NoBrute 2.0.0
dotnet add package NoBrute --version 2.0.0
NuGet\Install-Package NoBrute -Version 2.0.0
<PackageReference Include="NoBrute" Version="2.0.0" />
paket add NoBrute --version 2.0.0
#r "nuget: NoBrute, 2.0.0"
// Install NoBrute as a Cake Addin #addin nuget:?package=NoBrute&version=2.0.0 // Install NoBrute as a Cake Tool #tool nuget:?package=NoBrute&version=2.0.0
NoBrute (by Malte)
Simple and light bruteforce protection for .NET 8 This Lib will protect defined actions in your controllers in making them inefficient to be bruteforced for simple soulutions. It will append request times in ms if a local cache entry on the server was found for the same request & request name & method and the hit count reaches an defined limit (so called here: greenrequests) in an amount of time.
Requirements
NoBrute will require at least one IMemoryCache or IDistributedCache to be regisrted in your application. (Since for obvious reasons storing the info the session wont work cause bots will never send coookies along them)
External Libraries This Library uses the following lib(s) fro archive its functionality:
Install
Using the nuget package manager:
Install-Package NoBrute
Using the dotnet cli:
dotnet add package NoBrute
Enable it in your application:
// Startup.cs
public IServiceProvider ConfigureServices(IServiceCollection services) {
// Use Memoory Cache:
services.AddMemoryCache();
// Or an distributed cache (NoBrute will prefer this if both registered)
services.AddStackExchangeRedisCache(x =>
{
x.Configuration = "... ";
}); // In this case we used for example redis
services.AddNoBrute();
}
Configuration
In order to use NoBrute there is no configuration required. Here is a JSON Example for your "appsettings.json" to configure NoBrute and what default values are used if the entry does not exists in you configuration:
{
"NoBrute": {
"Enabled": true,
"GreenRetries": 10,
"IncreaseRequestTime": 20,
"TimeUntilReset": 2,
"TimeUntilResetUnit": "H",
"StatusCodesForAutoProcess": [
200
]
}
}
Configuration Entries and their meanings
Configuration Entry Name | Description | Default Value | Type |
---|---|---|---|
Enabled | If true the NoBrute Service is enabled | true | Boolean |
GreenRetries | If this count of same requests is reached NoBrute will start appending request time by setting the thread to sleep for n ms | 10 | Integer |
IncreaseRequestTime | For each request that exceeds the GreenRetries entry number NoBrute will append n ms to the request | 20 | Integer |
TimeUntilReset | This in combination with TimeUntilResetUnit will declare the time when the saved request count for a user will be cleared so the user gets normal request times again | 2 | Integer |
TimeUntilResetUnit | This is the unit of time used for the value of TimeUntilReset. Possible values: Years = 'y', Days = 'd', Months = 'M', Hours = 'H', Minutes = 'i', Seconds = 's', Miliseconds = 'n' |
H (Hours) | String |
StatusCodesForAutoProcess | This is for autoprocessing requests. (More details see below "Usage"). You can declare here what status codes of an IHttpAction will removed saved request automatically | [ 200 ] | Integer[] |
Usage
The Action Filter Attribute (WebApi or MVC)
To protect an action you can use the "NoBruteAttribute". This is the simnple way.
Arguments:
Name | Description |
---|---|
string requestName | Gives an fixed name to the incoming request to better identify it. If null, empty nur not given NoBrute will use the RequestPath as name |
bool autoProcess | Indicated that the requests should be released / cleared when the configurated (See above) HTPPStatusCode is returned by the action. (Default: false) |
Examples
Generated Name
[NoBrute]
public IHttpActionResult Login() {
...
}
*Generated Name with auto release
[NoBrute(true)]
public IHttpActionResult Login() {
...
}
Fixed Name
[NoBrute("MyFixedName")]
public IHttpActionResult Login() {
...
}
Fixed Name with auto release
[NoBrute("MyFixedName", true)]
public IHttpActionResult Login() {
...
}
The Service
If you have a more complex design to decide when a request should be checked or not you can also use the Service.
Inject Service
private readonly INoBrute nobrute;
public MyController(INoBrute nobrute) {
this.nobrute = nobrute;
}
Use it in the method:
public IHttpActionResult MyAction() {
if (1 > 0) // or some if else logic
{
NoBruteRequestCheck check = this.nobrute.CheckRequest("MyActionRequestName");
// Some more logic
}
}
The "CheckRequest" Method will return an Object of type NoBruteRequestCheck. It will contain the flag "IsGreenRequest" and how much time to append to the request. Also some user infos like IP will be returned.
However you have to call the Thread.Sleep by yourself here. The Service will only release and check requests for you but never sleep the requests like the action attribute.
See more at /src/Domain/INoBrute.cs
and /src/Models/NoBruteRequestCheck.cs
in the Github Repository.
Contribute / Donations
If you got any Ideas to improve my projects feel free to send an pull request.
If you like my work and want to support me (or want to buy me a coffee/beer) paypal donation are more than appreciated.
Changelog
Version | Changes |
---|---|
2.0.0 | Upgraded to .net 8 |
1.2.1 | Fixed Bug with non-binary formatter and fixed cache bug |
1.2.0 | Migrated to .NET 6, Removed binary formatter |
1.1.0 | Migrated to .NET 5 |
1.0.1 | Updated Dependencies and added automated readme.md for nuget |
1.0.0 | Initial Release |
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. |
-
net8.0
- Microsoft.AspNetCore.Http (>= 2.2.2)
- Microsoft.AspNetCore.Mvc.Core (>= 2.2.5)
- Microsoft.Extensions.Caching.Abstractions (>= 8.0.0)
- Microsoft.Extensions.Configuration (>= 8.0.0)
- Microsoft.Extensions.Configuration.Binder (>= 8.0.2)
- Microsoft.Extensions.Configuration.FileExtensions (>= 8.0.1)
- Microsoft.Extensions.Configuration.Json (>= 8.0.1)
- Microsoft.Extensions.DependencyInjection (>= 8.0.1)
- Microsoft.Extensions.Logging.Abstractions (>= 8.0.2)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Upgraded to .NET 8.0 and updated dependencies