SSHD detection not working?

We can see that 10 overflows of the ssh-bf scenario happened.

You couldn’t find your IP address in the cscli alerts list or the cscli decisions list?

Yes, I used an American IP and there are no entries for that country/IP, and I can still try to log in to my server with that specific IP via SSH. Other IPs do get blocked now, it seems, since I don’t get double or triple alerts from the same IP anymore.

Ok, I retried my bf test and it took 12 login attempts to block the IP, which means it works now. Now I would like to know how I can reduce the number of attempts to 3 or 5 and increase the ban time to something else.

Edit: Is it possible to change the leakspeed and capacity of the ssh-bf scenarios?

Hello, currently crowdsec should emit an alert if you did 6 failed authentications in less than 10 seconds. Was that the case?

For the ban duration, it is configured in the profiles (cf. Format | CrowdSec).

You can edit the existing profile ban duration from 4h to something else for all scenarios, or you can add a new profile at the beginning of the file that will, for example, ban IPs triggering ssh bruteforce for 24h:

# Added at the top of /etc/crowdsec/profiles.yaml; profiles in that file are
# separated by a "---" line and evaluated in order.
name: default_ip_remediation
#debug: true
filters:
 # Only alerts scoped to an IP that come from the ssh-bf scenario match here.
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() == "crowdsecurity/ssh-bf"
decisions:
 - type: ban
   duration: 24h   # longer than the 4h of the default profile
notifications:
  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
# Stop here so the default profile further down does not add a second, 4h decision.
on_success: break

Edit: Is it possible to change the leakspeed and capacity of the ssh-bf scenarios?

Yes, it is possible, but your scenario will then be considered tainted and will not be updated when there is a new update for it on the hub.

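To make the "6 failures in under 10 seconds" threshold from the reply above concrete, here is an added example (not CrowdSec's own code) that replays constructed sshd "Failed password" lines through one leaky bucket per source IP. The bucket model is a simplification of CrowdSec's, and the default capacity of 5 with a 10 s leakspeed are assumed here from the reply's wording as the crowdsecurity/ssh-bf values; the log lines, hostnames and IPs are constructed for the example. It also shows why a slower, VPN-paced attack needs more attempts before the bucket overflows, and what lowering the capacity to 3 does.

```python
"""Leaky-bucket walk-through for the ssh-bf thresholds discussed in the thread.

Added example, not CrowdSec's own code. Assumptions are marked inline: the
bucket model is a simplification of CrowdSec's, and the capacity/leakspeed
defaults are taken from the reply ("6 failures in under 10 seconds").
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed hub defaults for crowdsecurity/ssh-bf: the 6th failure inside one
# 10 s leak interval overflows a bucket of capacity 5.
SSH_BF_CAPACITY = 5
SSH_BF_LEAKSPEED = 10.0  # seconds per leaked event

# sshd "Failed password" line in syslog format; anything else is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


class LeakyBucket:
    """Simplified model (assumption) of a CrowdSec leaky bucket: each event adds
    one token, one token drains per `leakspeed` seconds, and the bucket
    overflows once it holds more than `capacity` tokens."""

    def __init__(self, capacity: int, leakspeed: float) -> None:
        self.capacity = capacity
        self.leakspeed = leakspeed
        self.tokens = 0
        self.last_leak: Optional[float] = None

    def push(self, ts: float) -> bool:
        """Add one event at time `ts`; return True if the bucket overflowed."""
        if self.last_leak is None:
            self.last_leak = ts
        else:
            drained = int((ts - self.last_leak) // self.leakspeed)
            if drained:
                self.tokens = max(0, self.tokens - drained)
                self.last_leak += drained * self.leakspeed
        self.tokens += 1
        if self.tokens > self.capacity:
            # Overflow: the alert fires and a fresh bucket starts for this IP.
            self.tokens = 0
            self.last_leak = ts
            return True
        return False


def parse_failed_login(line: str) -> Optional[Tuple[str, float]]:
    """Return (source_ip, epoch_seconds) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; any fixed year keeps the deltas right.
    ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S").timestamp()
    return m["ip"], ts


def simulate(lines: List[str], capacity: int = SSH_BF_CAPACITY,
             leakspeed: float = SSH_BF_LEAKSPEED) -> Dict[str, int]:
    """Run one bucket per source IP and return, for every IP that overflowed,
    the attempt number that triggered its first alert."""
    buckets: Dict[str, LeakyBucket] = {}
    attempts: Dict[str, int] = {}
    first_overflow: Dict[str, int] = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # not a failed sshd login
        ip, ts = parsed
        attempts[ip] = attempts.get(ip, 0) + 1
        bucket = buckets.setdefault(ip, LeakyBucket(capacity, leakspeed))
        if bucket.push(ts) and ip not in first_overflow:
            first_overflow[ip] = attempts[ip]
    return first_overflow


def failed_logins(ip: str, start: int, count: int, gap: int) -> List[str]:
    """Construct `count` failed-login lines from `ip`, `gap` seconds apart."""
    out = []
    for i in range(count):
        h, rem = divmod(start + i * gap, 3600)
        m, s = divmod(rem, 60)
        out.append(f"Jan 10 {h:02d}:{m:02d}:{s:02d} bastion sshd[4242]: "
                   f"Failed password for root from {ip} port {50000 + i} ssh2")
    return out


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = (
    ["Jan 10 11:59:00 bastion sshd[4100]: Accepted publickey for ops from 203.0.113.1 port 40000 ssh2"]
    + failed_logins("203.0.113.5", 12 * 3600, 8, gap=1)           # burst: 1 s apart
    + failed_logins("192.0.2.9", 12 * 3600 + 300, 12, gap=4)      # VPN-paced: 4 s apart
    + failed_logins("198.51.100.7", 12 * 3600 + 600, 12, gap=10)  # one leak per attempt
)

if __name__ == "__main__":
    for cap in (SSH_BF_CAPACITY, 3):
        print(f"capacity={cap} leakspeed={SSH_BF_LEAKSPEED}s ->", simulate(SAMPLE_LOG, capacity=cap))
```

With the assumed defaults the 1 s burst overflows on the 6th attempt, the 4 s-paced source only on the 8th (a leak happens between attempts, which is the effect VPN latency has on a hand-typed test), and a source pacing itself at exactly one attempt per leak interval never overflows at all. Dropping the capacity to 3 moves those to the 4th and 5th attempt; that is the knob the hub scenario exposes, with the tainting caveat from the reply above, whereas the ban duration lives in the profile.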

Since I don’t have any real bf tools on my current machine, I just used ssh and spammed a random password as fast as possible. Maybe in combination with the high latency of the VPN it might have been over 10 seconds, but I’m not sure about that. Changing the profile sounds like a good option to me. Is it possible to “untaint” the scenario in an easy way, or do I have to reset the config by hand?

If you have modified the scenario, maybe running cscli scenarios upgrade <your_scenario> --force can untaint it.


Perfect! Thank you so much for helping me out. I love this project and will use crowdsec instead of good old fail2ban.

Thank you very much! Don’t hesitate to reach out to us on Gitter as well if you face any problems :)
