generic http brute force detection #50
Comments
Thinking more about it I believe the "client denied by server configuration" errors should belong to the Crowdsec could benefit from #51 to detect a login/password brute force with specific error log messages.
Hello @ririsoft A PR has been opened and is in work in progress about this issue which add/fix the following things:
Note: Once the PR will be merged, those change will only be available for the crowdsec >= v1 which is currently in pre-release. About the Last thing, i think that if the I hope i answered your question, |
@AlteredCoder Are there plans to link those to a scenario? As of now it gets detected but not remediated because sub_type "permission_denied" is not linked to a scenario afaik.
Hello,
Similar to ssh brute force detection (ssh-bf plugin) and wordpress brute force detection (http-bf-wordpress_bf plugin), I believe it would be really great to have a generic http brute force detection (similar to fail2ban apache-auth). My user story: I have a web server hosting several websites protected by different login/password forms. I want to protect all of them from password brute force bots. A bot which fails to authenticate after several attempts during a given time window should be banned for a small period of time. "Several", "small" and "time window" should be up to users to define, but Crowdsec should provide reasonable defaults.
Here are the offending access logs coming from a given bad guy IP (I hope I won't be sued posting his private bad activities ...):
Here are the related error logs:
What we see here is a bad guy scanning for vulnerable software installed on my server, but the URLs are protected URLs and he gets a 403 Forbidden error code. This might not be a good example because this guy should have been caught by crowdsecurity/http-backdoors-attempts or similar scenarios. What is interesting here is that the traffic continues despite the 403 Forbidden status code. A threshold (bucket leak) could be the scenario here. Another better example is a true login failed attempt.
access logs:
error logs:
So here we have 2 scenarios:
What do you think ?
Cheers.