Server Protection monitors various system resources to detect brute-force login attempts. The purpose of this project is to block such attempts to prevent unauthorized access.
It uses a plug-in architecture and can be extended to support various third-party tools.
The current builds focus on Windows (Server), where it should ideally be installed to run as a Windows service.
To support a wide range of machines, the API is split into two projects. Only one of them has to be installed. Each comes with a matching plug-in.
The SP.Api.Https project uses the REST protocol and can be hosted through IIS or other webservers that can host .NET Core. It contains all the api calls required for the project to work and is responsible for storing and exposing the data.
The SP.Api.gRPC project uses the gRPC protocol and can be hosted through IIS or other webservers that can host .NET Core, but also as a Windows Service. It contains all the api calls required for the project to work and is responsible for storing and exposing the data.
It's recommended to use the SP.Api.gRPC instead of the SP.Api.Https.
This project contains various individual components which are set up to work together. They are divided into SP.Core, APIs and plug-ins.
The base of Server Protection is the SP.Core project.
The Core is considered the base program and loads all enabled plug-ins. It should ideally be run as a service.
Contains all data models used by the project.
Server Protection comes with the following plugins:
Communicates with the SP.Api.Https when enabled.
Communicates with the SP.Api.gRPC when enabled.
Windows Only: Connects to the Event Log of Windows Server (requires administrative permissions) and fires an AccessAttempt event when it detects a login failure (event ID 4625).
Windows Only: Connects to the Event Log of Windows Server (requires administrative permissions) and fires an AccessAttempt and a BlockEvent event when it detects that a visitor requests specific paths through the web server.
Sets up a TCP listener on the configured ports and fires an AccessAttempt and a BlockEvent event when it detects that a visitor attempted a connection on one of those ports.
Reports the hacking attempt to www.abuseipdb.com.
Reports the hacking attempt to the SP.Overview site that's part of this solution.
Windows Only: Connects to the Windows Firewall and handles IP blocks/unblocks.
Simplified stress testing that simulates login failures at a very high rate.
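The Event Log plug-in above turns 4625 records into access attempts. The sketch below is an added example, not code from this project (which is .NET): it extracts the source address from a 4625 event's XML and applies a sliding-window threshold to decide when an address should be blocked. The threshold, the window, the function names and the sample events are assumptions made for illustration, and events are assumed to arrive in chronological order.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MAX_FAILURES = 3               # assumed threshold, not a project default
WINDOW = timedelta(minutes=5)  # assumed window, not a project default

def parse_4625(xml_text):
    """Return (time, source_ip, user) for a 4625 event, else None."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.findtext("e:EventID", namespaces=NS) != "4625":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    try:
        ip = ip_address(data.get("IpAddress", ""))
    except ValueError:          # "-" or empty: no remote address recorded
        return None
    if ip.is_loopback:          # never count (or block) the server itself
        return None
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    when = datetime.fromisoformat(stamp[:19])  # second precision is enough
    return when, str(ip), data.get("TargetUserName", "")

def make_event(event_id, stamp, ip, user="admin"):
    """Build a constructed sample event (not a real log record)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{stamp}.000000000Z"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

def blocked_addresses(events):
    """Addresses reaching MAX_FAILURES failed logons inside WINDOW."""
    seen, blocked = defaultdict(deque), []
    for when, ip, _user in filter(None, map(parse_4625, events)):
        hits = seen[ip]
        hits.append(when)
        while when - hits[0] > WINDOW:   # drop failures older than the window
            hits.popleft()
        if len(hits) >= MAX_FAILURES and ip not in blocked:
            blocked.append(ip)
    return blocked
```

Skipping loopback and missing addresses keeps local service-account failures from triggering a firewall block against the server itself.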
To provide diagnostics and offer central reporting, this project comes with an overview page that displays various statistics.
Provides an overview of the login attempts made on this server. It includes live data (if the LiveReport.SignalR plug-in is enabled) and various statistics related to the login attempts.
Contains the datasource for the SP.Overview project and exposes various statistics related to the login attempts, blocks, ISPs and more.
Uses DocFX to create all documentation of this project.
Shield icon taken from http://www.iconarchive.com/show/small-n-flat-icons-by-paomedia/shield-icon.html
https://www.serverprotection.dev
https://documentation.serverprotection.dev
- To handle attacks on a complete server park, Server Protection communicates through the SP.API project. This allows system administrators to protect multiple servers simultaneously when an attack is detected.
- Better support for Linux and Mac (by adding plug-ins specifically for these platforms)
- Look into https://otx.alienvault.com/