Hi all,
I am trying to create a simple scenario to ban ssh root connections as soon as one fails.
This scenario is OK but a little bit direct:
type: trigger
name: local/ssh-root
description: "ban root connection"
filter: "evt.Meta.log_type == 'ssh_failed-auth'"
groupby: evt.Meta.source_ip
blackhole: 1m
#reprocess: true
labels:
  service: ssh
  type: bruteforce
  remediation: true
It works, but I would like to make sure and change the filter to:
filter: "evt.Meta.log_type == 'ssh_failed-auth' and evt.Parsed.message contains 'user=root'"
This last filter never matches. It's my first scenario; is it possible to do that?
Thanks a lot,
Stephane.
Yeah, so checking our sshd parser you can see we set the failed user as a Meta property:
https://hub.crowdsec.net/author/crowdsecurity/configurations/sshd-logs
So you should be able to set the filter to:
filter: "evt.Meta.log_type == 'ssh_failed-auth' and evt.Meta.target_user == 'root'"
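To see what the filter above actually tests against, here is an added worked example (my own illustration, not CrowdSec's parser or scenario engine). It re-creates the relevant slice of the pipeline in plain Python: a syslog line is split into Parsed fields, a pam_unix "authentication failure" message is turned into the Meta fields that crowdsecurity/sshd-logs populates (log_type, service, source_ip, target_user), the filter `evt.Meta.log_type == 'ssh_failed-auth' and evt.Meta.target_user == 'root'` is evaluated, and a minimal "trigger" scenario with `groupby` and a 1m `blackhole` is run over a constructed log. The regexes, the `TriggerScenario` class and all log lines except the first are assumptions made for the example; the real parser uses grok patterns from the hub.

```python
"""Toy reconstruction of sshd failed-auth parsing plus a trigger scenario
with groupby/blackhole. Illustration only; not CrowdSec's own code."""
import re
from datetime import datetime, timedelta

# Assumed approximation of the syslog split done in stage s00-raw.
SYSLOG = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>\w+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)
# Assumed approximation of the pam_unix failure pattern in crowdsecurity/sshd-logs.
# 'user=' is optional so that a line without it yields an empty target_user.
PAM_FAILED_AUTH = re.compile(
    r"pam_unix\(sshd:auth\): authentication failure;.*?"
    r"rhost=(?P<source_ip>\S+)(?:\s+user=(?P<target_user>\S+))?"
)


def parse_line(line):
    """Return an event dict shaped like evt (Parsed/Meta/Time), or None if
    the line is not an sshd pam_unix authentication failure."""
    m = SYSLOG.match(line)
    if not m or m.group("program") != "sshd":
        return None
    p = PAM_FAILED_AUTH.search(m.group("message"))
    if not p:
        return None
    return {
        "Parsed": m.groupdict(),
        # Year is not in the syslog timestamp; strptime defaults it to 1900,
        # which is fine for the ordering used below.
        "Time": datetime.strptime(m.group("timestamp"), "%b %d %H:%M:%S"),
        "Meta": {
            "log_type": "ssh_failed-auth",
            "service": "ssh",
            "source_ip": p.group("source_ip"),
            "target_user": p.group("target_user") or "",
        },
    }


def root_failed_auth(evt):
    """The filter from the reply above, expressed in Python."""
    return (evt["Meta"].get("log_type") == "ssh_failed-auth"
            and evt["Meta"].get("target_user") == "root")


class TriggerScenario:
    """Minimal model of a 'trigger' scenario: the first matching event for a
    groupby key raises an alert; further events for that key are dropped
    until the blackhole window has elapsed."""

    def __init__(self, name, filt, groupby, blackhole):
        self.name, self.filt, self.groupby, self.blackhole = name, filt, groupby, blackhole
        self.blackhole_until = {}

    def feed(self, evt):
        if not self.filt(evt):
            return None
        key = evt["Meta"].get(self.groupby)
        until = self.blackhole_until.get(key)
        if until is not None and evt["Time"] < until:
            return None  # still blackholed for this source
        self.blackhole_until[key] = evt["Time"] + self.blackhole
        return {"scenario": self.name, "source": key, "remediation": True}


# Constructed sample log. Only the first line comes from the post above.
SAMPLE_LOG = [
    "Oct 1 00:01:41 minipc1 sshd[538922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root",
    "Oct 1 00:01:50 minipc1 sshd[538930]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root",
    "Oct 1 00:02:05 minipc1 sshd[538940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.6.7.8 user=bob",
    "Oct 1 00:02:10 minipc1 sshd[538941]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.6.7.8 user=root",
    "Oct 1 00:02:20 minipc1 sshd[538942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.9.9.9",
    "Oct 1 00:03:00 minipc1 sshd[538950]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root",
    "Oct 1 00:03:01 minipc1 cron[1]: (root) CMD (run-parts /etc/cron.hourly)",
]


def run_sample(lines=SAMPLE_LOG):
    """Run the root-only trigger scenario over the lines; return the alerts."""
    scenario = TriggerScenario("local/ssh-root", root_failed_auth,
                               "source_ip", timedelta(minutes=1))
    alerts = []
    for line in lines:
        evt = parse_line(line)
        if evt is None:
            continue
        alert = scenario.feed(evt)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Running it yields three alerts: 1.2.3.4 at 00:01:41, 5.6.7.8 at 00:02:10, and 1.2.3.4 again at 00:03:00 once its one-minute blackhole has expired. The second 1.2.3.4 attempt is swallowed by the blackhole, the `user=bob` line fails the filter, and the line with no `user=` field gets an empty `target_user` and is ignored, which is the behaviour the empty-Meta output later in this thread would produce.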
Hi @iiAmLoz
I tried this, but when I run the command below, evt.Meta.target_user is empty.
Log entry:
Oct 1 00:01:41 minipc1 sshd[538922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
Explain:
sudo cscli explain -v --file /tmp/log2 --type=syslog
line: Oct 1 00:01:41 minipc1 sshd[538922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
├ s00-raw
| ├ 🟢 crowdsecurity/syslog-logs (+9 ~9)
|   └ update evt.ExpectMode : %!s(int=0) -> 1
|   └ update evt.Stage : -> s01-parse
|   └ update evt.Line.Raw : -> Oct 1 00:01:41 minipc1 sshd[538922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
|   └ update evt.Line.Src : -> /tmp/log2
|   └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-10-02 09:49:20.136747444 +0000 UTC
|   └ create evt.Line.Labels.type : syslog
|   └ update evt.Line.Process : %!s(bool=false) -> true
|   └ update evt.Line.Module : -> file
|   └ create evt.Parsed.logsource : syslog
|   └ create evt.Parsed.message : pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
|   └ create evt.Parsed.pid : 538922
|   └ create evt.Parsed.priority :
|   └ create evt.Parsed.program : sshd
|   └ create evt.Parsed.timestamp : Oct 1 00:01:41
|   └ create evt.Parsed.timestamp8601 :
|   └ create evt.Parsed.facility :
|   └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-10-02 09:49:20.136802472 +0000 UTC
|   └ update evt.StrTime : -> Oct 1 00:01:41
├ s01-parse
| ├ 🔴 cowrie-logs
| ├ 🔴 crowdsecurity/apache2-logs
| ├ 🔴 crowdsecurity/dovecot-logs
| ├ 🔴 crowdsecurity/iptables-logs
| ├ 🔴 crowdsecurity/modsecurity
| ├ 🔴 crowdsecurity/mysql-logs
| ├ 🔴 crowdsecurity/nginx-logs
| ├ 🔴 crowdsecurity/postfix-logs
| ├ 🔴 crowdsecurity/postscreen-logs
| ├ 🔴 crowdsecurity/smb-logs
| ├ 🟢 crowdsecurity/sshd-logs (+5 ~1)
|   └ update evt.Stage : s01-parse -> s02-enrich
|   └ create evt.Parsed.source_ip : 1.2.3.4
|   └ create evt.Parsed.sshd_invalid_user :
|   └ create evt.Meta.service : ssh
|   └ create evt.Meta.target_user :
|   └ create evt.Meta.log_type : ssh_failed-auth
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+1 ~2)
|   └ create evt.Enriched.MarshaledTime : 2023-10-01T00:01:41Z
|   └ update evt.Time : 2023-10-02 09:49:20.136802472 +0000 UTC -> 2023-10-01 00:01:41 +0000 UTC
|   └ update evt.MarshaledTime : -> 2023-10-01T00:01:41Z
| ├ 🔴 crowdsecurity/geoip-enrich
| ├ 🔴 crowdsecurity/http-logs
| ├ 🔴 crowdsecurity/naxsi-logs
| ├ 🟢 crowdsecurity/whitelists (unchanged)
├-------- parser success 🟢
├ Scenarios
  ├ 🟢 crowdsecurity/ssh-bf
  ├ 🟢 crowdsecurity/ssh-bf_user-enum
  ├ 🟢 crowdsecurity/ssh-slow-bf
  └ 🟢 crowdsecurity/ssh-slow-bf_user-enum
Any idea?
Indeed, it seems that the ban is done correctly, even if evt.Meta.target_user is empty.
This works fine for me?
$ cscli explain --log 'Oct 1 00:01:41 minipc1 sshd[538922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root' --type syslog -v
line: Oct 1 00:01:41 minipc1 sshd[538922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
├ s00-raw
| ├ 🟢 crowdsecurity/syslog-logs (+12 ~9)
|   └ update evt.ExpectMode : %!s(int=0) -> 1
|   └ update evt.Stage : -> s01-parse
|   └ update evt.Line.Raw : -> Oct 1 00:01:41 minipc1 sshd[538922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
|   └ update evt.Line.Src : -> /tmp/cscli_explain861569487/cscli_test_tmp.log
|   └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-10-02 10:06:53.538351249 +0000 UTC
|   └ create evt.Line.Labels.type : syslog
|   └ update evt.Line.Process : %!s(bool=false) -> true
|   └ update evt.Line.Module : -> file
|   └ create evt.Parsed.pid : 538922
|   └ create evt.Parsed.priority :
|   └ create evt.Parsed.program : sshd
|   └ create evt.Parsed.timestamp : Oct 1 00:01:41
|   └ create evt.Parsed.timestamp8601 :
|   └ create evt.Parsed.facility :
|   └ create evt.Parsed.logsource : syslog
|   └ create evt.Parsed.message : pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
|   └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-10-02 10:06:53.538395487 +0000 UTC
|   └ update evt.StrTime : -> Oct 1 00:01:41
|   └ create evt.Meta.machine : minipc1
|   └ create evt.Meta.datasource_path : /tmp/cscli_explain861569487/cscli_test_tmp.log
|   └ create evt.Meta.datasource_type : file
├ s01-parse
| ├ 🟢 crowdsecurity/sshd-logs (+9 ~1)
|   └ update evt.Stage : s01-parse -> s02-enrich
|   └ create evt.Parsed.pam_type : unix
|   └ create evt.Parsed.sshd_invalid_user : root
|   └ create evt.Parsed.sshd_client_ip : 1.2.3.4
|   └ create evt.Parsed.uid : 0
|   └ create evt.Parsed.euid : 0
|   └ create evt.Meta.log_type : ssh_failed-auth
|   └ create evt.Meta.service : ssh
|   └ create evt.Meta.source_ip : 1.2.3.4
|   └ create evt.Meta.target_user : root
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
|   └ create evt.Enriched.MarshaledTime : 2023-10-01T00:01:41Z
|   └ update evt.Time : 2023-10-02 10:06:53.538395487 +0000 UTC -> 2023-10-01 00:01:41 +0000 UTC
|   └ update evt.MarshaledTime : -> 2023-10-01T00:01:41Z
|   └ create evt.Meta.timestamp : 2023-10-01T00:01:41Z
| ├ 🟢 crowdsecurity/geoip-enrich (+10)
|   └ create evt.Enriched.ASNumber : 0
|   └ create evt.Enriched.IsInEU : false
|   └ create evt.Enriched.IsoCode : AU
|   └ create evt.Enriched.Latitude : -33.494000
|   └ create evt.Enriched.Longitude : 143.210400
|   └ create evt.Enriched.ASNNumber : 0
|   └ create evt.Enriched.ASNOrg :
|   └ create evt.Meta.IsInEU : false
|   └ create evt.Meta.ASNNumber : 0
|   └ create evt.Meta.IsoCode : AU
├-------- parser success 🟢
├ Scenarios
  ├ 🟢 crowdsecurity/ssh-bf
  ├ 🟢 crowdsecurity/ssh-bf_user-enum
  ├ 🟢 crowdsecurity/ssh-slow-bf
  └ 🟢 crowdsecurity/ssh-slow-bf_user-enum
Can you ensure your parsers / version are up to date via:
cscli hub update
cscli hub upgrade
Yes, it's up to date on this Debian. I notice also that geoip failed.
It works well (as for you) on 2 other virtual machines (one Debian and one CentOS 7).
I will try to reinstall crowdsec.
Thanks for your help!
@iiAmLoz
After reinstalling crowdsec (…) it works as expected!