Why Real-Time Alerts
One of the most common uses of Apility.io is to check that third-party information such as IP addresses, domains or emails is not harmful to our infrastructure: in other words, to find out whether customer X may harm us or abuse our services. But what about our own infrastructure? How do we know that the IP addresses or domains of our services (or of our customers) are not harming anyone? It is the job of System Administrators in traditional IT, and of DevOps in the new IT, to prevent this by implementing the necessary security measures. Unfortunately, these measures are often not enough, and our own services may be compromised and hurting someone out there. The Real-Time Alerts service lets you check whether any of your resources – IP addresses, domains or emails – have been classified as malicious by any of the blacklists that Apility.io scans.
How Real-Time Alerts work
From now on, Apility.io users can create a number of alerts that depends on the plan they have chosen. The lower plans are intended for small deployments with a few dozen IP addresses; the larger plans are intended for Service Providers, Cloud Providers and Telcos with millions of IP addresses.
The user can enter individual IP addresses, complete CIDR blocks, or a mix of the two. Overlapping or duplicate entries do not cause problems, although we obviously recommend that you do not duplicate resources.
Once the IP addresses and/or CIDR blocks have been uploaded, an alert is generated as soon as any of the monitored IP addresses appears in any of the blacklists we compile, and it is sent by email. This email is sent every five minutes and bundles together all the alerts raised in that interval. From that point on, it is the recipient's responsibility to take the appropriate steps to 'clean' that IP address.
The Overview page
When you log in to the management dashboard, the top of the screen shows the limits of each resource and how much of each has been consumed. Here you can see the number of alerts still available: the maximum number of alerts for the chosen plan minus the number of IP addresses currently being monitored.
The configuration page
To open the configuration page, click the 'Alerts' entry in the menu on the left-hand side.
The first time you do so, the following page opens:
Configure the email recipients and the Email reporting
At the top of the page, the user can turn the email alert service on and off with the switch at the right-hand side of 'Enable Email Reports?'. When the switch is set to YES, the email reporting service forwards all alerts to the list of recipients in the textbox below; when it is set to NO, no alerts are emailed to the recipients. Even when email alerts are disabled, the alerts are still stored and can be displayed in the Alert Activity table below.
Users on the FREE or TRIAL plan can only send email alerts to the email address used at registration. Starting with the DEVELOPER plan, it is possible to choose a list of recipient addresses different from the registration email. The size of this list depends on the plan, from two (2) emails in the DEVELOPER plan to seven (7) in the ENTERPRISE plan. To change the recipient list, enter a comma-separated list of emails in the textbox below the label 'Report to these Email addresses' and press Save to confirm.
Import IP addresses and CIDR blocks
To import the IP addresses and CIDR blocks to monitor, enter the list of resources in the input box labeled 'IP address and CIDR to import'. Each line must contain exactly one IP address or one CIDR block. There is no limit on the number of elements to import other than the number of alerts available. We strongly recommend preparing this list in a text editor and, once it is ready, copying and pasting it into the input box.
Click the Import button. All valid IP addresses and CIDR blocks now appear in the table on the right-hand side, while badly formatted entries, and the IP addresses and CIDR blocks that do not fit within the number of alerts allowed, remain in the input box on the left-hand side.
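As an added illustration of how such an import can be validated (example code written for this page, not Apility.io's own implementation), the following Python function parses each pasted line as an IP address or CIDR block, rejects malformed lines, drops exact duplicates, and checks the running total against the alerts available. It assumes, as the text implies, that every monitored IP address consumes one alert (so a /24 consumes 256) and that overlapping entries are counted only once; the sample paste is constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ImportResult:
    accepted: list = field(default_factory=list)    # ip_network objects now monitored
    rejected: list = field(default_factory=list)    # lines left in the input box
    duplicates: list = field(default_factory=list)  # exact repeats of an accepted entry
    alerts_used: int = 0


def parse_resource(line: str):
    """Return an ip_network for one IP address or CIDR block, or None if malformed.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network so that single
    addresses and blocks share one type and one counting rule.
    """
    try:
        # strict=True rejects a CIDR with host bits set (e.g. 192.0.2.1/24)
        # instead of silently rewriting it, so the user sees it as malformed.
        return ipaddress.ip_network(line.strip(), strict=True)
    except ValueError:
        return None


def alerts_consumed(nets) -> int:
    """Alerts used by a set of networks: one per address, counting each address
    once even when entries overlap (assumption made for this example).
    collapse_addresses cannot mix versions, so IPv4 and IPv6 are handled apart."""
    total = 0
    for version in (4, 6):
        same_version = [n for n in nets if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same_version))
    return total


def import_resources(text: str, alerts_available: int) -> ImportResult:
    """Validate pasted lines in order; an entry that would push the total over
    the available alerts is rejected, and later, smaller entries may still fit."""
    result = ImportResult()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        net = parse_resource(line)
        if net is None:
            result.rejected.append(line)           # badly formatted
        elif net in result.accepted:
            result.duplicates.append(line)         # already monitored, nothing to add
        elif alerts_consumed(result.accepted + [net]) > alerts_available:
            result.rejected.append(line)           # does not fit in the plan's alerts
        else:
            result.accepted.append(net)
    result.alerts_used = alerts_consumed(result.accepted)
    return result


# Constructed sample paste, not real data: one duplicate, one garbage line, one
# CIDR with host bits set, and one block that no longer fits in 300 alerts.
CONSTRUCTED_INPUT = """
203.0.113.10
203.0.113.0/28
198.51.100.0/24
203.0.113.10
not-an-ip
192.0.2.1/24
2001:db8::/126
192.0.2.0/25
"""

if __name__ == "__main__":
    res = import_resources(CONSTRUCTED_INPUT, alerts_available=300)
    print("accepted:", [str(n) for n in res.accepted], "alerts used:", res.alerts_used)
    print("left in input box:", res.rejected, "duplicates:", res.duplicates)
```

With 300 alerts available, the /28 absorbs the single address already inside it, the IPv6 /126 still fits after the /24, and the final /25 is left in the input box because it would need 128 more alerts than remain.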
To remove an IP address or CIDR block from the list of monitored resources, click the Remove button in its row. To test that emails reach the recipient list, click the Test Email button and check your inbox:
This email contains the list of IP addresses that were newly found in the blacklists Apility.io tracks. Clicking the link on each IP address shows the full information about that address and why it raised an alert. You have to be logged into the Apility.io Management Dashboard to see the IP address information.
If the recipients do not receive this email, check the SPAM folder. We strongly recommend adding the email address firstname.lastname@example.org to the contact list of your email application so that our emails are not misclassified as spam.
All alerts raised are stored in our databases. The activity log at the bottom of the page displays the following information:
- When the alert was created
- The status of the alert: Reported means the alert was sent to the users; Acknowledged means a user has accepted the alert.
- IP address: the IP that triggered the alert.
- Blacklists: the blacklists the IP address was listed on when the alert was triggered.
For each IP address the user can perform two actions:
- Mute an IP address: the IP address is added to a whitelist and future alerts for it are ignored.
- Acknowledge an alert: this flag indicates that the user has accepted the alert.
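The following Python model, added here as an example and not Apility.io's code, ties together the alert lifecycle described above: monitored resources (single IPs and CIDR blocks) are matched against blacklist snapshots, muted IPs are skipped, an alert fires only when an IP appears on a blacklist it was not already reported for (the "found new" rule), a user can acknowledge alerts, and alerts are bundled into five-minute digests. The feed format (a dict from blacklist name to listed IPs), the blacklist names and all addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

REPORTED = "Reported"          # alert was sent to the users
ACKNOWLEDGED = "Acknowledged"  # a user accepted the alert


@dataclass
class Alert:
    created: datetime
    ip: str
    blacklists: Tuple[str, ...]  # every list the IP was on when the alert fired
    status: str = REPORTED


class AlertMonitor:
    """Toy model of the alert lifecycle: match blacklist snapshots against the
    monitored resources, skip muted IPs, raise an alert only for a listing not
    reported before, let users acknowledge, and bundle alerts into digests."""

    def __init__(self, monitored: Iterable[str], muted: Iterable[str] = ()):
        self.monitored = [ipaddress.ip_network(m) for m in monitored]
        self.muted = {ipaddress.ip_address(m) for m in muted}
        self.alerts: List[Alert] = []
        self._seen = set()  # (ip, blacklist) pairs already reported

    def _is_monitored(self, ip) -> bool:
        # ip_network.__contains__ is False across IPv4/IPv6, so no version check needed
        return any(ip in net for net in self.monitored)

    def scan(self, feed: Dict[str, Iterable[str]], now: datetime) -> List[Alert]:
        """feed maps blacklist name -> IPs it currently lists (constructed format).
        Returns the alerts raised by this scan, ordered by address."""
        listed: dict = {}
        for blacklist, entries in feed.items():
            for entry in entries:
                ip = ipaddress.ip_address(entry)
                if self._is_monitored(ip) and ip not in self.muted:
                    listed.setdefault(ip, set()).add(blacklist)
        raised = []
        for ip in sorted(listed, key=lambda a: (a.version, int(a))):
            pairs = {(ip, bl) for bl in listed[ip]}
            if pairs - self._seen:  # at least one listing we have not reported yet
                raised.append(Alert(now, str(ip), tuple(sorted(listed[ip]))))
                self._seen |= pairs
        self.alerts.extend(raised)
        return raised

    def mute(self, ip: str) -> None:
        """Whitelist an IP: future scans ignore it."""
        self.muted.add(ipaddress.ip_address(ip))

    def acknowledge(self, ip: str) -> int:
        """Mark every Reported alert for this IP as Acknowledged; returns how many changed."""
        changed = 0
        for alert in self.alerts:
            if alert.ip == ip and alert.status == REPORTED:
                alert.status = ACKNOWLEDGED
                changed += 1
        return changed

    def digest(self, start: datetime, interval: timedelta = timedelta(minutes=5)) -> List[Alert]:
        """Alerts created in [start, start + interval): the contents of one bundled email."""
        return [a for a in self.alerts if start <= a.created < start + interval]


def demo():
    """Two scans five minutes apart over constructed blacklist snapshots."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    mon = AlertMonitor(monitored=["203.0.113.0/28", "198.51.100.7"], muted=["203.0.113.9"])
    first = {"list-a": ["203.0.113.5", "203.0.113.9", "192.0.2.44"],
             "list-b": ["203.0.113.5", "198.51.100.7"]}
    second = {**first, "list-c": ["198.51.100.7"]}  # one new listing appears
    raised_first = mon.scan(first, t0)
    mon.acknowledge("203.0.113.5")
    raised_second = mon.scan(second, t0 + timedelta(minutes=5))
    return mon, raised_first, raised_second


if __name__ == "__main__":
    monitor, r1, r2 = demo()
    for a in monitor.alerts:
        print(a.created.isoformat(), a.status, a.ip, ", ".join(a.blacklists))
```

In the demo the first scan raises two alerts (198.51.100.7 and 203.0.113.5; 203.0.113.9 is muted and 192.0.2.44 is not monitored), and the second scan raises only one, for 198.51.100.7, because list-c is the only listing not already reported; its Blacklists column still shows both lists the address is on, matching what the activity log records.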