Ban-defcon-drop_range

Hello,

First of all, sorry for the delay, we were busy polishing the 1.0 :wink:

Glad you found this one, I’m going to use this as an excuse to showcase the new profiles.yaml of v1.0 (what we’re doing here can be done as well by patching the scenario, but it’s less cool!)

Note: I did the demo from a test_env.sh of crowdsec-v1.0.0. I have installed the crowdsecurity/sshd collection and the crowdsecurity/ban-defcon-drop_range scenario. I also added /tmp/test.log as a syslog source to my acquis.yaml.

The ban-range scenario looks like this:

type: leaky
name: crowdsecurity/ban-defcon-drop_range
description: "Ban a range if more than 5 ips from it are banned at a time"
# only consume overflows (alerts) raised by other scenarios that carry a remediation
filter: "evt.GetType() == 'overflow' && evt.Overflow.Alert.Remediation == true"
# one bucket per source range ...
groupby: "evt.Overflow.Alert.Source.Range"
# ... in which each distinct source IP is counted once
distinct: "evt.Overflow.Alert.Source.IP"
capacity: 5
leakspeed: "1m"
blackhole: 5m
labels:
  remediation: true
# the resulting alert targets the range itself, not a single IP
scope:
  type: Range

You can see here one of the additions of v1.X: you can specify the scope of a scenario (cf. the scope section at the end).

To make this scenario effective, let’s add a profile (/etc/crowdsec/profiles.yaml):

name: default_ip_remediation
...
---
name: default_range_remediation
#debug: true
# match only Range-scoped alerts that carry a remediation, and only for ranges located in CN or RO
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Range" && Alert.Source.Cn in ["CN", "RO"]
decisions:
  - type: ban
    duration: 4h
# stop evaluating the remaining profiles once this one has matched
on_success: break

The section we added is going to take care of decisions that should target a range, and decides that we’re only going to apply those targeting ranges belonging to China or Romania (random countries).

Now, let’s try it:

# simulate an ssh bruteforce (10 failed logins each) from 39.100.227.1-6, i.e. the range 39.96.0.0/13, which is in China
for x in $(seq 1 6); do
  for i in $(seq 1 10); do
    echo "$(date '+%b %d %H:%M:%S') sd-126005 sshd[12422]: Invalid user netflix from 39.100.227.$x port 35424" >> /tmp/test.log
  done
done

Generates:

time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.1 performed 'crowdsecurity/ssh-bf' (6 events over 753.781µs) at 2020-12-07 16:13:07.899477408 +0100 CET m=+46.432922178"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.2 performed 'crowdsecurity/ssh-bf' (6 events over 1.073436ms) at 2020-12-07 16:13:07.901680955 +0100 CET m=+46.435125722"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.3 performed 'crowdsecurity/ssh-bf' (6 events over 725.123µs) at 2020-12-07 16:13:07.903559472 +0100 CET m=+46.437004245"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.4 performed 'crowdsecurity/ssh-bf' (6 events over 764.167µs) at 2020-12-07 16:13:07.905421911 +0100 CET m=+46.438866703"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.5 performed 'crowdsecurity/ssh-bf' (6 events over 775.075µs) at 2020-12-07 16:13:07.907336983 +0100 CET m=+46.440781752"
time="07-12-2020 16:13:07" level=info msg="Ip 39.100.227.6 performed 'crowdsecurity/ssh-bf' (6 events over 723.759µs) at 2020-12-07 16:13:07.908984594 +0100 CET m=+46.442429363"
time="07-12-2020 16:13:07" level=info msg="Range 39.96.0.0/13 performed 'crowdsecurity/ban-defcon-drop_range' (6 events over 9.431486ms) at 2020-12-07 16:13:07.909146028 +0100 CET m=+46.442590795"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.1 (CN) : 4h ban on Ip 39.100.227.1"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.2 (CN) : 4h ban on Ip 39.100.227.2"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.3 (CN) : 4h ban on Ip 39.100.227.3"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.4 (CN) : 4h ban on Ip 39.100.227.4"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.5 (CN) : 4h ban on Ip 39.100.227.5"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 39.100.227.6 (CN) : 4h ban on Ip 39.100.227.6"
time="07-12-2020 16:13:08" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ban-defcon-drop_range by range 39.96.0.0/13 (CN) : 4h ban on Range 39.96.0.0/13"

We can see individual bans triggered for IPs 39.100.227.1-6 by crowdsecurity/ssh-bf and then a ban on 39.96.0.0/13 by crowdsecurity/ban-defcon-drop_range.

On the other hand, if we generate the same with French IPs:

# simulate an ssh bruteforce (10 failed logins each) from 213.44.59.1-6, i.e. the range 213.44.0.0/16, which is in France
for x in $(seq 1 6); do
  for i in $(seq 1 10); do
    echo "$(date '+%b %d %H:%M:%S') sd-126005 sshd[12422]: Invalid user netflix from 213.44.59.$x port 35424" >> /tmp/test.log
  done
done

Generates:

time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.1 performed 'crowdsecurity/ssh-bf' (6 events over 2.067666ms) at 2020-12-07 16:32:00.383926223 +0100 CET m=+13.422118991"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.2 performed 'crowdsecurity/ssh-bf' (6 events over 3.859859ms) at 2020-12-07 16:32:00.389144312 +0100 CET m=+13.427337109"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.3 performed 'crowdsecurity/ssh-bf' (6 events over 1.092822ms) at 2020-12-07 16:32:00.391572301 +0100 CET m=+13.429765068"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.4 performed 'crowdsecurity/ssh-bf' (6 events over 790.811µs) at 2020-12-07 16:32:00.393431827 +0100 CET m=+13.431624599"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.5 performed 'crowdsecurity/ssh-bf' (6 events over 916.5µs) at 2020-12-07 16:32:00.395493481 +0100 CET m=+13.433686249"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.1 (FR) : 4h ban on Ip 213.44.59.1"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.2 (FR) : 4h ban on Ip 213.44.59.2"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.3 (FR) : 4h ban on Ip 213.44.59.3"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.4 (FR) : 4h ban on Ip 213.44.59.4"
time="07-12-2020 16:32:00" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.5 (FR) : 4h ban on Ip 213.44.59.5"
time="07-12-2020 16:32:00" level=info msg="Ip 213.44.59.6 performed 'crowdsecurity/ssh-bf' (6 events over 1.722133ms) at 2020-12-07 16:32:00.645920971 +0100 CET m=+13.684113745"
time="07-12-2020 16:32:00" level=info msg="Range 213.44.0.0/16 performed 'crowdsecurity/ban-defcon-drop_range' (6 events over 363.361208ms) at 2020-12-07 16:32:00.747655415 +0100 CET m=+13.785848197"
time="07-12-2020 16:32:01" level=info msg="(82929df7ee394b73b81252fe3b4e5020/crowdsec) crowdsecurity/ssh-bf by ip 213.44.59.6 (FR) : 4h ban on Ip 213.44.59.6"
time="07-12-2020 16:32:01" level=info msg="(82929df7ee394b73b81252fe3b4e5020) alert : crowdsecurity/ban-defcon-drop_range by range 213.44.0.0/16 (FR)"
time="07-12-2020 16:32:16" level=info msg="Signal push: 7 signals to push"
time="07-12-2020 16:32:17" level=error msg="Error while sending final chunk to central API : while performing request: API error: Something went wrong."

Here we can see individual bans triggered on 213.44.59.1-6 by crowdsecurity/ssh-bf and even an alert being triggered by the range: Range 213.44.0.0/16 performed 'crowdsecurity/ban-defcon-drop_range'. However, there are no decisions on said range:

$ cscli decisions list         
+-----+----------+--------------------+-------------------------------------+--------+---------+--------------------------------+--------+--------------------+----------+
| ID  |  SOURCE  |    SCOPE:VALUE     |               REASON                | ACTION | COUNTRY |               AS               | EVENTS |     EXPIRATION     | ALERT ID |
+-----+----------+--------------------+-------------------------------------+--------+---------+--------------------------------+--------+--------------------+----------+
| 947 | crowdsec | Range:39.96.0.0/13 | crowdsecurity/ban-defcon-drop_range | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.175199797s |       96 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 946 | crowdsec | Ip:39.100.227.6    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.174985529s |       95 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 945 | crowdsec | Ip:39.100.227.5    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.173350078s |       94 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 944 | crowdsec | Ip:39.100.227.4    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.171618236s |       93 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 943 | crowdsec | Ip:39.100.227.3    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.169628881s |       92 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 942 | crowdsec | Ip:39.100.227.2    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.167820176s |       91 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 941 | crowdsec | Ip:39.100.227.1    | crowdsecurity/ssh-bf                | ban    | CN      |  Hangzhou Alibaba Advertising  |      6 | 3h59m55.165196397s |       90 |
|     |          |                    |                                     |        |         | Co.,Ltd.                       |        |                    |          |
| 940 | crowdsec | Ip:213.44.59.6     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.673949846s |       88 |
| 939 | crowdsec | Ip:213.44.59.5     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.671960994s |       87 |
| 938 | crowdsec | Ip:213.44.59.4     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.670240336s |       86 |
| 937 | crowdsec | Ip:213.44.59.3     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.667795247s |       85 |
| 936 | crowdsec | Ip:213.44.59.2     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.665605373s |       84 |
| 935 | crowdsec | Ip:213.44.59.1     | crowdsecurity/ssh-bf                | ban    | FR      |  Bouygues Telecom SA           |      6 | 3h59m47.661823202s |       83 |
+-----+----------+--------------------+-------------------------------------+--------+---------+--------------------------------+--------+--------------------+----------+

Let me know :slight_smile:

2 Likes
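The two mechanics the reply above relies on, as an added example that is not part of the original post and not crowdsec's own code: a simplified model of the leaky bucket behind crowdsecurity/ban-defcon-drop_range (groupby range, distinct IP, capacity, leakspeed, blackhole) followed by first-match profile evaluation (on_success: break). The range-to-country table is constructed for the demo and stands in for crowdsec's GeoIP enrichment; the ssh-bf overflows fed in are constructed too, one per IP. The model reproduces the observed behaviour: the sixth distinct IP of a range raises the Range alert in both cases, but only the CN range gets a decision because the FR range matches no profile.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed range -> country table (assumption; crowdsec fills Source.Range/Source.Cn from GeoIP).
CONSTRUCTED_RANGES = {"39.96.0.0/13": "CN", "213.44.0.0/16": "FR"}


@dataclass
class Alert:
    scenario: str
    scope: str        # "Ip" or "Range"
    value: str
    cn: str
    remediation: bool
    ts: float         # seconds since the start of the demo


def range_of(ip: str) -> tuple[str, str]:
    """Return (range, country) for an IP from the constructed table."""
    for net, cn in CONSTRUCTED_RANGES.items():
        if ip_address(ip) in ip_network(net):
            return net, cn
    raise KeyError(ip)


@dataclass
class LeakyBucket:
    """Leaky bucket with `distinct` semantics: one slot per distinct key, overflow when capacity is exceeded."""
    capacity: int
    leakspeed: float                      # seconds per leaked slot
    blackhole: float                      # seconds during which a bucket that just overflowed ignores input
    queue: deque = field(default_factory=deque)   # (ts, key), oldest first
    last_leak: float = 0.0
    blackholed_until: float = float("-inf")

    def push(self, ts: float, key: str) -> bool:
        """Feed one event; return True when this event makes the bucket overflow."""
        if ts < self.blackholed_until:
            return False
        if not self.queue:                # a fresh bucket starts leaking from its first event
            self.last_leak = ts
        leaked = int((ts - self.last_leak) / self.leakspeed)
        for _ in range(min(leaked, len(self.queue))):
            self.queue.popleft()
        self.last_leak += leaked * self.leakspeed
        if any(k == key for _, k in self.queue):   # distinct: a known key takes no new slot
            return False
        self.queue.append((ts, key))
        if len(self.queue) > self.capacity:        # capacity 5 => the 6th distinct key overflows
            self.queue.clear()
            self.blackholed_until = ts + self.blackhole
            return True
        return False


class RangeScenario:
    """Model of crowdsecurity/ban-defcon-drop_range: filter on remediating Ip overflows, groupby range, distinct IP."""

    def __init__(self) -> None:
        self.buckets: dict[str, LeakyBucket] = {}

    def process(self, alert: Alert) -> Optional[Alert]:
        if alert.scope != "Ip" or not alert.remediation:   # simplified form of the scenario's filter
            return None
        rng, cn = range_of(alert.value)
        bucket = self.buckets.setdefault(rng, LeakyBucket(capacity=5, leakspeed=60.0, blackhole=300.0))
        if bucket.push(alert.ts, alert.value):
            return Alert("crowdsecurity/ban-defcon-drop_range", "Range", rng, cn, True, alert.ts)
        return None


# (name, filter, decision); evaluated top to bottom, first match wins (on_success: break).
PROFILES: list[tuple[str, Callable[[Alert], bool], tuple[str, str]]] = [
    ("default_ip_remediation", lambda a: a.remediation and a.scope == "Ip", ("ban", "4h")),
    ("default_range_remediation",
     lambda a: a.remediation and a.scope == "Range" and a.cn in ("CN", "RO"), ("ban", "4h")),
]


def apply_profiles(alert: Alert) -> list[dict]:
    """Return the decisions for an alert; an alert matching no profile is kept but yields no decision."""
    for name, match, (dtype, duration) in PROFILES:
        if match(alert):
            return [{"profile": name, "type": dtype, "duration": duration,
                     "scope": alert.scope, "value": alert.value}]
    return []


def run(ips: list[str], spacing: float = 1.0) -> dict:
    """Feed one constructed ssh-bf overflow per IP (`spacing` seconds apart) through scenario and profiles."""
    scenario = RangeScenario()
    alerts: list[Alert] = []
    decisions: list[dict] = []
    for i, ip in enumerate(ips):
        _, cn = range_of(ip)
        ip_alert = Alert("crowdsecurity/ssh-bf", "Ip", ip, cn, True, i * spacing)
        alerts.append(ip_alert)
        decisions += apply_profiles(ip_alert)
        range_alert = scenario.process(ip_alert)
        if range_alert:
            alerts.append(range_alert)
            decisions += apply_profiles(range_alert)
    return {"alerts": alerts, "decisions": decisions}


if __name__ == "__main__":
    for label, ips in (("CN", [f"39.100.227.{x}" for x in range(1, 7)]),
                       ("FR", [f"213.44.59.{x}" for x in range(1, 7)])):
        out = run(ips)
        print(label, "range alerts:", [a.value for a in out["alerts"] if a.scope == "Range"],
              "range decisions:", [d["value"] for d in out["decisions"] if d["scope"] == "Range"])
```

The same code also shows two things the log excerpts cannot: with only five distinct IPs, or with one IP repeated ten times, the bucket never overflows (distinct counts each IP once), and six distinct IPs spaced two minutes apart never fill a bucket that leaks one slot per minute.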