[EPIC] Crowdsec integration to James #4874
Comments
@thanhbv200585 please research the topic and make a proposal about the list of tasks (could think of more or fewer than the above tasks if needed) with basic ticket details first.

Task proposal:

Not only SMTP; IMAP/POP also.

Basic details for each task, and are there any other possible tasks?

Two distinct plugins:

I didn't have time to really have a look myself tbh, but I would think you would need first to implement a client to communicate with CrowdSec, which would force you to implement a Docker extension for testing too.

Do you suggest letting CrowdSec access the James logs, or that James pushes alerts/decisions directly via the CrowdSec HTTP API?

It's easy to write the first plugin; see the Lemonldap-NG plugin as an example.

I succeeded in reporting an IP via the HTTP API directly.

This one eliminates the need to plug James logs into CrowdSec and might save headaches with fluentbit / loki...
Rene:
You mean implementing the magic on our side about whether we should ban an IP or not and just reporting to CrowdSec? I feel it would be more of a headache than just letting CrowdSec scrape our logs and do the magic itself, which it is already supposed to know how to do well, no? It would mean you need to track all failed attempts (like with Redis?). I would be more interested to know if we can just report to CrowdSec via the HTTP API the IPs that are failing to log in, and whether CrowdSec is able to detect many reports of failed attempts from the same IP from us and act accordingly.
Can we have more detail on that? I'm not sure if it means we do the magic implementation of determining ourselves which IPs to ban, or if we just tell CrowdSec this IP failed to log in and let CrowdSec take the decision after a couple of similar reports... (joins my previous point). Looks confusing to me (and the team).
Propose other tasks:

For @thanhbv200585: trying to parse James' logs and build a CrowdSec attack scenario would need a log parser (https://docs.crowdsec.net/docs/concepts#parsers) for James' logs. Seems not easy to me, but let's try :)

FYI, CrowdSec supports
Missing SMTP though.

Why not James?
CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network, based on AI behaviour refinement.
Develop a third-party plugin in James for questioning CrowdSec:
ref: https://issues.apache.org/jira/browse/JAMES-3897, linagora/tmail-backend#803
cc @guimard @chibenwa
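The "questioning CrowdSec" plugin discussed in this issue amounts to a bouncer: before accepting a connection, James asks the CrowdSec Local API (LAPI) whether the client IP has an active decision. The following is an added example, written for this page and not code from James, TMail or CrowdSec. It assumes the LAPI bouncer endpoint `GET /v1/decisions?ip=<addr>` authenticated with an `X-Api-Key` header, answering with a JSON array of decisions (`type`, `scope`, `value`, `duration`, ...) or JSON `null` when the IP is clean; the mock LAPI, the bouncer key and the decisions it serves are constructed so the example runs offline. It also shows the caveat a practitioner cares about: what to do when LAPI is down or rejects the key (fail open by default, fail closed as an option).

```python
"""Illustrative CrowdSec LAPI bouncer check, as a James connection filter might do it.

Added example, not James or CrowdSec project code. Assumptions (labelled):
  - LAPI exposes GET /v1/decisions?ip=<addr> for bouncers, authenticated with an
    X-Api-Key header, and returns a JSON array of decisions or JSON null.
  - The mock LAPI below, its key and its decisions are constructed for this example.
"""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

BOUNCER_KEY = "constructed-bouncer-key"  # constructed, not a real key
# Constructed decisions keyed by IP, in the shape LAPI is assumed to return.
MOCK_DECISIONS = {
    "203.0.113.7": [
        {"type": "ban", "scope": "Ip", "value": "203.0.113.7",
         "duration": "3h59m", "scenario": "constructed/smtp-bf", "origin": "crowdsec"}
    ],
    "203.0.113.9": [
        {"type": "captcha", "scope": "Ip", "value": "203.0.113.9",
         "duration": "1h", "scenario": "constructed/captcha", "origin": "crowdsec"}
    ],
}


class MockLapi(BaseHTTPRequestHandler):
    """Minimal stand-in for the LAPI decisions endpoint (constructed)."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        if url.path != "/v1/decisions":
            return self._reply(404, {"message": "not found"})
        if self.headers.get("X-Api-Key") != BOUNCER_KEY:
            return self._reply(403, {"message": "access forbidden"})
        ip = urllib.parse.parse_qs(url.query).get("ip", [""])[0]
        return self._reply(200, MOCK_DECISIONS.get(ip))  # unknown IP -> null

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_lapi():
    """Start the mock LAPI on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockLapi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def active_ban(decisions):
    """Return the first IP-scoped 'ban' decision from a LAPI payload, else None.

    Only 'ban' is enforced here: a mail server cannot serve a captcha, so a
    'captcha' decision is deliberately not treated as a reason to refuse.
    """
    if not decisions:  # LAPI answers null when nothing matches
        return None
    for d in decisions:
        if d.get("type") == "ban" and d.get("scope", "").lower() == "ip":
            return d
    return None


def should_reject(lapi_url, api_key, ip, fail_closed=False, timeout=2.0):
    """Ask LAPI about `ip`; True means the SMTP/IMAP/POP connection should be refused.

    On LAPI errors (unreachable, bad key, malformed body) the default is to fail
    open so a CrowdSec outage does not become a mail outage; set fail_closed=True
    for a deployment that prefers to refuse traffic it cannot vet.
    """
    req = urllib.request.Request(
        f"{lapi_url}/v1/decisions?" + urllib.parse.urlencode({"ip": ip}),
        headers={"X-Api-Key": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return active_ban(json.loads(resp.read().decode())) is not None
    except (urllib.error.URLError, ValueError):  # HTTPError is a URLError
        return fail_closed


if __name__ == "__main__":
    server, url = start_mock_lapi()
    for client in ("203.0.113.7", "203.0.113.9", "198.51.100.1"):
        print(client, "reject" if should_reject(url, BOUNCER_KEY, client) else "accept")
    server.shutdown()
```

In a real deployment the lookup result should be cached for a short TTL (or the bouncer should use LAPI's streaming mode) so that every SMTP connection does not cost an HTTP round trip, and the bouncer key must come from configuration rather than a constant.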