Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Audiobookshelf collection #1153

Merged
merged 4 commits into from
Nov 14, 2024
Merged

Add Audiobookshelf collection #1153

merged 4 commits into from
Nov 14, 2024

Conversation

plague-doctor
Copy link
Contributor

A collection to defend Audiobookshelf self hosted deployments against common attacks.

  • Add Audiobookshelf parser
  • Add Audiobookshelf scenario to detect brute force attacks

@LaurenceJJones
Copy link
Contributor

LaurenceJJones commented Nov 13, 2024
edited
Loading

Hey 👋🏻

Thank you for the PR, do you have any log lines we can add to some tests to ensure the parser works plus it will help us keep compatibility moving forward incase anything changes to crowdsec / patterns. You can redact any PII data (IP address, usernames) and provide a place holder EG: <ipaddress> and I can insert some fake data there.

Edit: plus a crowdsec team member is currently running this inside a homelab and seem you might have JSON logs? is this the default or a custom setting you have enabled?

@plague-doctor
Copy link
Contributor Author

Sure. Here you are:

{"timestamp":"2024-11-13 11:03:31.784","source":"Auth.js:888","message":"[Auth] Failed login attempt for username \"<username>\" from ip <ipaddress> (Invalid password)","levelName":"ERROR","level":4}
{"timestamp":"2024-11-13 09:07:05.896","source":"Auth.js:888","message":"[Auth] Failed login attempt for username \"Hfhh\" from ip <ipaddress> (User not found)","levelName":"ERROR","level":4}
{"timestamp":"2024-11-13 09:07:17.741","source":"Auth.js:888","message":"[Auth] Failed login attempt for username \"Hfhh\" from ip <ipaddress> (User not found)","levelName":"ERROR","level":4}
{"timestamp":"2024-11-13 11:03:31.784","source":"Auth.js:888","message":"[Auth] Failed login attempt for username \"<username>\" from ip <ipaddress> (Invalid password)","levelName":"ERROR","level":4}

Yes, this is a JSON log by default. There is no option to change the format.

@blotus
Copy link
Member

blotus commented Nov 14, 2024

Hey @plague-doctor,

How is audiobookshelf deployed ? I have an instance running in docker, and my logs are not in JSON (AFAIK, it's using a default configuration, and should be on the latest version):

[2024-11-13 09:54:35.882] ERROR: [Auth] Failed login attempt for username "fooobar" from ip 2a01:e0a:5b5:5cf1:f4b2:8900:482:39de (User not found) (Auth.js:888)

@LaurenceJJones
Copy link
Contributor

Hey 👋🏻

I extended the parser a little to support non-json logs as per @blotus has, added some tests (positive failed auths and postive authentication requests).

Can you take a look over my changes and if you are happy we can proceed.

@LaurenceJJones
Copy link
Contributor

Helps users with advplyr/audiobookshelf#2579

LaurenceJJones
LaurenceJJones approved these changes Nov 14, 2024
View reviewed changes
Copy link
Contributor

@LaurenceJJones LaurenceJJones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but is like signing my own homework, I let others approve from the team also

@LaurenceJJones LaurenceJJones merged commit 238067b into crowdsecurity:master Nov 14, 2024
2 checks passed
@LaurenceJJones
Copy link
Contributor

I merged since we added tests and all should be working.

Thank you @plague-doctor for creating the PR and your first contribution to the crowdsec hub.

You can now download the collection by running

sudo cscli collections install PlagueDoctor/audiobookshelf

if you get a not found you may need to run

sudo cscli hub update

before hand! I linked an issue from audiobookshelf, hopefully we be able to bring some light to this new collection and introduce new user to CrowdSec because of it 🎆

@LaurenceJJones
Copy link
Contributor

We are investigating an issue on our side, you changes are published, however, there currently issue downloading them remotely.

I will update this PR once we have it resolved.

@plague-doctor
Copy link
Contributor Author

plague-doctor commented Nov 14, 2024
edited
Loading

@blotus I run this in docker. As per this information: https://www.audiobookshelf.org/guides/server_logs#server-logs the logs are JSON. I vaguely remember they were a plain text a while ago, but it has changed.

By default, server log levels are set to Info. The 3 log levels in order of increasing information are Warn, Info, and Debug. Logs can be viewed in the web browser, but all logs are stored in /metadata/logs as JSON files.

@LaurenceJJones Thanks for taking care of quirks of grok configuration. Thanks a lot!

I am still unable to install with

cscli collections install PlagueDoctor/audiobookshelf

even after

cscli hub update

I get:

Failed to install collections/PlagueDoctor/audiobookshelf, running hub update before retrying
level=info msg="hub index is up to date"
level=fatal msg="can't find 'PlagueDoctor/audiobookshelf' in collections"

9968cf27da03:/# cscli hub update
INFO hub index is up to date                      
9968cf27da03:/# cscli collections install PlagueDoctor/audiobookshelf
FATA can't find 'PlagueDoctor/audiobookshelf' in collections 
9968cf27da03:/#

I have also noticed that https://app.crowdsec.net/hub/author/PlagueDoctor/collections/audiobookshelf
is pointing to a different GitHub user. This is obviously my mistake, as I have used PlagueDoctor instead the handler plague-doctor :-(
Sorry for that mistake. Will fix with another PR.

@LaurenceJJones
Copy link
Contributor

@blotus I run this in docker. As per this information: https://www.audiobookshelf.org/guides/server_logs#server-logs the logs are JSON. I vaguely remember they were a plain text a while ago, but it has changed.

By default, server log levels are set to Info. The 3 log levels in order of increasing information are Warn, Info, and Debug. Logs can be viewed in the web browser, but all logs are stored in /metadata/logs as JSON files.

@LaurenceJJones Thanks for taking care of quirks of grok configuration. Thanks a lot!

I am still unable to install with

cscli collections install PlagueDoctor/audiobookshelf

even after

cscli hub update

I get:

Failed to install collections/PlagueDoctor/audiobookshelf, running hub update before retrying
level=info msg="hub index is up to date"
level=fatal msg="can't find 'PlagueDoctor/audiobookshelf' in collections"

9968cf27da03:/# cscli hub update
INFO hub index is up to date                      
9968cf27da03:/# cscli collections install PlagueDoctor/audiobookshelf
FATA can't find 'PlagueDoctor/audiobookshelf' in collections 
9968cf27da03:/#

I have also noticed that https://app.crowdsec.net/hub/author/PlagueDoctor/collections/audiobookshelf is pointing to a different GitHub user. This is obviously my mistake, as I have used PlagueDoctor instead the handler plague-doctor :-( Sorry for that mistake. Will fix with another PR.

Yes this should all be resolved now via

https://app.crowdsec.net/hub/author/plague-doctor/collections/audiobookshelf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LaurenceJJones LaurenceJJones LaurenceJJones approved these changes

@buixor buixor buixor approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@plague-doctor @LaurenceJJones @blotus @buixor