
Add Audiobookshelf collection #1153

Merged
merged 4 commits into from
Nov 14, 2024

Conversation

plague-doctor
Contributor

A collection to defend Audiobookshelf self hosted deployments against common attacks.

  • Add Audiobookshelf parser
  • Add Audiobookshelf scenario to detect brute force attacks

@LaurenceJJones
Contributor

LaurenceJJones commented Nov 13, 2024

Hey 👋🏻

Thank you for the PR. Do you have any log lines we can add to some tests to ensure the parser works? Plus it will help us keep compatibility moving forward in case anything changes to crowdsec / patterns. You can redact any PII data (IP address, usernames) and provide a placeholder, e.g. `<ipaddress>`, and I can insert some fake data there.

Edit: plus a crowdsec team member is currently running this inside a homelab and it seems you might have JSON logs? Is this the default or a custom setting you have enabled?

@plague-doctor
Contributor Author

Sure. Here you are:

```json
{"timestamp":"2024-11-13 11:03:31.784","source":"Auth.js:888","message":"[Auth] Failed login attempt for username \"<username>\" from ip <ipaddress> (Invalid password)","levelName":"ERROR","level":4}
{"timestamp":"2024-11-13 09:07:05.896","source":"Auth.js:888","message":"[Auth] Failed login attempt for username \"Hfhh\" from ip <ipaddress> (User not found)","levelName":"ERROR","level":4}
{"timestamp":"2024-11-13 09:07:17.741","source":"Auth.js:888","message":"[Auth] Failed login attempt for username \"Hfhh\" from ip <ipaddress> (User not found)","levelName":"ERROR","level":4}
{"timestamp":"2024-11-13 11:03:31.784","source":"Auth.js:888","message":"[Auth] Failed login attempt for username \"<username>\" from ip <ipaddress> (Invalid password)","levelName":"ERROR","level":4}
```

Yes, this is a JSON log by default. There is no option to change the format.

@blotus
Member

blotus commented Nov 14, 2024

Hey @plague-doctor,

How is audiobookshelf deployed? I have an instance running in docker, and my logs are not in JSON (AFAIK, it's using a default configuration, and should be on the latest version):

```
[2024-11-13 09:54:35.882] ERROR: [Auth] Failed login attempt for username "fooobar" from ip 2a01:e0a:5b5:5cf1:f4b2:8900:482:39de (User not found) (Auth.js:888)
```

@LaurenceJJones
Contributor

Hey 👋🏻

I extended the parser a little to support non-JSON logs like the ones @blotus has, and added some tests (positive failed auths and positive authentication requests).

Can you take a look over my changes and if you are happy we can proceed.
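As an added example (not code from this PR or from the CrowdSec hub), the following Python mirrors what the parser and scenario described in this thread have to do: extract username, source IP and failure reason from a failed-login line in either the JSON format or the plain-text format quoted above, and flag any source that exceeds a failed-login threshold inside a time window. The sample lines, the documentation-range IPs, and the threshold and window values are constructed assumptions, not values from the collection.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

MSG_RE = re.compile(r'\[Auth\] Failed login attempt for username "(?P<username>[^"]*)" '
                    r'from ip (?P<ip>\S+) \((?P<reason>[^)]*)\)')  # message body, same in both formats
TEXT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<level>\w+): (?P<msg>.*) \((?P<source>[^)]+)\)$')  # [ts] LEVEL: msg (source)

def parse_line(line):
    """Return {ts, username, ip, reason} for a failed-login line in either format, else None."""
    line = line.strip()
    if line.startswith("{"):  # JSON format (the default on current releases)
        try:
            rec = json.loads(line)
        except ValueError:
            return None
        ts, msg = rec.get("timestamp", ""), rec.get("message", "")
    else:  # plain-text format like the docker example quoted above
        m = TEXT_RE.match(line)
        if not m:
            return None
        ts, msg = m.group("ts"), m.group("msg")
    m = MSG_RE.search(msg)
    if not m:  # only failed logins count; every other line is ignored
        return None
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), **m.groupdict()}

def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """IPs with at least `threshold` failed logins inside any sliding `window` (simplified bucket logic)."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

# Constructed sample input (documentation-range IPs), modelled on the lines quoted in this thread.
JSON_TEMPLATE = '{"timestamp":"2024-11-13 11:03:%02d.000","source":"Auth.js:888","message":"[Auth] Failed login attempt for username \\"admin\\" from ip 198.51.100.7 (Invalid password)","levelName":"ERROR","level":4}'
SAMPLE_LINES = [JSON_TEMPLATE % s for s in (31, 34, 38, 41, 45)] + [
    '[2024-11-13 09:54:35.882] ERROR: [Auth] Failed login attempt for username "fooobar" from ip 203.0.113.9 (User not found) (Auth.js:888)',
    '{"timestamp":"2024-11-13 11:03:50.000","source":"Server.js:1","message":"[Server] Listening","levelName":"INFO","level":2}']
```

Running `brute_force_sources(SAMPLE_LINES)` flags only the address with five failures inside one minute; the single plain-text failure stays below the threshold, and the non-auth line is ignored by the parser.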

@LaurenceJJones
Contributor

Helps users with advplyr/audiobookshelf#2579

Contributor

@LaurenceJJones LaurenceJJones left a comment


LGTM, but it is like signing my own homework; I'll let others from the team approve also.

@LaurenceJJones LaurenceJJones merged commit 238067b into crowdsecurity:master Nov 14, 2024
2 checks passed
@LaurenceJJones
Contributor

I merged since we added tests and all should be working.

Thank you @plague-doctor for creating the PR and your first contribution to the crowdsec hub.

You can now download the collection by running

```sh
sudo cscli collections install PlagueDoctor/audiobookshelf
```

If you get a "not found", you may need to run

```sh
sudo cscli hub update
```

beforehand! I linked an issue from audiobookshelf; hopefully we will be able to bring some light to this new collection and introduce new users to CrowdSec because of it 🎆

@LaurenceJJones
Contributor

We are investigating an issue on our side: your changes are published; however, there is currently an issue downloading them remotely.

I will update this PR once we have it resolved.

@plague-doctor
Contributor Author

plague-doctor commented Nov 14, 2024

@blotus I run this in docker. As per this information: https://www.audiobookshelf.org/guides/server_logs#server-logs the logs are JSON. I vaguely remember they were a plain text a while ago, but it has changed.

> By default, server log levels are set to Info. The 3 log levels in order of increasing information are Warn, Info, and Debug. Logs can be viewed in the web browser, but all logs are stored in /metadata/logs as JSON files.

@LaurenceJJones Thanks for taking care of the quirks of the grok configuration. Thanks a lot!

I am still unable to install with

```sh
cscli collections install PlagueDoctor/audiobookshelf
```

even after

```sh
cscli hub update
```

I get:

```
Failed to install collections/PlagueDoctor/audiobookshelf, running hub update before retrying
level=info msg="hub index is up to date"
level=fatal msg="can't find 'PlagueDoctor/audiobookshelf' in collections"
9968cf27da03:/# cscli hub update
INFO hub index is up to date
9968cf27da03:/# cscli collections install PlagueDoctor/audiobookshelf
FATA can't find 'PlagueDoctor/audiobookshelf' in collections
9968cf27da03:/#
```

I have also noticed that https://app.crowdsec.net/hub/author/PlagueDoctor/collections/audiobookshelf is pointing to a different GitHub user. This is obviously my mistake, as I have used PlagueDoctor instead of the handle plague-doctor :-( Sorry for that mistake. Will fix with another PR.

@LaurenceJJones
Contributor

Yes, this should all be resolved now via

https://app.crowdsec.net/hub/author/plague-doctor/collections/audiobookshelf

Dewwi pushed a commit that referenced this pull request Nov 29, 2024
* Add Audiobookshelf collection

* enhance: Add tests and extend parser to support non json output also

* enhance: Since we are parsing the application logs we can be more restrictive on failed attempts

* chore: run index workflow manually

---------

Co-authored-by: Laurence <[email protected]>
Dewwi pushed a commit that referenced this pull request Dec 4, 2024