feat: add SSH slow brute-force detection scenarios (very-slow, ultra-slow, glacial)#1694

Open
Etilem wants to merge 1 commit into crowdsecurity:master from Etilem:feat/ssh-slow-bf

Conversation


@Etilem Etilem commented Feb 21, 2026

Summary

Add a tiered set of SSH brute-force detection scenarios that catch evasive attackers spacing login attempts from 1 hour to 8+ hours apart. These scenarios extend the existing detection chain beyond what crowdsecurity/ssh-time-based-bf covers (~2h effective window).

Developed and battle-tested on a production mail/web server processing ~5000 SSH log entries per day, where they detected previously undetected multi-day slow brute-force attacks.

Problem

Current CrowdSec SSH detection chain:

| Existing Scenario | Approach | Effective Window |
|---|---|---|
| crowdsecurity/ssh-bf | Leaky bucket 1s | ~seconds |
| crowdsecurity/ssh-slow-bf | Leaky bucket 60s | ~11 minutes |
| crowdsecurity/ssh-time-based-bf | Conditional (MedianInterval > 10min), leakspeed 2h | ~2 hours |

Gap beyond ~2 hours: Attackers spacing attempts 3+ hours apart evade all existing scenarios because events leak out of ssh-time-based-bf before accumulating. Real-world examples observed:

  • Bots doing micro-bursts of 3 attempts every 9 hours over 5 days
  • Targeted attacks with 1 attempt every ~8 hours over 3 days

Scenarios (extending the detection chain)

These scenarios pick up where crowdsecurity/ssh-time-based-bf leaves off:

| Scenario | Leakspeed | Capacity | Window | Use Case |
|---|---|---|---|---|
| crowdsecurity/ssh-time-based-bf | 2h | -1 | ~2h | Existing: > 10min spacing |
| melite/ssh-very-slow-bf | 4h | 5 | 24h | 1-3h spacing (extends time-based-bf) |
| melite/ssh-ultra-slow-bf | 12h | 9 | 5 days | Multi-day micro-bursts (9h+ intervals) |
| melite/ssh-glacial-bf | 18h | 3 | 72h | ~1 attempt per 8 hours |

Each scenario includes a _user-enum variant (using distinct on target_user).

Why not just tune ssh-time-based-bf? The ssh-time-based-bf approach (conditional with MedianInterval) is fundamentally different from leaky bucket. It requires events to accumulate within its 2h leakspeed window. For attacks spanning days, a pure leaky bucket with a very slow leak rate is more appropriate — it tracks a single counter per IP that slowly decays, using minimal memory.

Parser

melite/sshd-preauth-disconnect (s01-parse): Catches Received disconnect from IP port N:11: [preauth] lines that crowdsecurity/sshd-logs misses. Each SSH key-scanning attempt generates two log lines, but only one was previously parsed. This parser doubles the event count for all SSH scenarios, making detection faster.

Testing

cscli hubtest run ssh-very-slow-bf --save-results
cscli hubtest run ssh-ultra-slow-bf --save-results
cscli hubtest run ssh-glacial-bf --save-results
cscli hubtest run sshd-preauth-disconnect --save-results

Dependencies

  • crowdsecurity/syslog-logs
  • crowdsecurity/sshd-logs
  • crowdsecurity/dateparse-enrich

Add tiered SSH brute-force detection scenarios that catch evasive attackers
spacing login attempts from 1 hour to 8+ hours apart:
- melite/ssh-very-slow-bf (leakspeed 4h, capacity 5)
- melite/ssh-ultra-slow-bf (leakspeed 12h, capacity 9)
- melite/ssh-glacial-bf (leakspeed 18h, capacity 3)

Includes parser melite/sshd-preauth-disconnect (s01-parse) and hub tests.
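Added example, not code from this PR or from CrowdSec: a small simulator that checks the tiers in the table above against the two attack cadences the description reports, and that shows what the preauth-disconnect parser changes. It assumes a simplified leaky bucket (the level drains continuously at one event per leakspeed and overflows when it exceeds capacity; CrowdSec's real implementation may differ in detail), it uses hand-written regexes in place of the hub's grok patterns, the sshd log lines are constructed, and the "2h bucket" used to illustrate the gap is a plain leaky bucket standing in for ssh-time-based-bf, whose conditional logic is not modelled.

```python
"""Sanity-check the PR's tiers (added example; continuous-drain model, constructed logs)."""
import re
from datetime import datetime, timedelta

# Tiers exactly as listed in the PR table: name -> (leakspeed in hours, capacity).
TIERS = {
    "melite/ssh-very-slow-bf": (4.0, 5),
    "melite/ssh-ultra-slow-bf": (12.0, 9),
    "melite/ssh-glacial-bf": (18.0, 3),
}
START = datetime(2026, 2, 21)

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Line shape the existing sshd-logs parser already handles (assumed regex, not the hub grok).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
# Line shape the PR's melite/sshd-preauth-disconnect parser adds (disconnect code 11).
PREAUTH_DISCONNECT_RE = re.compile(
    r"Received disconnect from (?P<ip>\S+) port (?P<port>\d+):(?P<code>\d+): .*\[preauth\]")


def parse_line(line):
    """Return (timestamp, source_ip, kind) for a failed-auth event, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    f = FAILED_RE.search(m["msg"])
    if f:
        return ts, f["ip"], "failed"
    d = PREAUTH_DISCONNECT_RE.search(m["msg"])
    if d and d["code"] == "11":
        return ts, d["ip"], "preauth-disconnect"
    return None


class LeakyBucket:
    """Continuous-drain model of one bucket keyed on a single source IP."""

    def __init__(self, leakspeed_h, capacity):
        self.leakspeed = timedelta(hours=leakspeed_h)
        self.capacity = capacity
        self.level = 0.0
        self.last = None

    def push(self, ts):
        """Add one event at `ts`; True if the bucket overflows on this event."""
        if self.last is not None:
            # Events leak out at one per leakspeed while the bucket sits idle.
            self.level = max(0.0, self.level - (ts - self.last) / self.leakspeed)
        self.last = ts
        self.level += 1
        return self.level > self.capacity


def first_overflow(timestamps, leakspeed_h, capacity):
    """1-based event number at which the bucket overflows, or None if it never does."""
    bucket = LeakyBucket(leakspeed_h, capacity)
    for n, ts in enumerate(sorted(timestamps), 1):
        if bucket.push(ts):
            return n
    return None


def never_overflows(interval_h, burst, leakspeed_h, capacity):
    """Closed-form evasion check: `burst` attempts every `interval_h` hours can never
    overflow if each burst fits in the bucket and fully drains before the next one."""
    return burst <= capacity and burst - interval_h / leakspeed_h <= 0


def cadence(start, interval_h, burst, periods):
    """Constructed attack timeline: `periods` bursts of `burst` attempts, `interval_h` apart."""
    return [start + timedelta(hours=interval_h * k) for k in range(periods) for _ in range(burst)]


def detect(log, tier, kinds):
    """Run one tier over raw log text, counting only event kinds in `kinds`."""
    leakspeed_h, capacity = TIERS[tier]
    per_ip = {}
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in kinds:
            per_ip.setdefault(parsed[1], []).append(parsed[0])
    return {ip: first_overflow(ts, leakspeed_h, capacity) for ip, ts in per_ip.items()}


# Constructed sshd log: one attacker probing every 8 hours (each probe leaves a
# "Failed password" line and a ":11: [preauth]" disconnect), plus a legitimate login.
LOG = """\
2026-02-21T00:00:00 mail sshd[4101]: Failed password for root from 203.0.113.7 port 51022 ssh2
2026-02-21T00:00:01 mail sshd[4101]: Received disconnect from 203.0.113.7 port 51022:11: Bye Bye [preauth]
2026-02-21T08:00:00 mail sshd[4388]: Failed password for root from 203.0.113.7 port 51310 ssh2
2026-02-21T08:00:01 mail sshd[4388]: Received disconnect from 203.0.113.7 port 51310:11: Bye Bye [preauth]
2026-02-21T09:15:00 mail sshd[4400]: Accepted publickey for alice from 198.51.100.4 port 40122 ssh2
2026-02-21T16:00:00 mail sshd[4702]: Failed password for invalid user admin from 203.0.113.7 port 51544 ssh2
2026-02-21T16:00:01 mail sshd[4702]: Received disconnect from 203.0.113.7 port 51544:11: Bye Bye [preauth]
2026-02-22T00:00:00 mail sshd[5011]: Failed password for root from 203.0.113.7 port 51812 ssh2
2026-02-22T00:00:01 mail sshd[5011]: Received disconnect from 203.0.113.7 port 51812:11: Bye Bye [preauth]
2026-02-22T08:00:00 mail sshd[5320]: Failed password for root from 203.0.113.7 port 52007 ssh2
2026-02-22T08:00:01 mail sshd[5320]: Received disconnect from 203.0.113.7 port 52007:11: Bye Bye [preauth]
"""

if __name__ == "__main__":
    # The two cadences the PR reports, against the tiers meant to catch them.
    print("3 every 9h vs ultra-slow-bf:", first_overflow(cadence(START, 9, 3, 14), 12.0, 9))
    print("1 every 8h vs glacial-bf:   ", first_overflow(cadence(START, 8, 1, 9), 18.0, 3))
    # Stand-in for the gap the PR describes: a plain 2h-leakspeed bucket never fills.
    print("1 every 8h evades 2h bucket:", never_overflows(8, 1, 2.0, 5))
    # Counting the preauth disconnect lines brings detection forward by one probe.
    print("glacial, both line types:", detect(LOG, "melite/ssh-glacial-bf", {"failed", "preauth-disconnect"}))
    print("glacial, failed only:    ", detect(LOG, "melite/ssh-glacial-bf", {"failed"}))
```

Under this model the 3-every-9h cadence fills the 12h/9 bucket on the 12th attempt (fourth burst, 27h in), and 1-every-8h fills the 18h/3 bucket on the 5th attempt; any bucket whose leakspeed is shorter than the attack interval, such as a plain 2h one, sits at a level of 1 forever, which is the gap the description points at. Counting both log lines per probe moves the glacial overflow from the 5th probe to the 4th on the constructed log.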