM_DB
      definition:
        type: RDBMS
        configuration:
          jdbcUrl: 'jdbc:mysql://localhost:3306/apimgt_database'
          username: username
          password: password
          driverClassName: com.mysql.jdbc.Driver
          maxPoolSize: 50
          idleTimeout: 60000
          connectionTestQuery: SELECT 1
          validationTimeout: 30000
          isAutoCommit: false
  3. Enable Alerts.

  4. Follow the instructions below to configure an email address to send email alerts to subscribers.

    • Open the <API-M_ANALYTICS_HOME>/conf/worker/deployment.yaml file.
    • Navigate to the extensions configuration under siddhi configurations.
    • Add a new extension to configure the sender email address. The sample code is shown below.
        siddhi:
          extensions:
        ...
            -
              extension:
                name: email
                namespace: sink
                properties:
                  username: alex@gmail.com
                  address: alex@gmail.com
                  password: password 
        ...

    Warning

    Note that you might have to bypass a security warning to configure this with a private email address.

    • Go to the <API-M_ANALYTICS_HOME>/resources/apim-analytics/ directory. Copy the APIM_ALERT_BOT_DETECTION_EMAIL.siddhi file and paste it in the <API-M_ANALYTICS_HOME>/wso2/worker/deployment/siddhi-files directory.
  5. Start the WSO2 API Manager Analytics server.

    Navigate to the <API-M_ANALYTICS_HOME>/bin directory in your console and execute one of the following scripts based on your OS.

    • On Windows: worker.bat --run
    • On Linux/Mac OS: sh worker.sh
  6. Start the WSO2 API Manager server.

    Navigate to the <API-M_HOME>/bin directory in your console and execute one of the following scripts based on your OS.

    • On Windows: wso2server.bat --run
    • On Linux/Mac OS: sh wso2server.sh
  7. Sign in to the API Manager Admin Portal.

    https://<IP_Address>:9443/admin

  8. Click BOT DETECTION DATA.

    [Image: Bot detection data details for unauthorized API calls]

    If a hacker (e.g., bot attacker) tries to invoke an open service API, the bot detection data details, which are also recorded in the <API-M_HOME>/repository/logs/wso2-BotDetectedData.log trace log, will appear here.
