Backend Overview - jastit00/IT-Sec-Projekt GitHub Wiki

Author: Vincent K

The backend is responsible for processing log data, analyzing security-relevant events, and providing the corresponding interfaces. The implementation is based on two core Django applications:

log_processor

  • Handles the import and validation of incoming log files.
  • Extracts login activities and changes to system settings.
  • Converts raw data into a structured format and stores it in the database.

incident_detector

  • Analyzes the stored logs for security-critical activities.
  • Detects suspicious patterns such as multiple failed login attempts or unusual configuration changes.
  • Generates incidents from the identified security-critical events.

Project Structure

IT-Security-Projekt/
β”‚   .env
β”‚   manage.py
β”‚
β”œβ”€β”€β”€backend/                 # Django core settings and entry points
β”‚   β”‚   asgi.py
β”‚   β”‚   settings.py
β”‚   β”‚   urls.py
β”‚   β”‚   wsgi.py
β”‚
β”œβ”€β”€β”€log_processor/           # App for log upload and processing
β”‚   β”‚   apps.py
β”‚   β”‚   models.py
β”‚   β”‚   serializers.py
β”‚   β”‚   tests.py
β”‚   β”‚   urls.py
β”‚   β”‚
β”‚   β”œβ”€β”€β”€services/            # Log processing business logic
β”‚   β”‚   β”‚   log_parser.py
β”‚   β”‚   β”‚   log_uploader.py
β”‚   β”‚   β”‚   utils.py
β”‚   β”‚
β”‚   └───views/               # API views for log handling
β”‚       β”‚   analytics.py
β”‚       β”‚   config.py
β”‚       β”‚   unified_log.py
β”‚       β”‚   upload.py
β”‚       β”‚   utils.py
β”‚       β”‚   validation.py
β”‚
└───incident_detector/       # App for incident detection
    β”‚   apps.py
    β”‚   models.py
    β”‚   serializers.py
    β”‚   services.py
    β”‚   tests.py
    β”‚
    β”œβ”€β”€β”€services/            # Detection logic modules
    β”‚   β”‚   bruteforce.py
    β”‚   β”‚   concurrent_login.py
    β”‚   β”‚   critical_config.py
    β”‚   β”‚   ddos.py
    β”‚   β”‚   detection.py
    β”‚   β”‚   utils.py

Technologies

  • Python – The primary programming language used for backend development.
  • Django – A web framework that provides a robust ORM for database interaction and a modular architecture for scalable web applications.
  • Django REST Framework – Used for building RESTful APIs and managing HTTP requests and responses.
  • PostgreSQL – A relational database system for securely storing log data.
  • dotenv (python-dotenv) – Loads environment variables from configuration files for secure and flexible deployment.
  • PyJWT (jwt) – Handles encoding, decoding, and verification of JSON Web Tokens (JWT) for authentication and authorization.
  • cryptography – Provides cryptographic primitives and algorithms for secure data handling.
  • requests – A simple and powerful HTTP client for interacting with external APIs and services.
Library Purpose
Django Core backend framework providing ORM, routing, and request handling
djangorestframework REST API request/response management, serialization
django-cors-headers Enables Cross-Origin Resource Sharing (CORS)
psycopg2-binary PostgreSQL adapter for Django
re Regular expression operations
datetime, timezone Date, time, and timezone-aware timestamp processing
os, tempfile File system operations, temporary file handling
logging Application logging and debugging
python-dotenv Management of environment variables
PyJWT Encoding, decoding, and validating JSON Web Tokens (JWTs)
requests HTTP client for making external API calls (e.g. fetching public keys for JWT verification)
cryptography Cryptographic operations for secure data handling

CORS-Settings

The middleware django-cors-headers was integrated to enable Cross-Origin Resource Sharing (CORS), allowing the Angular frontend to communicate with the Django backend during development. The configuration ensures that requests from specific origins, headers, and methods are accepted while maintaining proper security controls.

CORS_ALLOWED_ORIGINS defines the allowed origins for cross-origin requests. In this case, requests from the Angular development server (both localhost and 127.0.0.1 on port 4200) are permitted:

CORS_ALLOWED_ORIGINS = [
    "http://localhost:4200",
    "http://127.0.0.1:4200",
]

CORS_ALLOW_HEADERS specifies which HTTP headers are permitted in cross-origin requests. This includes common headers such as Authorization, Content-Type, X-CSRFToken, and others needed for secure communication:

CORS_ALLOW_HEADERS = [
    'accept',
    'accept-encoding',
    'authorization',
    'content-type',
    'dnt',
    'origin',
    'user-agent',
    'x-csrftoken',
    'x-requested-with',
]

CORS_ALLOW_CREDENTIALS enables the use of credentials such as cookies or authorization headers in cross-origin requests.

CORS_ALLOW_CREDENTIALS = True

CORS_ALLOW_METHODS lists the HTTP methods that are allowed for cross-origin requests. This configuration supports the typical CRUD operations:

CORS_ALLOW_METHODS = [
    "GET",
    "POST",
    "PUT",
    "PATCH",
    "DELETE",
    "OPTIONS"
]

Database Settings

The database credentials are not hard-coded into the source code. Instead, they are securely stored in a .env file. These environment variables are loaded in settings.py using os.environ.get(), ensuring that sensitive information like usernames, passwords, and connection details are kept separate from the codebase and version control.

The database configuration is as follows:

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': os.environ.get('DB_NAME'),
        'USER': os.environ.get('DB_USER'),
        'PASSWORD': os.environ.get('DB_PASSWORD'),
        'HOST': os.environ.get('DB_HOST'),
        'PORT': os.environ.get('DB_PORT'),
    }
}

ENGINE: Specifies the database backend used, in this case, PostgreSQL.

NAME, USER, PASSWORD, HOST, PORT: These values are dynamically loaded from environment variables for enhanced security and flexibility.

Project Setup

The following commands are typically used during the initial setup and development of the project:

Command Description
python manage.py makemigrations Generates migration files based on changes to the data models
python manage.py migrate Applies migrations and updates the database schema accordingly
python manage.py runserver Starts the Django development server

The command python manage.py flush clears all data from the database. This is mainly used for resetting the database during development or testing, not typically during the initial setup.

Running Tests

Unit tests are implemented in:

  • log_processor/tests.py
  • incident_detector/tests.py

All tests can be executed using:

python manage.py test

API Endpoints

The Django backend provides a set of RESTful API endpoints to support log file processing, incident detection, and security event analysis. These endpoints are consumed by the frontend application and can also be used for integration with other systems or automation tools.

The API follows standard HTTP methods (GET, POST) and returns data in JSON format. Authentication is required for all endpoints to ensure secure access.

Below is an overview of the available API endpoints provided by log_processor/views.py:

Method Endpoint Description
POST /api/logfiles/ Upload a log file
POST /api/incidents-config/ Get or update current thresholds for incident detection
GET /api/logfiles/processed-logins/ List of processed login events
GET /api/logfiles/config-changes/ List of detected configuration changes
GET /api/logfiles/unified-event-log/ Combined event log (login, logout, etc.)
GET /api/logfiles/dos-packets/ Overview of detected DoS packets
GET /api/logfiles/ddos-packets/ Overview of detected DDoS packets
GET /api/logfiles/incidents/ List of detected incidents

Authentication

Authentication and authorization for the backend are handled via Keycloak, which issues JSON Web Tokens (JWT) to secure API endpoints. Integration details, including token validation, are documented in the log_processor article.