Detecting Suspicious IP Behavior and Impossible Travel
In this installment, we’ll demonstrate how you can leverage the same feature to detect impossible travel — that is, an account connecting from two different locations, far from each other, within a short amount of time. We will use the SSHD service again as the example for this article, but this feature can be used for any service that logs authentication.

Requirements

Set up the acquisition (optional)

As in part one, in this article we are running the CrowdSec Security Engine in replay mode. If you want to use service mode instead, you need to set up the acquisition:

    #/etc/crowdsec/acquis.yaml
    ---
    filenames:
      - /var/log/auth.log
    labels:
      type: syslog
    ---

Install the SSHD collection

You can find the collection here.

    sudo cscli collections install crowdsecurity/sshd

Parse successful authentication

As already seen in part one, this is the parser node that parses successful SSH authentication:

    #/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
    ---
    - grok:
        pattern: 'Accept...
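To make the "two distant locations in a short time" rule concrete before wiring it into a scenario, here is a stand-alone check over a few constructed auth.log lines. This is an added example, not code from this post or from the CrowdSec project: it parses the same "Accepted ... for USER from IP" lines the sshd parser above targets, looks each IP up in a small hypothetical GeoIP table (standing in for CrowdSec's GeoIP enrichment), and flags a user whose consecutive successful logins imply a travel speed above a threshold. The IPs, coordinates, timestamps and the 900 km/h threshold are all assumptions chosen for the example.

```python
"""Impossible-travel check over SSH 'Accepted' log lines.

Added example, not code from the CrowdSec post or project. A hard-coded
IP -> (lat, lon) table stands in for GeoIP enrichment; the log lines are
constructed samples using documentation-range IP addresses.
"""
import math
import re
from datetime import datetime

# Constructed sample auth.log lines (syslog timestamps carry no year).
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[1001]: Accepted publickey for alice from 203.0.113.10 port 50000 ssh2
Mar 10 08:20:05 host sshd[1002]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
Mar 10 08:21:00 host sshd[1003]: Accepted publickey for bob from 203.0.113.10 port 50002 ssh2
Mar 10 15:30:00 host sshd[1004]: Accepted publickey for bob from 203.0.113.20 port 50003 ssh2
"""

# Hypothetical GeoIP table; coordinates are approximate city centres chosen for the example.
GEOIP = {
    "203.0.113.10": (48.8566, 2.3522),    # roughly Paris
    "203.0.113.20": (51.5074, -0.1278),   # roughly London
    "198.51.100.7": (40.7128, -74.0060),  # roughly New York
}

# Matches the successful-login line shape the sshd parser's grok pattern targets.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_accepted(line, year=2024):
    """Return (user, ip, datetime) for a successful-auth line, or None otherwise."""
    m = ACCEPTED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return m["user"], m["ip"], ts


def find_impossible_travel(log_text, max_speed_kmh=900.0, geoip=GEOIP):
    """Flag consecutive successful logins per user whose implied speed exceeds max_speed_kmh.

    Returns a list of (user, previous_ip, ip, distance_km, hours_between).
    """
    last_seen = {}   # user -> (ip, timestamp) of the previous successful login
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_accepted(line)
        if parsed is None or parsed[1] not in geoip:
            continue  # not a successful login, or no location for this IP
        user, ip, ts = parsed
        if user in last_seen:
            prev_ip, prev_ts = last_seen[user]
            dist = haversine_km(geoip[prev_ip], geoip[ip])
            # Guard against a zero interval (two logins in the same second).
            hours = max((ts - prev_ts).total_seconds() / 3600.0, 1e-9)
            if dist / hours > max_speed_kmh:
                alerts.append((user, prev_ip, ip, round(dist, 1), round(hours, 3)))
        last_seen[user] = (ip, ts)
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print("impossible travel:", alert)
```

Run as written, alice is flagged (Paris to New York in about twenty minutes) while bob is not (Paris to London over seven hours). The threshold is deliberately a parameter: commercial flights sit under 900 km/h, but VPN egress points and mobile carrier NAT can move a legitimate user's apparent location hundreds of kilometres between sessions, so tune it and the per-user state against your own baseline rather than treating a single hit as proof of compromise.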