kiowa

Advanced Web Server Security & Log Analysis Tool
Tags: CLI Tool, Apache, iptables, Bot Detection, Log Analysis

kiowa is a robust, TypeScript-based command-line utility designed for system administrators and DevOps professionals who need advanced log analysis and automated security enforcement for web servers. Built specifically for Linux environments, kiowa integrates with iptables to provide real-time monitoring, malicious activity detection, and automated IP blocking for enhanced server protection. It is aimed primarily at Apache HTTP Server logs.

Log Monitoring & Analysis

  • Real-time Log Tailing: Monitor multiple virtual host logs simultaneously with domain filtering
  • Historical Log Analysis: Retrieve and analyse log entries within specified time frames (minutes or days)
  • Smart Log Parsing: Convert Common Log Format (CLF) entries into structured data with enhanced metadata
  • Geolocation Integration: Automatically resolve IP addresses to country codes and names for geographical insights
  • Bot Detection: Identify and categorize crawler and bot traffic using advanced user agent analysis

Security Automation

  • Malicious Request Detection: Pattern-based identification of suspicious or malicious requests
  • Automatic IP Blocking: Configure thresholds to automatically block IPs making repeated suspicious requests
  • Country-based Filtering: Whitelist or blacklist traffic based on country of origin
  • Attack Pattern Rules: Configurable rule system to identify common attack vectors (e.g., WordPress login attempts)
  • Firewall Management: Command-line interface for managing iptables firewall rules

Use Cases

  • Managed Service Providers: Monitor multiple client websites hosted on a single server
  • Security Operations: Quickly identify and respond to suspicious activity across domains
  • DevOps Automation: Integrate with monitoring systems to automate security responses
  • Server Hardening: Implement protective measures against common web attacks
  • Traffic Analysis: Gain insights into traffic patterns, bot activity, and potential security issues

Architecture

kiowa is built using modern TypeScript with a focus on modularity and extensibility. The system architecture consists of several key components.

Command Line Interface

The application uses Commander.js to provide an intuitive CLI with multiple commands and subcommands:

  • tail / t: Real-time monitoring of log files
  • cat / c: View historical log entries
  • firewall / f: Manage iptables firewall rules
  • block / unblock: Control IP address blocking
  • malicious: Auto-detect and block suspicious activity
  • purge / export: Manage firewall rule sets

Log Processing Engine

Components that transform raw log data into actionable intelligence:

  • Parser System: Converts Common Log Format entries into structured kiowa format
  • Enrichment Pipeline: Adds geolocation data, bot detection, and user agent parsing
  • Presentation Layer: Formats log entries for human-readable output with customizable truncation
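As an added illustration of the parser and enrichment steps (example code, not kiowa's own): a minimal Common Log Format parser that turns one Apache log line into a structured record and flags bot traffic. The `BOT_RE` heuristic is a simplified stand-in for the isbot library the project lists, and the geolocation step is omitted because geoip-lite needs its database file.

```typescript
interface LogEntry {
  ip: string; timestamp: Date; method: string; path: string;
  protocol: string; status: number; bytes: number;
  userAgent: string; isBot: boolean;
}

// CLF plus the two trailing fields of Apache's "combined" format (referer, user agent).
const CLF_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-)(?: "([^"]*)" "([^"]*)")?$/;
const MONTHS: Record<string, number> = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
  Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
// Simplified stand-in for the isbot library: a few common crawler tokens (assumption).
const BOT_RE = /bot|crawl|spider|slurp|python-requests/i;

// Parses an Apache timestamp such as "10/Oct/2023:13:55:36 +0000" into a UTC Date.
function parseClfDate(s: string): Date {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) throw new Error(`bad CLF date: ${s}`);
  const n = (i: number) => Number(m[i]);
  const month: number | undefined = MONTHS[m[2] ?? ""];
  if (month === undefined) throw new Error(`bad month in: ${s}`);
  const localAsUtc = Date.UTC(n(3), month, n(1), n(4), n(5), n(6));
  const offsetMin = (m[7] === "+" ? 1 : -1) * (n(8) * 60 + n(9));
  return new Date(localAsUtc - offsetMin * 60000);
}

// Converts one log line into a structured, enriched record; malformed lines yield null
// so the caller can count or skip them instead of crashing a long-running tail.
function parseClfLine(line: string): LogEntry | null {
  const m = CLF_RE.exec(line.trim());
  if (!m) return null;
  const g = (i: number) => m[i] ?? "";
  const userAgent = g(9);
  return {
    ip: g(1), timestamp: parseClfDate(g(2)), method: g(3), path: g(4), protocol: g(5),
    status: Number(g(6)), bytes: g(7) === "-" ? 0 : Number(g(7)),
    userAgent, isBot: BOT_RE.test(userAgent),
  };
}
```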

Security Enforcement

kiowa's security system includes:

  • Rule Engine: Configurable rules for identifying suspicious behaviour patterns
  • Threshold System: Configurable attempt counts and time windows for triggering blocks
  • Firewall Integration: Direct management of iptables rules with specialized comment format for tracking

Technologies Used

  • TypeScript & Node.js: Core language and runtime
  • Commander.js: CLI framework for command structure
  • clf-parser & geoip-lite: Log parsing and geolocation
  • isbot & ua-parser-js: Bot detection and user agent analysis
  • iptables: Linux kernel firewall integration
  • tsx & pkg: TypeScript execution and binary packaging

Security-Conscious Design

kiowa employs several security-focused design patterns that make it particularly valuable for production environments.

Non-Intrusive Monitoring

kiowa reads log files without modifying them, ensuring the integrity of server logs while providing real-time analysis.

Audit-Friendly Rule Management

All firewall rules created by kiowa include specially formatted comments that contain:

  • Timestamp of rule creation
  • Whether the rule was manually or automatically created
  • Country code of the blocked IP (when available)
  • Reference to the specific detection rule that triggered the block

This metadata enables precise auditing of security events and justification for all blocking actions.

Geographic Intelligence

The country-based whitelist system enables organizations to implement geographic security policies while maintaining access for legitimate users from specific regions.

Graceful Privilege Handling

While kiowa requires sudo privileges for firewall manipulation, it minimizes the attack surface by:

  • Using targeted command execution only for specific firewall operations
  • Implementing careful input sanitization before constructing privileged commands
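An added example (not kiowa's code) of how the rule engine and threshold system, the audit comment on firewall rules, and the input sanitization described above can fit together: a sliding-window attempt counter per rule and IP, strict IP validation before anything reaches a privileged command, and an iptables command assembled as an argument array. The rule names, thresholds, comment layout and helper names are assumptions, not kiowa's actual format.

```typescript
interface DetectionRule { name: string; pattern: RegExp; maxAttempts: number; windowSec: number }
interface LogRequest { ip: string; path: string; time: Date; country?: string }
interface BlockDecision { ip: string; rule: string; comment: string; command: string[] }

// Assumed rule set; "wp-login" mirrors the WordPress login example on the page.
const RULES: DetectionRule[] = [
  { name: "wp-login", pattern: /^\/wp-login\.php/, maxAttempts: 5, windowSec: 60 },
  { name: "xmlrpc", pattern: /^\/xmlrpc\.php/, maxAttempts: 10, windowSec: 300 },
];
const IPV4_RE = /^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// Reject anything that is not a plain dotted quad before it reaches a privileged command.
function assertSafeIp(ip: string): string {
  if (!IPV4_RE.test(ip)) throw new Error(`refusing untrusted IP value: ${JSON.stringify(ip)}`);
  return ip;
}

// Audit comment: tool tag, timestamp, auto|manual, country, triggering rule (assumed layout).
// Characters outside a safe set are replaced and the result stays under iptables' 256-byte limit.
function buildComment(mode: "auto" | "manual", country: string | undefined, rule: string, at: Date): string {
  const raw = ["kiowa", at.toISOString(), mode, country ?? "??", rule].join(";");
  return raw.replace(/[^\w;:.\-?]/g, "_").slice(0, 255);
}

class ThresholdEngine {
  private hits = new Map<string, Date[]>(); // key: `${rule}|${ip}`
  private blocked = new Set<string>();

  // Returns a block decision once a rule's attempt count is reached inside its sliding window.
  observe(req: LogRequest): BlockDecision | null {
    const ip = assertSafeIp(req.ip);
    if (this.blocked.has(ip)) return null;
    for (const rule of RULES) {
      if (!rule.pattern.test(req.path)) continue;
      const key = `${rule.name}|${ip}`;
      const cutoff = req.time.getTime() - rule.windowSec * 1000;
      const recent = (this.hits.get(key) ?? []).filter(t => t.getTime() >= cutoff);
      recent.push(req.time);
      this.hits.set(key, recent);
      if (recent.length < rule.maxAttempts) continue;
      this.blocked.add(ip);
      const comment = buildComment("auto", req.country, rule.name, req.time);
      // argv array rather than a shell string, so neither the IP nor the comment can add arguments
      const command = ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP", "-m", "comment", "--comment", comment];
      return { ip, rule: rule.name, comment, command };
    }
    return null;
  }
}
```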

Persistent & Portable Firewall Rules

kiowa allows exporting and importing rules in a format compatible with iptables, enabling:

  • Backup of security configurations
  • Transfer of rules between systems
  • Restoration of rules after server reboots

Want to collaborate?

Reach out to me on LinkedIn