
generic http brute force detection #50

Closed
ririsoft opened this issue Nov 13, 2020 · 3 comments
Comments

@ririsoft

Hello,

Similar to ssh brute force detection (ssh-bf plugin) and wordpress brute force detection (http-bf-wordpress_bf plugin) I believe it would be really great to have a generic http brute force detection (similar to fail2ban apache-auth).

My user story: I have a web server hosting several websites protected by different login/password forms. I want to protect all of them from password brute force bots. A bot which fails to authenticate after several attempts during a given time window should be banned for a small period of time. "Several", "small" and "time window" should be up to users to define, but Crowdsec should provide reasonable defaults.

Here are the offending access logs coming from a given bad guy IP (I hope I won't be sued posting his private bad activities ...):

127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:04:41:20 +0100] "POST /api/jsonws/invoke HTTP/1.1" 403 4741 628 412 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:04:41:22 +0100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 4741 648 376 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:04:41:22 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 4741 698 349 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:04:41:23 +0100] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 403 4741 589 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:04:41:23 +0100] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 403 4741 671 395 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:10:00:28 +0100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 531 326 354 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:10:00:28 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 531 376 323 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:10:00:29 +0100] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 403 531 349 337 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:10:00:29 +0100] "POST /api/jsonws/invoke HTTP/1.1" 403 531 306 330 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:10:00:29 +0100] "GET /solr/admin/info/system?wt=json HTTP/1.1" 403 531 267 448 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:10:00:29 +0100] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 403 531 321 308 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:16:16:24 +0100] "POST /api/jsonws/invoke HTTP/1.1" 403 4741 628 432 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:16:16:25 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 4741 698 324 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:16:16:27 +0100] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 403 4741 604 401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:16:16:27 +0100] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 403 4741 589 171 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:443 91.241.19.84 - - [12/Nov/2020:16:16:32 +0100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 4741 648 434 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:21:58:25 +0100] "POST /api/jsonws/invoke HTTP/1.1" 403 531 306 299 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:21:58:25 +0100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 531 326 384 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:21:58:26 +0100] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 403 531 349 350 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:21:58:26 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 531 376 380 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:21:58:26 +0100] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 403 531 282 377 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:21:58:26 +0100] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 403 531 321 361 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
127.0.0.1:80 91.241.19.84 - - [12/Nov/2020:21:58:26 +0100] "GET /solr/admin/info/system?wt=json HTTP/1.1" 403 531 267 355 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Here are the related error logs:

[Thu Nov 12 04:41:20.235933 2020] [authz_core:error] [pid 31390:tid 140346445002496] [client 91.241.19.84:37984] AH01630: client denied by server configuration: /var/www/default/api
[Thu Nov 12 04:41:22.380018 2020] [authz_core:error] [pid 31391:tid 140347272451840] [client 91.241.19.84:58894] AH01630: client denied by server configuration: /var/www/default/vendor
[Thu Nov 12 04:41:22.418966 2020] [authz_core:error] [pid 31390:tid 140346411431680] [client 91.241.19.84:37976] AH01630: client denied by server configuration: /var/www/default/vendor
[Thu Nov 12 04:41:23.691671 2020] [authz_core:error] [pid 31390:tid 140346285606656] [client 91.241.19.84:58572] AH01630: client denied by server configuration: /var/www/default/
[Thu Nov 12 04:41:23.736691 2020] [authz_core:error] [pid 31390:tid 140346277213952] [client 91.241.19.84:57116] AH01630: client denied by server configuration: /var/www/default/index.php
[Thu Nov 12 10:00:28.979981 2020] [authz_core:error] [pid 31391:tid 140346906371840] [client 91.241.19.84:58862] AH01630: client denied by server configuration: /var/www/default/vendor
[Thu Nov 12 10:00:28.984748 2020] [authz_core:error] [pid 31391:tid 140346872801024] [client 91.241.19.84:58852] AH01630: client denied by server configuration: /var/www/default/vendor
[Thu Nov 12 10:00:29.524109 2020] [authz_core:error] [pid 31391:tid 140346881193728] [client 91.241.19.84:52162] AH01630: client denied by server configuration: /var/www/default/index.php
[Thu Nov 12 10:00:29.532327 2020] [authz_core:error] [pid 31391:tid 140345824237312] [client 91.241.19.84:50856] AH01630: client denied by server configuration: /var/www/default/api
[Thu Nov 12 10:00:29.892464 2020] [authz_core:error] [pid 31391:tid 140345799059200] [client 91.241.19.84:58486] AH01630: client denied by server configuration: /var/www/default/solr
[Thu Nov 12 10:00:29.919051 2020] [authz_core:error] [pid 31391:tid 140345706804992] [client 91.241.19.84:60096] AH01630: client denied by server configuration: /var/www/default/
[Thu Nov 12 16:16:24.932891 2020] [authz_core:error] [pid 31391:tid 140347007018752] [client 91.241.19.84:43182] AH01630: client denied by server configuration: /var/www/default/api
[Thu Nov 12 16:16:25.046709 2020] [authz_core:error] [pid 31391:tid 140346914764544] [client 91.241.19.84:43026] AH01630: client denied by server configuration: /var/www/default/vendor
[Thu Nov 12 16:16:27.253420 2020] [authz_core:error] [pid 31390:tid 140346403038976] [client 91.241.19.84:46032] AH01630: client denied by server configuration: /var/www/default/wp-content
[Thu Nov 12 16:16:27.382592 2020] [authz_core:error] [pid 31390:tid 140347289253632] [client 91.241.19.84:44040] AH01630: client denied by server configuration: /var/www/default/
[Thu Nov 12 16:16:32.152530 2020] [authz_core:error] [pid 31391:tid 140346881193728] [client 91.241.19.84:50990] AH01630: client denied by server configuration: /var/www/default/vendor
[Thu Nov 12 21:58:25.648238 2020] [authz_core:error] [pid 31390:tid 140346302392064] [client 91.241.19.84:59430] AH01630: client denied by server configuration: /var/www/default/api
[Thu Nov 12 21:58:25.973277 2020] [authz_core:error] [pid 31390:tid 140346436609792] [client 91.241.19.84:59394] AH01630: client denied by server configuration: /var/www/default/vendor
[Thu Nov 12 21:58:26.215790 2020] [authz_core:error] [pid 31390:tid 140346428217088] [client 91.241.19.84:57748] AH01630: client denied by server configuration: /var/www/default/index.php
[Thu Nov 12 21:58:26.363833 2020] [authz_core:error] [pid 31390:tid 140346310784768] [client 91.241.19.84:59448] AH01630: client denied by server configuration: /var/www/default/vendor
[Thu Nov 12 21:58:26.443328 2020] [authz_core:error] [pid 31390:tid 140346445002496] [client 91.241.19.84:53068] AH01630: client denied by server configuration: /var/www/default/wp-content
[Thu Nov 12 21:58:26.720264 2020] [authz_core:error] [pid 31390:tid 140346260428544] [client 91.241.19.84:39296] AH01630: client denied by server configuration: /var/www/default/
[Thu Nov 12 21:58:26.735341 2020] [authz_core:error] [pid 31390:tid 140347264050944] [client 91.241.19.84:39314] AH01630: client denied by server configuration: /var/www/default/solr

What we see here is a bad guy scanning for vulnerable software installed on my server, but the URLs are protected URLs and he gets a 403 Forbidden error code. This might not be a good example because this guy should have been caught by crowdsecurity/http-backdoors-attempts or similar scenarios. What is interesting here is that the traffic continues despite the 403 Forbidden status code. A threshold (bucket leak) could be the scenario here.

Another, better example is a true failed login attempt.
access logs:

foo.bar.com:443 192.168.1.1 - toto [13/Nov/2020:12:51:38 +0100] "GET /backup/ HTTP/2.0" 401 614 73 1488 "-" "curl/7.64.0"
foo.bar.com:443 192.168.1.1 - toto [13/Nov/2020:12:51:45 +0100] "GET /backup/ HTTP/2.0" 401 614 73 960 "-" "curl/7.64.0"

error logs:

[Fri Nov 13 12:51:38.825807 2020] [auth_basic:error] [pid 14509:tid 140347289204480] [client 192.168.1.1:43454] AH01617: user toto: authentication failure for "/backup/": Password Mismatch
[Fri Nov 13 12:51:45.361104 2020] [auth_basic:error] [pid 14508:tid 140347289204480] [client 192.168.1.1:43456] AH01617: user toto: authentication failure for "/backup/": Password Mismatch

So here we have 2 scenarios:

  1. regular access to protected URLs (403 status code): Here a simple bucket leak algorithm should do.
  2. Password Mismatch with 401 status code: Here again a simple bucket leak algorithm fits, but we could be more clever, grouping by user (not sure this is very useful).

What do you think?
Cheers.

@ririsoft
Author

Thinking more about it, I believe the "client denied by server configuration" errors should belong to crowdsecurity/http-crawl-non_statics or crowdsecurity/http-probing. Fail2ban does not make the distinction and catches them with the apache-auth plugin.

Crowdsec could benefit from #51 to detect a login/password brute force with specific error log messages.

@AlteredCoder
Contributor

AlteredCoder commented Nov 18, 2020

Hello @ririsoft
Thanks for your feedback!

A PR has been opened and is a work in progress about this issue, which adds/fixes the following things:

  • apache2 errors log support
  • add a generic http brute force detection scenario

Note: Once the PR is merged, those changes will only be available for crowdsec >= v1, which is currently in pre-release.

About the access.log that you shared, it is normal that the IP has not been detected by crowdsec.
Indeed, we can see that the attacker only tried to access 5 files, and then came back hours later.
As we can see in the crowdsecurity/http-probing configuration, the bucket capacity is 10, so it can't overflow.

Last thing, I think that if the http_probing scenario is not triggered, it's because your access.log is not parsed. I can help you to parse them in #52

I hope I answered your question.
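
As an added example (not CrowdSec's code, and not the scenario the PR above adds) covering both the two bucket-leak scenarios proposed in the opening post and the capacity-10 explanation in this comment: a per-source-IP leaky bucket fed with access log lines in the vhost-prefixed format posted in the issue. Bucket capacity, leak rate, the IPs and every log line are constructed assumptions.

```python
# Added example, not CrowdSec's own code: a per-source-IP leaky bucket fed by Apache
# access log lines in the vhost-prefixed format posted above; thresholds and lines are constructed.
import re
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(?P<vhost>\S+) (?P<ip>\S+) - (?P<user>\S+) '
                     r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, user, timestamp, status) for one access log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["user"], ts, int(m["status"])

def leaky_bucket_bans(lines, statuses, capacity, leak_seconds):
    """Each event whose status is in `statuses` adds one token to its IP's bucket,
    which drains one token per leak_seconds; exceeding `capacity` flags the IP
    and resets the bucket. Returns the list of (ip, timestamp) overflow events."""
    buckets = {}  # ip -> (level, time of last event)
    overflows = []
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[3] not in statuses:
            continue
        ip, _user, ts, _status = parsed
        level, last = buckets.get(ip, (0.0, ts))
        level = max(0.0, level - (ts - last).total_seconds() / leak_seconds) + 1
        if level > capacity:
            overflows.append((ip, ts))
            level = 0.0
        buckets[ip] = (level, ts)
    return overflows

def access_line(vhost, ip, user, ts, req, status):
    """Build one constructed log line in the page's access log format."""
    return (f'{vhost} {ip} - {user} [{ts:%d/%b/%Y:%H:%M:%S %z}] "{req}" '
            f'{status} 614 73 960 "-" "curl/7.64.0"')

TZ = timezone(timedelta(hours=1))
# Scenario 2: six wrong passwords on /backup/, one second apart (constructed data).
T0 = datetime(2020, 11, 13, 12, 51, 38, tzinfo=TZ)
LOGIN_FAILURES = [access_line("foo.bar.com:443", "192.0.2.10", "toto", T0 + timedelta(seconds=i),
                              "GET /backup/ HTTP/2.0", 401) for i in range(6)]
# Scenario 1: two bursts of five denied probes, six hours apart (constructed data).
T1 = datetime(2020, 11, 12, 4, 41, 20, tzinfo=TZ)
SCAN_BURSTS = [access_line("127.0.0.1:443", "198.51.100.7", "-", T1 + timedelta(hours=h, seconds=i),
                           f"GET /scan/{i} HTTP/1.1", 403) for h in (0, 6) for i in range(5)]
```

With capacity 5 and a 10-second leak, the sixth 401 overflows the bucket; with capacity 10, two bursts of five 403s hours apart never do, which is the behaviour described in this comment.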

@andreasbrett
Contributor

andreasbrett commented Feb 25, 2022

@AlteredCoder Are there plans to link those to a scenario? As of now it gets detected but not remediated because sub_type "permission_denied" is not linked to a scenario afaik.

@buixor buixor closed this as completed Mar 30, 2022