Ban-defcon-drop_range

Hello,

Very interesting items, but can we configure this to not ban a full range for some country ?
Like I don’t want to use that for French IP, but ok for the others, or only for China, Russia, USA, and some other country.

Hello,

First of all, sorry for the delay, we were busy polishing the 1.0 :wink:

Glad you found this one, I’m going to use this as an excuse to showcase the new profiles.yaml of the v1.0 (what we’re doing here can be done as well by patching the scenario, but it’s less cool !)

note: I did the demo from a test_env.sh of crowdsec-v1.0.0. I have installed the crowdsecurity/sshd collection and the crowdsecurity/ban-defcon-drop_range scenario. I added as well /tmp/test.log as a syslog source to my acquis.yaml

the ban range scenario looks like this :

type: leaky
name: crowdsecurity/ban-defcon-drop_range
description: "Ban a range if more than 5 ips from it are banned at a time"
filter: "evt.GetType() == 'overflow' && evt.Overflow.Alert.Remediation == true"
groupby: "evt.Overflow.Alert.Source.Range"
distinct: "evt.Overflow.Alert.Source.IP"
capacity: 5
leakspeed: "1m"
blackhole: 5m
labels:
 remediation: true
scope:
 type: Range

You can see here one of the additions of v1.X : you can specify the scope of a scenario (cf. the scope section at the end).

To make this scenario effective, let’s add a profile (/etc/crowdsec/profiles.yaml) :

name: default_ip_remediation
...
---
name: default_range_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range" && Alert.Source.Cn in ["CN", "RO"]
decisions:
 - type: ban
   duration: 4h
on_success: break

The section we added is going to take care of decisions that should target a range, and deciding we’re only going to apply those that are targeting belonging to China or Romania (random countries).

Now, let’s try it :

#let's simulate ssh bruteforce from the range 39.100.227.0/13, which is in china
for x in `seq 1 6` ; do for i in `seq 1 10` ; do      
          echo `date '+%b %d %H:%M:%S '`'sd-126005 sshd[12422]: Invalid user netflix from 39.100.227.'$x' port 35424' >> /tmp/test.log
        done; done ;

Generates

time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.1 performed 'crowdsecurity/ssh-bf' (6 events over 753.781µs) at 2020-12-07 16:13:07.899477408 +0100 CET m=+46.432922178"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.2 performed 'crowdsecurity/ssh-bf' (6 events over 1.073436ms) at 2020-12-07 16:13:07.901680955 +0100 CET m=+46.435125722"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.3 performed 'crowdsecurity/ssh-bf' (6 events over 725.123µs) at 2020-12-07 16:13:07.903559472 +0100 CET m=+46.437004245"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.4 performed 'crowdsecurity/ssh-bf' (6 events over 764.167µs) at 2020-12-07 16:13:07.905421911 +0100 CET m=+46.438866703"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.5 performed 'crowdsecurity/ssh-bf' (6 events over 775.075µs) at 2020-12-07 16:13:07.907336983 +0100 CET m=+46.440781752"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.6 performed 'crowdsecurity/ssh-bf' (6 events over 723.759µs) at 2020-12-07 16:13:07.908984594 +0100 CET m=+46.442429363"
time="07-12-2020 16:13:07" level=info msg="Range 39.96.0.0/13 performed 'crowdsecurity/ban-defcon-drop_range' (6 events over 9.431486ms) at 2020-12-07 16:13:07.909146028 +0100 CET m=+46.442590795"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.1 (CN) : 4h ban on Ip 39.100.227.1"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.2 (CN) : 4h ban on Ip 39.100.227.2"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.3 (CN) : 4h ban on Ip 39.100.227.3"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.4 (CN) : 4h ban on Ip 39.100.227.4"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.5 (CN) : 4h ban on Ip 39.100.227.5"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.6 (CN) : 4h ban on Ip 39.100.227.6"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ban-defcon-drop_range by range 39.96.0.0/13 (CN) : 4h ban on Range 39.96.0.0/13"

We can see individual bans triggered for IPs 39.100.227.1-6 by crowdsecurity/ssh-bf and then a ban on 39.96.0.0/13 by crowdsecurity/ban-defcon-drop_range

On the other hand, if we generate the same with french IPs :

#let's simulate ssh bruteforce from the range 213.44.0.0/16, which is in France
for x in `seq 1 6` ; do for i in `seq 1 10` ; do 
          echo `date '+%b %d %H:%M:%S '`'sd-126005 sshd[12422]: Invalid user netflix from 213.44.59.'$x' port 35424' >> /tmp/test.log
        done; done ;

Generates :

time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.1 performed 'crowdsecurity/ssh-bf' (6 events over 2.067666ms) at 2020-12-07 16:32:00.383926223 +0100 CET m=+13.422118991"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.2 performed 'crowdsecurity/ssh-bf' (6 events over 3.859859ms) at 2020-12-07 16:32:00.389144312 +0100 CET m=+13.427337109"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.3 performed 'crowdsecurity/ssh-bf' (6 events over 1.092822ms) at 2020-12-07 16:32:00.391572301 +0100 CET m=+13.429765068"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.4 performed 'crowdsecurity/ssh-bf' (6 events over 790.811µs) at 2020-12-07 16:32:00.393431827 +0100 CET m=+13.431624599"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.5 performed 'crowdsecurity/ssh-bf' (6 events over 916.5µs) at 2020-12-07 16:32:00.395493481 +0100 CET m=+13.433686249"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.1 (FR) : 4h ban on Ip 213.44.59.1"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.2 (FR) : 4h ban on Ip 213.44.59.2"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.3 (FR) : 4h ban on Ip 213.44.59.3"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.4 (FR) : 4h ban on Ip 213.44.59.4"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.5 (FR) : 4h ban on Ip 213.44.59.5"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.6 performed 'crowdsecurity/ssh-bf' (6 events over 1.722133ms) at 2020-12-07 16:32:00.645920971 +0100 CET m=+13.684113745"
time="07-12-2020 16:32:00" level=info msg="Range 213.44.0.0/16 performed 'crowdsecurity/ban-defcon-drop_range' (6 events over 363.361208ms) at 2020-12-07 16:32:00.747655415 +0100 CET m=+13.785848197"
time="07-12-2020 16:32:01" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.6 (FR) : 4h ban on Ip 213.44.59.6"
time="07-12-2020 16:32:01" level=info msg="(82929df7ee394b73b81252fe3b4e5020) alert : crowdsecurity/ban-defcon-drop_range by range 213.44.0.0/16 (FR)"
time="07-12-2020 16:32:16" level=info msg="Signal push: 7 signals to push"
time="07-12-2020 16:32:17" level=error msg="Error while sending final chunk to central API : while performing request: API error: Something went wrong."

Here we can see individual bans triggered on 213.44.59.1-6 by crowdsecurity/ssh-bf and even an alert being triggered by the range : Range 213.44.0.0/16 performed 'crowdsecurity/ban-defcon-drop_range'. However, there is no decisions on said range :

$ cscli decisions list         
+-----+----------+--------------------+-------------------------------------+--------+---------+--------------------------------+--------+--------------------+----------+
| ID  |  SOURCE  |    SCOPE:VALUE     |               REASON                | ACTION | COUNTRY |               AS               | EVENTS |     EXPIRATION     | ALERT ID |
+-----+----------+--------------------+-------------------------------------+--------+---------+--------------------------------+--------+--------------------+----------+
| 947 | crowdsec | Range:39.96.0.0/13 | crowdsecurity/ban-defcon-drop_range | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.175199797s |       96 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 946 | crowdsec | Ip:39.100.227.6    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.174985529s |       95 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 945 | crowdsec | Ip:39.100.227.5    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.173350078s |       94 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 944 | crowdsec | Ip:39.100.227.4    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.171618236s |       93 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 943 | crowdsec | Ip:39.100.227.3    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.169628881s |       92 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 942 | crowdsec | Ip:39.100.227.2    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.167820176s |       91 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 941 | crowdsec | Ip:39.100.227.1    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.165196397s |       90 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 940 | crowdsec | Ip:213.44.59.6     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.673949846s |       88 |
| 939 | crowdsec | Ip:213.44.59.5     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.671960994s |       87 |
| 938 | crowdsec | Ip:213.44.59.4     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.670240336s |       86 |
| 937 | crowdsec | Ip:213.44.59.3     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.667795247s |       85 |
| 936 | crowdsec | Ip:213.44.59.2     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.665605373s |       84 |
| 935 | crowdsec | Ip:213.44.59.1     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.661823202s |       83 |
+-----+----------+--------------------+-------------------------------------+--------+---------+--------------------------------+--------+--------------------+----------+

Let me know :slight_smile:

2 Likes

Perfect,
This allow to reduce the number of entries in the banlist.
Do you plan to remove the IP banned in the netrange to reduce the number of entries ?
And do you have something similar with IPV6 to avoid banning thousand of IP ?

Actually in your config you have to choose wich country to ban, do you have the opposit ? To choose country to not ban ?

Yes, you can not in in the expression :slight_smile:
When it comes to ipv6 it’s in our plans as well !

1 Like