Introduction:
At ODOO4Projects, we recently encountered a persistent issue with attackers exploiting our services. These malicious actors used the sign-up and password reset forms to send spam emails, jeopardizing the reputation of our email domain. To counter this, we leveraged CrowdSec's powerful detection capabilities to create a custom scenario that detects these attacks by monitoring suspicious URL patterns in our logs.
Here's a step-by-step guide to implementing the solution.
The Attack Pattern:
Through log analysis, we identified the attack's starting point:
- The attacker scanned URLs containing our email address in patterns such as @odoo4projects.com or its encoded variant %40odoo4projects.com.
- These patterns appeared in access and error logs (http_access-log and http_error-log).
By focusing on this behavior, we could detect and block attackers early in their process.
To create this scenario just add the following yaml into the crowsecs scenarion directory: /etc/crowdsec/config/scenarios
type: trigger
format: 2.0
#debug: true
name: my/detect-odoo-4-projects-email-in-url
description: "Detect suspicious access to URLs containing Odoo4Projects email patterns."
filter: |
evt.Meta.log_type in ["http_access-log", "http_error-log"] and
(Lower(evt.Meta.http_path) contains "@odoo4projects.com" || Lower(evt.Meta.http_path) contains "%40odoo4projects.com")
groupby: "evt.Meta.source_ip"
blackhole: 2m
labels:
remediation: true
Explanation of Key Parameters:
- type: trigger: Defines this as a trigger scenario, activating upon detection of matching patterns.
- filter: Focuses on log events (http_access-log and http_error-log) where the HTTP path contains @odoo4projects.com or %40odoo4projects.com (case-insensitive).
- groupby: Groups events by source IP to identify attackers.
- blackhole: 2m: Bans detected IPs for 2 minutes, preventing repeated access.
- labels: Includes a remediation label to mark this as actionable.#
After restarting your crowdsec instance, you can check, if the scenario has been added with
cscli scenarios list
Conclusion:
Thanks to CrowdSec and a bit of custom configuration, we’ve successfully neutralized attempts to abuse our services by detecting and blocking attackers early in their workflow. This simple YAML-based approach has significantly improved the security of our Odoo instance.
If you're managing similar threats, adapting this scenario for your environment could save you time, protect your domain’s reputation, and secure your infrastructure.
Pro Tip: Regularly monitor and refine your scenarios as attack patterns evolve. CrowdSec’s flexibility and active community make it an invaluable tool for staying ahead of malicious actors.