11# iprepd
22
3- iprepd is a centralized IP reputation daemon that can be used to store reputation information
4- for IP addresses and retrieve reputation scores for addresses.
3+ iprepd is a centralized reputation daemon that can be used to store reputation information
4+ for various objects such as IP addresses and retrieve reputation scores for the objects.
5+
6+ The project initially focused on managing reputation information for only IP addresses, but
7+ has since been expanded to allow reputation tracking for other types of values such as account
8+ names or email addresses.
59
610The daemon provides an HTTP API for requests, and uses a Redis server as the backend storage
711mechanism. Multiple instances of the daemon can be deployed using the same Redis backend.
@@ -29,11 +33,16 @@ docker run -ti --rm -v `pwd`/iprepd.yaml:/app/iprepd.yaml mozilla/iprepd:latest
2933
3034## API
3135
32- #### GET /10.0.0.1
36+ ### Endpoints
3337
34- Request the reputation for an IP address. Responds with 200 and a JSON document describing the
35- reputation if found. Responds with a 404 if the IP address is unknown to iprepd, or is in the
36- exceptions list.
38+ #### GET /type/ip/10.0.0.1
39+
40+ Request the reputation for an object of a given type. Responds with 200 and a JSON
41+ document describing the reputation if found. Responds with a 404 if the object is
42+ unknown to iprepd, or is in the exceptions list.
43+
44+ The current supported object types are ` ip ` for an IP address and ` email ` for an
45+ email address.
3746
3847The response body may include a ` decayafter ` element if the reputation for the address was changed
3948with a recovery suppression applied. If the timestamp is present, it indicates the time after which
@@ -43,22 +52,24 @@ the reputation for the address will begin to recover.
4352
4453``` json
4554{
46- "ip" : " 10.0.0.1"
55+ "object" : " 10.0.0.1"
56+ "type" : " ip"
4757 "reputation" : 75 ,
4858 "reviewed" : false ,
4959 "lastupdated" : " 2018-04-23T18:25:43.511Z"
5060}
5161```
5262
53- #### DELETE /10.0.0.1
63+ #### DELETE /type/ip/ 10.0.0.1
5464
55- Deletes the reputation entry for the IP address .
65+ Deletes the reputation entry for the requested object of the specified type .
5666
57- #### PUT /10.0.0.1
67+ #### PUT /type/ip/ 10.0.0.1
5868
59- Sets a reputation score for the IP address. A reputation JSON document must be provided with the
60- request body. The ` reputation ` field must be provided in the document. The reviewed field
61- can be included and set to true to toggle the reviewed field for a given reputation entry.
69+ Sets a reputation score for the specified object of the specified type. A reputation JSON
70+ document must be provided with the request body. The ` reputation ` field must be provided
71+ in the document. The reviewed field can be included and set to true to toggle the reviewed
72+ field for a given reputation entry.
6273
6374Note that if the reputation decays back to 100, if the reviewed field is set on the entry it will
6475toggle back to false.
@@ -72,27 +83,15 @@ decay logic should begin to be applied for the entry.
7283
7384``` json
7485{
75- "ip" : " 10.0.0.1"
86+ "object" : " 10.0.0.1"
87+ "type" : " ip"
7688 "reputation" : 75
7789}
7890```
7991
80- #### GET /violations
81-
82- Returns violations configured in iprepd in a JSON document.
83-
84- ##### Response body
85-
86- ``` json
87- [
88- {"name" : " violation1" "penalty" : 5 , "decreaselimit" : 50 },
89- {"name" : " violation2" "penalty" : 25 , "decreaselimit" : 0 },
90- ]
91- ```
92-
93- #### PUT /violations/10.0.0.1
92+ #### PUT /violations/type/ip/10.0.0.1
9493
95- Applies a violation penalty to an IP address .
94+ Applies a violation penalty to the specified object of the specified type .
9695
9796If an unknown violation penalty is submitted, this endpoint will still return 200, but the
9897error will be logged.
@@ -103,20 +102,21 @@ to decay back to 100. If this setting is not included, the reputation will begin
103102immediately. If the violation is being applied to an existing entry, the ` suppress_recovery ` field
104103will only be applied if the existing entry has no current recovery suppression, or the specified
105104recovery suppression time frame would result in a time in the future beyond which the entry
106- currently has. If ` suppress_recovery ` is included it must be less than ` 259200 ` (72 hours ).
105+ currently has. If ` suppress_recovery ` is included it must be less than ` 1209600 ` (14 days ).
107106
108107##### Request body
109108
110109``` json
111110{
112- "ip" : " 10.0.0.1"
111+ "object" : " 10.0.0.1"
112+ "type" : " ip"
113113 "violation" : " violation1"
114114}
115115```
116116
117- #### PUT /violations
117+ #### PUT /violations/type/ip
118118
119- Applies a violation penalty to a multiple IP addresses .
119+ Applies a violation penalty to a multiple objects of a given type .
120120
121121If an unknown violation penalty is submitted, this endpoint will still return 200, but the
122122error will be logged.
@@ -125,9 +125,21 @@ error will be logged.
125125
126126``` json
127127[
128- {"ip" : " 10.0.0.1" "violation" : " violation1"
129- {"ip" : " 10.0.0.2" "violation" : " violation1"
130- {"ip" : " 10.0.0.3" "violation" : " violation2"
128+ {"object" : " 10.0.0.1" "type" : " ip" "violation" : " violation1"
129+ {"object" : " 10.0.0.2" "type" : " ip" "violation" : " violation1"
130+ {"object" : " 10.0.0.3" "type" : " ip" "violation" : " violation2"
131+ ]
132+
133+ #### GET /violations
134+
135+ Returns violations configured in iprepd in a JSON document.
136+
137+ ##### Response body
138+
139+ ```json
140+ [
141+ {"name" : " violation1" "penalty" : 5 , "decreaselimit" : 50 },
142+ {"name" : " violation2" "penalty" : 25 , "decreaselimit" : 0 },
131143]
132144```
133145
@@ -160,6 +172,104 @@ Service heartbeat endpoint.
160172
161173Return version data.
162174
175+ ### Legacy endpoints
176+
177+ The initial version of iprepd focused purely on reputation management for IP addresses.
178+ Requests to the legacy endpoints deal only with IP addresses, and are intended to maintain
179+ compatibility with older clients.
180+
181+ Requests to the legacy endpoints are essentially the same thing as making a request to the
182+ standard endpoints with a type set to ` ip ` .
183+
184+ #### GET /10.0.0.1
185+
186+ Request the reputation for an IP address. Responds with 200 and a JSON document describing the
187+ reputation if found. Responds with a 404 if the IP address is unknown to iprepd, or is in the
188+ exceptions list.
189+
190+ The response body may include a ` decayafter ` element if the reputation for the address was changed
191+ with a recovery suppression applied. If the timestamp is present, it indicates the time after which
192+ the reputation for the address will begin to recover.
193+
194+ ##### Response body
195+
196+ ``` json
197+ {
198+ "ip" : " 10.0.0.1"
199+ "reputation" : 75 ,
200+ "reviewed" : false ,
201+ "lastupdated" : " 2018-04-23T18:25:43.511Z"
202+ }
203+ ```
204+
205+ #### DELETE /10.0.0.1
206+
207+ Deletes the reputation entry for the IP address.
208+
209+ #### PUT /10.0.0.1
210+
211+ Sets a reputation score for the IP address. A reputation JSON document must be provided with the
212+ request body. The ` reputation ` field must be provided in the document. The reviewed field
213+ can be included and set to true to toggle the reviewed field for a given reputation entry.
214+
215+ Note that if the reputation decays back to 100, if the reviewed field is set on the entry it will
216+ toggle back to false.
217+
218+ The reputation will begin to decay back to 100 immediately for the address based on the decay
219+ settings in the configuration file. If it is desired that the reputation should not decay for a
220+ period of time, the ` decayafter ` field can be set with a timestamp to indicate when the reputation
221+ decay logic should begin to be applied for the entry.
222+
223+ ##### Request body
224+
225+ ``` json
226+ {
227+ "ip" : " 10.0.0.1"
228+ "reputation" : 75
229+ }
230+ ```
231+
232+ #### PUT /violations/10.0.0.1
233+
234+ Applies a violation penalty to an IP address.
235+
236+ If an unknown violation penalty is submitted, this endpoint will still return 200, but the
237+ error will be logged.
238+
239+ If desired, ` suppress_recovery ` can be included in the request body and set to an integer which
240+ indicates the number of seconds that must elapse before the reputation for this entry will begin
241+ to decay back to 100. If this setting is not included, the reputation will begin to decay
242+ immediately. If the violation is being applied to an existing entry, the ` suppress_recovery ` field
243+ will only be applied if the existing entry has no current recovery suppression, or the specified
244+ recovery suppression time frame would result in a time in the future beyond which the entry
245+ currently has. If ` suppress_recovery ` is included it must be less than ` 259200 ` (72 hours).
246+
247+ ##### Request body
248+
249+ ``` json
250+ {
251+ "ip" : " 10.0.0.1"
252+ "violation" : " violation1"
253+ }
254+ ```
255+
256+ #### PUT /violations
257+
258+ Applies a violation penalty to a multiple IP addresses.
259+
260+ If an unknown violation penalty is submitted, this endpoint will still return 200, but the
261+ error will be logged.
262+
263+ ##### Request body
264+
265+ ``` json
266+ [
267+ {"ip" : " 10.0.0.1" "violation" : " violation1"
268+ {"ip" : " 10.0.0.2" "violation" : " violation1"
269+ {"ip" : " 10.0.0.3" "violation" : " violation2"
270+ ]
271+ ```
272+
163273## Acknowledgements
164274
165275The API design and overall concept for this project are based on work done in
0 commit comments