cpanel-bf-attempt Configuration

« cpanel-bf-attempt »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:cpanelspoofable:0MITRE:T1110confidence:1

Detect bruteforce attempt on cpanel login

Installation

cscli scenarios install crowdsecurity/cpanel-bf-attempt

Description

Trigger alerts when this line is matched:

FAILED LOGIN cpaneld: brute force attempt (user cscpanel) has locked out IP 1.2.3.4

YAML Configuration

1type: trigger
2name: crowdsecurity/cpanel-bf-attempt
3description: "Detect bruteforce attempt on cpanel login"
4filter: "evt.Meta.log_type == 'auth_bf_attempt'"
5groupby: evt.Meta.source_ip
6blackhole: 5m
7labels:
8  confidence: 1
9  spoofable: 0
10  classification:
11   - attack.T1110
12  behavior: "http:bruteforce"
13  label: "cPanel Bruteforce"
14  service: cpanel
15  remediation: true

Hub configuration

« cpanel-bf-attempt »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:cpanelspoofable:0MITRE:T1110confidence:1

« cpanel-bf-attempt »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:cpanelspoofable:0MITRE:T1110confidence:1