ssh: improve bruteforce detection and add time-based-bf scenario #1566
Open: LaurenceJJones wants to merge 8 commits into crowdsecurity:master from LaurenceJJones:ssh-slow-bf-improvement
Conversation
- Reduce ssh-bf capacity from 5 to 3 for faster detection
- Reduce ssh-slow-bf capacity from 10 to 5 to reduce overlap
- Add new crowdsecurity/ssh-slowest-bf conditional scenario
  - Detects 3 failed logins over 2-30 minute intervals using MedianInterval helper
  - Catches attackers who deliberately slow their attempts to evade rate limiting
  - Also includes user-enum variant for detecting slow user enumeration
- Add slowest-bf scenario to sshd collection
- Update all documentation

This provides comprehensive SSH bruteforce coverage:
- ssh-bf: 3 failures within ~30 seconds
- ssh-slow-bf: 5 failures within ~5 minutes
- ssh-slowest-bf: 3 failures over 2-30 minutes

…city changes
- Add new test for crowdsecurity/ssh-slowest-bf scenario
  - Tests 3 failed logins over 3-40 minute intervals
  - Verifies MedianInterval detection logic works correctly
  - Tests both standard and user-enum variants
- Update ssh-bf assertions for reduced capacity (5->3)
  - Now triggers after 3 failures instead of 5
- Update ssh-slow-bf assertions for reduced capacity (10->5)
  - Now triggers after 5 failures instead of 10

- Renamed scenario from ssh-slowest-bf to ssh-time-based-bf
  - Better conveys the detection mechanism (time-pattern-based vs rate-based)
- Updated all labels from 'Slowest' to 'Time-Based'
- Updated documentation to clarify distinction:
  - ssh-bf: rate-based (fast attacks)
  - ssh-slow-bf: rate-based (moderate attacks)
  - ssh-time-based-bf: time-pattern-based (slow evasive attacks)
- Renamed test directory and regenerated assertions
- All tests passing

- Remove upper bound from MedianInterval check (leakspeed naturally caps it)
- Change lower bound from 2m to 5m to eliminate overlap with ssh-slow-bf
- Update test logs to use 6-minute intervals (>5m threshold)
- Update documentation to clarify no overlap between scenarios:
  - ssh-bf: <30s (rate-based)
  - ssh-slow-bf: ~5min (rate-based)
  - ssh-time-based-bf: >5min (time-pattern-based)
- All tests passing

- Regenerate assertions for sshd-invalid-bf test (6->4 events)
- Regenerate assertions for sshd_banner_exchange test (6->4 events)
- Regenerate assertions for opnsense-sshd test (6->4 events)
- All tests now expect 4 events to match new capacity of 3
- All tests passing

- Add cancel_on to destroy bucket if user successfully authenticates
  - Prevents 'forgot password' scenarios from triggering alerts
  - Only cancels for same IP + username combination (due to distinct)
  - Attackers trying multiple usernames won't be excused by one success
- Add sshd-success-logs parser to collection for cancel_on functionality
- Remove standard variant, keep only user-enum variant for better precision
- Update test to verify cancel_on works (10.0.0.102 cancelled after jenkins success)
- All tests passing

- Add standard variant (grouped by IP only) per colleague request
- Keep user-enum variant (distinct on username) for precision
- Both variants include cancel_on for false positive reduction
  - Standard: cancels on ANY successful login from same IP
  - User-enum: cancels only for same IP + username combination
- Add sshd-success-logs parser to collection for cancel_on functionality
- Update test to verify both variants work correctly
  - Test includes successful login verification (10.0.0.102 cancelled)
- All tests passing

CRITICAL: auth_success is a generic log type used by many services (ssh, authelia, sftpgo, grafana, etc.)
- Add service == 'ssh' filter to both time-based-bf variants
  - Prevents scenarios from being cancelled by auth_success from other services
  - Without this, SSH bruteforce could be cancelled by Authelia/Grafana logins
- Regenerate test assertions with service filter
- All tests passing
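Added example, not code from the PR, its test logs or CrowdSec itself: a Python simulation of the detection logic the commits above describe (3 failures whose median interval exceeds 5 minutes, cancel_on for a successful SSH login, distinct on username for the user-enum variant, and the service == 'ssh' guard so other services' successes do not cancel). The events, `median_interval` (my stand-in for the MedianInterval helper) and the leakspeed-free bucket model are all my assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample auth events, not from the PR or its test logs:
# (timestamp, source ip, username, outcome, service)
EVENTS = [
    ("2024-01-01 10:00:00", "10.0.0.101", "root",    "fail",    "ssh"),
    ("2024-01-01 10:06:00", "10.0.0.101", "admin",   "fail",    "ssh"),
    ("2024-01-01 10:12:30", "10.0.0.101", "deploy",  "fail",    "ssh"),
    ("2024-01-01 10:00:00", "10.0.0.102", "jenkins", "fail",    "ssh"),
    ("2024-01-01 10:07:00", "10.0.0.102", "jenkins", "fail",    "ssh"),
    ("2024-01-01 10:09:00", "10.0.0.102", "jenkins", "success", "ssh"),
    ("2024-01-01 10:15:00", "10.0.0.102", "jenkins", "fail",    "ssh"),
    ("2024-01-01 10:00:00", "10.0.0.103", "bob",     "fail",    "ssh"),
    ("2024-01-01 10:06:00", "10.0.0.103", "bob",     "fail",    "ssh"),
    ("2024-01-01 10:08:00", "10.0.0.103", "bob",     "success", "grafana"),
    ("2024-01-01 10:12:00", "10.0.0.103", "bob",     "fail",    "ssh"),
]

MIN_FAILURES = 3           # bucket capacity 3, as in the PR
MIN_MEDIAN_GAP_S = 5 * 60  # lower bound raised from 2m to 5m in the PR

def median_interval(times):
    """Median gap in seconds between consecutive events (stand-in for MedianInterval)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else 0.0

def time_based_bf(events, user_enum):
    """Return the set of source IPs that would trigger the scenario.
    user_enum=True: one failure per distinct username, cancel only on success for
    an already-seen IP+username. False: count every failure, cancel on any SSH
    success from that IP. Leakspeed (the PR's upper bound) is not modelled."""
    buckets = defaultdict(list)  # ip -> list of (time, username) failures
    alerts = set()
    for ts, ip, user, outcome, service in sorted(events):
        if service != "ssh":     # auth_success from grafana etc. must not cancel
            continue
        seen_user = any(u == user for _, u in buckets[ip])
        if outcome == "success":
            if not user_enum or seen_user:
                buckets.pop(ip, None)   # cancel_on: destroy the bucket
            continue
        if user_enum and seen_user:
            continue                    # distinct on username: not counted again
        buckets[ip].append((datetime.fromisoformat(ts), user))
        times = [t for t, _ in buckets[ip]]
        if len(times) >= MIN_FAILURES and median_interval(times) > MIN_MEDIAN_GAP_S:
            alerts.add(ip)
    return alerts
```

With these events the standard variant flags 10.0.0.101 and 10.0.0.103 while 10.0.0.102 is cancelled by the jenkins success; the user-enum variant flags only 10.0.0.101, because bob's repeated attempts collapse to one distinct username.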
Description
This provides comprehensive SSH bruteforce coverage: