
SSH successful collection #824

Open
2 of 3 tasks
LaurenceJJones opened this issue Sep 6, 2023 · 7 comments
Comments

@LaurenceJJones
Contributor

LaurenceJJones commented Sep 6, 2023

After https://www.crowdsec.net/blog/detecting-successful-ssh-brute-force we should package up a collection that can detect successful ssh logins and can generate an alert and decisions on the last IP.

(Note: I will make clear that this is not a silver bullet unless they also temporarily ban the user, as they can switch IP and just log in again.)

  • Create successful ssh collection
  • Include details about notifications and that it bans the last IP
  • Write a blog article about using custom bouncer to temporary block users
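The detection the collection is meant to package, as an added example that is not crowdsec's own parser or scenario and not code from this issue: a small Python detector that replays sshd log lines, keeps the recent failed-password attempts per user, and, when a login for that user is finally accepted after enough failures, raises an alert carrying the IP that succeeded (the "last IP" a decision would be taken on) together with the user name, so the operator can also act on the account, which is the caveat raised above. The syslog line layout, the threshold, the time window, and the sample log lines (documentation IP ranges) are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog layout for sshd lines: "Mon DD HH:MM:SS host sshd[pid]: <Failed|Accepted> ...".
# Both the failure and the success line carry the user and the remote IP.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

FAIL_THRESHOLD = 5              # constructed: failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)  # constructed: only failures this recent count


def parse_line(line, year=2024):
    """Return a dict for an sshd Failed/Accepted line, or None for anything else."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    # syslog timestamps have no year; the caller supplies one (assumption)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_successful_bruteforce(lines):
    """Alert when a user's login is accepted after >= FAIL_THRESHOLD recent failures.

    The alert names the IP of the accepted login (the one a ban decision
    targets) and the user, since the same actor can come back from another IP.
    """
    failures = defaultdict(list)  # user -> [(ts, ip), ...] of recent failed attempts
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hist = failures[ev["user"]]
        cutoff = ev["ts"] - WINDOW
        hist[:] = [(t, ip) for t, ip in hist if t >= cutoff]  # expire old failures
        if ev["result"] == "Failed":
            hist.append((ev["ts"], ev["ip"]))
            continue
        # An accepted login: suspicious only if it follows a burst of failures
        if len(hist) >= FAIL_THRESHOLD:
            alerts.append({
                "user": ev["user"],
                "decision_ip": ev["ip"],  # the IP that finally got in
                "failed_attempts": len(hist),
                "attacker_ips": sorted({ip for _, ip in hist}),
                "ts": ev["ts"],
            })
        hist.clear()  # a success resets the user's failure history
    return alerts


# Constructed sample log: five failures against "alice" from two IPs, a stray
# failure for a non-existent user, a clean key login for "bob", then "alice"
# accepted from a third IP (the actor switched addresses before succeeding).
SAMPLE_LOG = [
    "Jan 19 19:00:01 host sshd[1201]: Failed password for alice from 203.0.113.5 port 50001 ssh2",
    "Jan 19 19:00:03 host sshd[1202]: Failed password for alice from 203.0.113.5 port 50002 ssh2",
    "Jan 19 19:00:05 host sshd[1203]: Failed password for alice from 203.0.113.9 port 50003 ssh2",
    "Jan 19 19:00:07 host sshd[1204]: Failed password for alice from 203.0.113.9 port 50004 ssh2",
    "Jan 19 19:00:09 host sshd[1205]: Failed password for invalid user admin from 203.0.113.9 port 50005 ssh2",
    "Jan 19 19:00:11 host sshd[1206]: Failed password for alice from 203.0.113.9 port 50006 ssh2",
    "Jan 19 19:00:20 host sshd[1207]: Accepted publickey for bob from 192.0.2.10 port 50007 ssh2: ED25519 SHA256:constructedfingerprint",
    "Jan 19 19:00:30 host sshd[1208]: Accepted password for alice from 198.51.100.7 port 50008 ssh2",
]

if __name__ == "__main__":
    for alert in detect_successful_bruteforce(SAMPLE_LOG):
        print(f"ALERT user={alert['user']} ban={alert['decision_ip']} "
              f"failures={alert['failed_attempts']} from={alert['attacker_ips']}")
```

Running it prints one alert for alice, pointing the decision at 198.51.100.7 while listing 203.0.113.5 and 203.0.113.9 as the sources of the failures; bob's key login produces nothing because no failures preceded it. A real scenario would also need to decide what to do about the user, since banning only the last IP leaves the compromised account usable from elsewhere.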
@LaurenceJJones
Contributor Author

Link to #825

@Eirikr70

Hello, with Debian Bookworm abandoning auth.log for ssh connections, will Crowdsec provide a solution for securing ssh?

@LaurenceJJones
Contributor Author

> Hello, with Debian Bookworm abandoning auth.log for ssh connections, will Crowdsec provide a solution for securing ssh?

Yes, we support journald output; see the documentation, where you can see the current ssh example for Debian 12.

@Eirikr70

How can Crowdsec, installed in a Docker container, read the syslog of the host?

@LaurenceJJones
Contributor Author

LaurenceJJones commented Jan 19, 2024

> How can Crowdsec, installed in a Docker container, read the syslog of the host?

Mount the journal files from the host into the container, and then set up acquisition to find the files via journald. You need to use the debian flavour tag, as that is the one that has the journalctl binary.

Here is an example of acquisition: https://github.com/crowdsecurity/home-assistant-addons/blob/234549b74260ae698c5f6462a19ad5f27f7b5b5f/crowdsec/config.yaml#L23-L28

We also have an example in our docker-compose repository: https://github.com/crowdsecurity/example-docker-compose/blob/main/journald/docker-compose.yml

@Eirikr70

Eirikr70 commented Jan 19, 2024

I get this fatal error:

crowdsec  | time="19-01-2024 19:00:02" level=info msg="initiating plugin broker"
crowdsec  | time="19-01-2024 19:00:02" level=fatal msg="api server init: unable to run plugin broker: while loading plugin: while getting process attributes: group: unknown group nobody"
crowdsec  | time="19-01-2024 19:00:02" level=fatal msg="api server init: unable to run plugin broker: while loading plugin: while getting process attributes: group: unknown group nobody"

I have tried to change the user in the config.yaml, with no success.

@LaurenceJJones
Contributor Author

LaurenceJJones commented Jan 19, 2024

> I get this fatal error:
>
> crowdsec  | time="19-01-2024 19:00:02" level=info msg="initiating plugin broker"
> crowdsec  | time="19-01-2024 19:00:02" level=fatal msg="api server init: unable to run plugin broker: while loading plugin: while getting process attributes: group: unknown group nobody"
> crowdsec  | time="19-01-2024 19:00:02" level=fatal msg="api server init: unable to run plugin broker: while loading plugin: while getting process attributes: group: unknown group nobody"
>
> I have tried to change the user in the config.yaml, with no success.

crowdsecurity/crowdsec#2711

So for Debian the valid configuration is:

plugin_config:
  user: nobody
  group: nogroup
