brutedet - Simple bruteforce detection tool.

Synopsis
On this page you’ll find a simple, drop-in bruteforce detection program. brutedet is a very lightweight implementation in portable C and doesn’t require any external dependencies besides a standard C library. It should run under all modern POSIX-like systems (Linux, *BSD, etc.). The program itself knows nothing about IP addresses or the structure of the data being fed to it: one simply feeds textual lines of data to its standard input. Each line is then counted in a counting Bloom filter for each of three time buckets: a 10 second period, a 60 second period and a 10 minute period. The thresholds for each bucket are user-configurable; once a threshold is reached, a bruteforce attempt is detected and a supplied command is executed. One can then, for example, add a firewall rule to block a certain IP address.
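As an added illustration of the counting scheme just described (this is not brutedet’s own source; the window lengths follow the text, while the thresholds, slot count, hash function and sample keys are assumptions), here is a minimal C implementation that reads keys from standard input and reports when a window’s threshold is reached:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Hypothetical re-implementation of the scheme the page describes, not brutedet's own code:
 * three time windows (10 s, 60 s, 10 min), each a counting Bloom filter; thresholds are made up. */
#define NBUCKETS 3
#define SLOTS    4096
#define KHASH    3
static const long     win_len[NBUCKETS] = {10, 60, 600};
static const uint16_t win_max[NBUCKETS] = {5, 20, 100};
struct window { uint16_t count[SLOTS]; long start; };
static struct window win[NBUCKETS];
/* FNV-1a with a per-function seed: KHASH calls give KHASH slot indices for one key. */
static unsigned slot(const char *key, unsigned seed) {
    uint32_t h = 2166136261u ^ seed;
    for (; *key; key++) { h ^= (unsigned char)*key; h *= 16777619u; }
    return h % SLOTS;
}

/* Record one input line (e.g. a client IP) seen at epoch second 'now'; returns the smallest
 * window index whose threshold the key's estimated count has reached, or -1 if none.
 * The minimum over the KHASH counters is the Bloom estimate: collisions can only over-count,
 * so an alert may occasionally be spurious but a genuine burst is never missed. */
int observe(const char *key, long now) {
    int hit = -1;
    for (int b = 0; b < NBUCKETS; b++) {
        struct window *w = &win[b];
        if (now - w->start >= win_len[b]) {            /* window elapsed: start a fresh count */
            memset(w->count, 0, sizeof w->count);
            w->start = now;
        }
        uint16_t est = UINT16_MAX;
        for (unsigned k = 0; k < KHASH; k++) {
            unsigned s = slot(key, k);
            if (w->count[s] < UINT16_MAX) w->count[s]++;   /* saturate rather than wrap */
            if (w->count[s] < est) est = w->count[s];
        }
        if (est >= win_max[b] && hit < 0) hit = b;
    }
    return hit;
}
/* Stand-alone driver: one key per stdin line; prints an alert where brutedet runs its command. */
int main(void) {
    char line[512];
    while (fgets(line, sizeof line, stdin)) {
        line[strcspn(line, "\r\n")] = '\0';
        int b = observe(line, (long)time(NULL));
        if (b >= 0) printf("%lds-window threshold reached by %s\n", win_len[b], line);
    }
    return 0;
}
```

Because the estimate can only over-count, a production version would want more slots (or more windows) as the number of distinct keys grows, otherwise unrelated clients start sharing counters.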

The tool is just a quick proof of concept, but it might be useful when one doesn’t have the time and resources to add integrated bruteforce detection to a possibly very complex web application stack. It’s easy to filter for, say, very CPU-intensive URLs and set specific thresholds for those URLs. Two examples of usage of the tool are provided below: one in which a webserver is protected and another in which TCP SYN scans are detected.

Dependencies:
+ Any Linux platform and CMake
+ fail2ban http://www.fail2ban.org/

Usage:

Source: https://github.com/gvb84