Contrib.social

[Meta] Roadmap to version 2.0

Open on Drupal.org →
Created on 23 April 2025, about 1 month ago

Problem/Motivation

This issue collects child issues with details about new features that should go into the next major update of the CrowdSec module. This is following some great discussions we've had at DrupalDevDays in Leuven and together with the brains behind CrowdSec. There is so much more potential in that platform that we should certainly leverage.

Remaining tasks

  1. More Signals

    Version 1 sends signals about bad IPs to CrowdSec on 2 different scenarios: when a crawler causes too many 4xx responses in a short period of time, and when Drupal core bans an IP because of flood control, i.e. too many failed logins from the same IP or for the same user account. Additional signals should easily be possible, if we manage to get other modules to integrate with this CrowdSec module. Examples are:
    1. Spammers
    2. Failed captchas
    3. Security safeguards

    Let's find as many modules possible and motivate them to integrate with us here. The benefit would then also be, that CrowdSec would start a Drupal-specific block list if there are significant more signals received. In return, all Drupal users could benefit from this extra list by getting banned IPs sooner.

  2. Signal Context

    Drupal currently only reports a bad signal for a specific IP address together with the timestamp and the scenario, which is either drupal/core-ban, or drupal/auth-bruteforce, or drupal/4xx-scan. The latest SDK from CrowdSec also supports context to be sent together with the signal. That will help a lot to better justify the severity of the signal and if enough trusted signals are received, the Drupal-specific block list will then start protecting Drupal sites sooner again.

    CrowdSec will provide us with the specification of what and how context can be signalled.
  3. Reporting

    CrowdSec is about to provide reports for each "engine", i.e. Drupal site in our case. This will tell the site owner details about the numbers and the nature of blocked site requests.
  4. Documentation and Promotion

    Much more documentation about how CrowdSec works is required, as well as how to set it up and how to create free or paid accounts on the CrowdSec platform. We then need to also promote this module much more, because it can help Drupal DevOps so much, i.e. nowadays also to block AI/LLM bots, that more and more cause real trouble and cost for site owners. The more Drupal signals we send back to CrowdSec to better Drupal-specific attacks can be identified and mitigated.
🌱 Plan
Status

Active

Version

1.1

Component

Documentation

Created by

🇩🇪Germany jurgenhaas Gottmadingen

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @jurgenhaas
  • Comment 26 days ago
    🇫🇷France rr404

    Some additional details for the context:
    - For a given signal you can add the $property["context"] when you use Watcher::buildSignal
    - "context is an array of objects : "context":[{"key":"exampleKey1","value":"exampleValue1"}]
    - you can pass multiple similar keys, for example for a scan alert you can pass all the target_uri that were part of the detection of this alert if you have them:
    - context":[{"key":"target_uri","value":"adminroot.php"},{"key":"target_uri","value":"user/edit.php"}]

    Here are the context keys that would be very good to have in signals:
    - "target_uri":"the HTTP path of the requests that were part of the scan alert. Ideally all the ones involved in the alert"
    - "user_agent":"User agent of the attacker"
    - "method":"the HTTP verb used GET, POST..."
    - "status": "the HTTP status returned or that would have been returned"
    -"target_user":"in case of bruteforce, the user(s) on which the addempts were made by the attacker"

  • Comment 26 days ago
    🇫🇷France rr404

    Other feature taht would be very usefull to users is to see some metrics of what has been blocked in order to perceive the value of both the detection of the plugin and the preemptive protection from the community blocklist

    The count of remediation actions by origin (name of the list that contained the IP to block) is already handled by the SDK

  • Comment 20 days ago
    🇩🇪Germany jurgenhaas Gottmadingen

    The expected enhancements don't seem to require a new major release, a new minor is sufficient for that. So, I changed the target version to 1.2 and created child issues for each of the 3 feature requests that should be implemented.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024