How I Built a DDoS Detection Engine for Nextcloud

DEV Community·Abosede·about 1 month ago

Introduction

Imagine you're running a cloud storage platform powered by Nextcloud, serving users around the clock. One day, suspicious traffic starts flooding in — thousands of requests per second from unknown IPs. How do you detect it? How do you stop it automatically?

That's exactly the challenge I tackled as a DevSecOps Engineer. I built a real-time anomaly detection engine in Python that watches all incoming HTTP traffic, learns what "normal" looks like, and automatically blocks attackers using iptables — no Fail2Ban, no rate-limiting libraries, just raw Python and math.

The Architecture

The system runs as a Docker stack with four components:

Nginx — reverse proxy in front of Nextcloud, writing JSON access logs
Nextcloud — the cloud storage platform we're protecting
PostgreSQL — database for Nextcloud
Detector Daemon — my Python tool that monitors, detects, and blocks

Nginx writes every request to a JSON log file.…
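The detection loop described above, sketched as an added example; it is not the author's code, whose algorithm is not shown on this page. The log field names `time` and `remote_addr`, the 10-second window, the z-score rule and the `INPUT` chain are all assumptions, and the sample log is constructed.

```python
import ipaddress, json, statistics
from collections import Counter, deque

WINDOW = 10       # seconds per bucket (assumed)
Z_LIMIT = 3.0     # flag counts more than 3 standard deviations above the mean
MIN_SAMPLES = 10  # baseline samples required before any verdict

def _close(bucket, counts, history):
    flagged = []
    if len(history) >= MIN_SAMPLES:
        mean = statistics.fmean(history)
        std = max(statistics.pstdev(history), 1.0)  # floor for flat baselines
        flagged = [(bucket, ip, n) for ip, n in counts.items()
                   if (n - mean) / std > Z_LIMIT]
    if not flagged:  # only clean buckets train the baseline
        history.extend(counts.values())
    return flagged

def detect(lines):
    """Return (bucket_start, ip, count) for each anomalous client."""
    history = deque(maxlen=500)  # recent per-IP counts from clean buckets
    current, counts, alerts = None, Counter(), []
    for line in lines:
        try:
            rec = json.loads(line)
            bucket = int(float(rec["time"])) // WINDOW * WINDOW
            ip = str(ipaddress.ip_address(rec["remote_addr"]))
        except (ValueError, KeyError, TypeError):
            continue  # malformed or non-IP field: skip, never crash
        if current is not None and bucket != current:
            alerts += _close(current, counts, history)
            counts = Counter()
        current = bucket
        counts[ip] += 1
    if current is not None:
        alerts += _close(current, counts, history)
    return alerts

def block_command(ip):
    addr = ipaddress.ip_address(ip)  # ValueError on anything that is not an IP
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return [tool, "-I", "INPUT", "-s", str(addr), "-j", "DROP"]  # built, not run; INPUT chain assumed

def sample_log():
    """Constructed input: 8 quiet buckets, then one client sending 200 requests."""
    rows = [(b * WINDOW + i, ip) for b in range(8) for i in range(3)
            for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7")]
    rows += [(8 * WINDOW + i % WINDOW, "203.0.113.9") for i in range(200)]
    return [json.dumps({"time": t, "remote_addr": ip}) for t, ip in rows]
```

Buckets that raise an alert are kept out of the baseline so that a sustained flood cannot gradually redefine "normal".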
