NoBrute 1.0.0

Simple and lightweight brute-force protection for .NET Core 3.1+.
This library protects selected actions in your controllers by making them inefficient to brute-force; it is intended as a simple solution.
It adds a delay (in ms) to a request when a cache entry on the server is found for the same request, request name and method, and the hit count reaches a defined limit (called "green requests" here) within a set amount of time.


NoBrute (by Malte)


Requirements

NoBrute requires at least one IMemoryCache or IDistributedCache to be registered in your application. (Storing the information in the session will not work, because bots never send cookies along with their requests.)

Install

Using the nuget package manager:

Install-Package NoBrute

Using the dotnet cli:

dotnet add package NoBrute

Enable it in your application:

// Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    // Use the in-memory cache:
    services.AddMemoryCache();

    // Or a distributed cache (NoBrute prefers this one if both are registered).
    // Redis is used here as an example.
    services.AddStackExchangeRedisCache(x =>
    {
        x.Configuration = "... ";
    });

    services.AddNoBrute();
}

Configuration

NoBrute works without any configuration. Here is a JSON example for your "appsettings.json" that configures NoBrute; it also shows the default values that are used when an entry does not exist in your configuration:

{
  "NoBrute": {
    "Enabled": true,
    "GreenRetries": 10,
    "IncreaseRequestTime": 20,
    "TimeUntilReset": 2,
    "TimeUntilResetUnit": "H",
    "StatusCodesForAutoProcess": [
      200
    ]
  }
}

Configuration Entries and their meanings

| Configuration Entry Name | Description | Default Value | Type |
|---|---|---|---|
| Enabled | If true, the NoBrute service is enabled | true | Boolean |
| GreenRetries | Once this count of identical requests is reached, NoBrute starts extending the request time by putting the thread to sleep for n ms | 10 | Integer |
| IncreaseRequestTime | For each request that exceeds the GreenRetries number, NoBrute appends n ms to the request | 20 | Integer |
| TimeUntilReset | Together with TimeUntilResetUnit, this sets the time after which the saved request count for a user is cleared, so the user gets normal request times again | 2 | Integer |
| TimeUntilResetUnit | The unit of time used for the value of TimeUntilReset. Possible values: Years = 'y', Days = 'd', Months = 'M', Hours = 'H', Minutes = 'i', Seconds = 's', Milliseconds = 'n' | H (Hours) | String |
| StatusCodesForAutoProcess | Used for auto-processing requests (for details see "Usage" below). Declares which status codes of an IHttpAction remove the saved requests automatically | [ 200 ] | Integer[] |
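
How the settings above interact, shown as an added model that is not NoBrute's own code. It assumes the delay grows linearly with each hit past GreenRetries, a fixed reset window that starts at the first hit, and a cache key built from client address, request name and method; ThrottleModel, Check and Release are hypothetical names.

```csharp
using System;
using System.Collections.Generic;

// Added model of the behaviour described above; NOT NoBrute's source code.
// Assumptions: linear delay growth, fixed window that starts at the first hit.
public sealed class ThrottleModel
{
    // Defaults from the configuration table.
    private const int GreenRetries = 10, IncreaseRequestTime = 20;
    private static readonly TimeSpan TimeUntilReset = TimeSpan.FromHours(2);

    private readonly Dictionary<string, (int Hits, DateTime Expires)> cache =
        new Dictionary<string, (int Hits, DateTime Expires)>();

    // Keyed on server-side facts (address, name, method), never on a session cookie.
    private static string Key(string ip, string name, string method) => $"{ip}|{name}|{method}";

    // Counts the hit; returns whether it is still green and the delay in ms to apply.
    public (bool IsGreen, int DelayMs) Check(string ip, string name, string method, DateTime now)
    {
        string key = Key(ip, name, method);
        if (!cache.TryGetValue(key, out var e) || e.Expires <= now)
            e = (0, now + TimeUntilReset);   // first hit, or the window ran out
        e.Hits++;
        cache[key] = e;
        int over = e.Hits - GreenRetries;
        return over <= 0 ? (true, 0) : (false, over * IncreaseRequestTime);
    }

    // Models autoProcess on a configured status code (200 by default): drop the counter.
    public void Release(string ip, string name, string method) => cache.Remove(Key(ip, name, method));
}

public static class Demo
{
    public static void Main()
    {
        var model = new ThrottleModel();
        var t0 = new DateTime(2021, 1, 16, 12, 0, 0, DateTimeKind.Utc);  // constructed clock
        long totalMs = 0;
        for (int i = 1; i <= 100; i++)   // 100 failed attempts from one constructed address
            totalMs += model.Check("203.0.113.7", "Login", "POST", t0).DelayMs;
        Console.WriteLine($"delay added over 100 attempts: {totalMs} ms");
        Console.WriteLine(model.Check("203.0.113.7", "Login", "POST", t0.AddHours(3)));  // expired
        model.Release("203.0.113.7", "Login", "POST");
        Console.WriteLine(model.Check("203.0.113.7", "Login", "POST", t0.AddHours(3)));  // fresh
    }
}
```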

Usage

The Action Filter Attribute (WebApi or MVC)

To protect an action you can use the "NoBruteAttribute".
This is the simple way.

Arguments:

| Name | Description |
|---|---|
| string requestName | Gives a fixed name to the incoming request to better identify it. If null, empty or not given, NoBrute uses the RequestPath as the name |
| bool autoProcess | Indicates that the requests should be released / cleared when the configured (see above) HTTP status code is returned by the action. (Default: false) |

Examples

Generated Name

[NoBrute]
public IHttpActionResult Login() {
    ...
}

Generated Name with auto release

[NoBrute(true)]
public IHttpActionResult Login() {
    ...
}

Fixed Name

[NoBrute("MyFixedName")]
public IHttpActionResult Login() {
    ...
}

Fixed Name with auto release

[NoBrute("MyFixedName", true)]
public IHttpActionResult Login() {
    ...
}

The Service

If you have a more complex design to decide when a request should be checked or not you can also use the Service.

Inject Service

private readonly INoBrute nobrute;

public MyController(INoBrute nobrute) {
    this.nobrute = nobrute;
}

Use it in the method:

public IHttpActionResult MyAction() {
    if (1 > 0)  // or some if/else logic
    {
        // Counts this request and reports whether it is still a green request
        NoBruteRequestCheck check = this.nobrute.CheckRequest("MyActionRequestName");

        // Some more logic
    }

    return Ok();
}

The "CheckRequest" method returns an object of type NoBruteRequestCheck.
It contains the flag "IsGreenRequest" and how much time to append to the request.
Some user information, such as the IP, is returned as well.

However, you have to call Thread.Sleep yourself here. The service only checks and releases requests for you; unlike the action attribute, it never puts the request to sleep.

See more at /src/Domain/INoBrute.cs and /src/Models/NoBruteRequestCheck.cs in the GitHub repository.

Contribute

Feel free to use the issues page for feature requests / bug reports.
Pull requests that are connected to an issue are always welcome.

Changelog

Version Changes
1.0 Initial Release


NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version History

Version Downloads Last updated
1.0.0 129 1/16/2021