NoBrute 1.1.0

There is a newer version of this package available.
See the version list below for details.
dotnet add package NoBrute --version 1.1.0                
NuGet\Install-Package NoBrute -Version 1.1.0                
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="NoBrute" Version="1.1.0" />                
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add NoBrute --version 1.1.0                
#r "nuget: NoBrute, 1.1.0"                
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install NoBrute as a Cake Addin
#addin nuget:?package=NoBrute&version=1.1.0

// Install NoBrute as a Cake Tool
#tool nuget:?package=NoBrute&version=1.1.0                

Nuget Downloads Paypal Donate Github

NoBrute (by Malte)

Simple and light bruteforce protection for .NET CORE 3.1+ This Lib will protect defined actions in your controllers in making them inefficient to be bruteforced for simple soulutions. It will append request times in ms if a local cache entry on the server was found for the same request & request name & method and the hit count reaches an defined limit (so called here: greenrequests) in an amount of time.

Requirements

NoBrute will require at least one IMemoryCache or IDistributedCache to be regisrted in your application. (Since for obvious reasons storing the info the session wont work cause bots will never send coookies along them)

Install

Using the nuget package manager:

Install-Package NoBrute

Using the dotnet cli:

dotnet add package NoBrute

Enable it in your application:

// Startup.cs

 public IServiceProvider ConfigureServices(IServiceCollection services) {
     
     // Use Memoory Cache:
    services.AddMemoryCache();
    // Or an distributed cache (NoBrute will prefer this if both registered)
     services.AddStackExchangeRedisCache(x =>
            {
                x.Configuration = "... ";
            }); // In this case we used for example redis

    services.AddNoBrute();
 }

Configuration

In order to use NoBrute there is no configuration required. Here is a JSON Example for your "appsettings.json" to configure NoBrute and what default values are used if the entry does not exists in you configuration:

{
"NoBrute": {
    "Enabled": true,
    "GreenRetries": 10,
    "IncreaseRequestTime": 20,
    "TimeUntilReset": 2,
    "TimeUntilResetUnit": "H",
    "StatusCodesForAutoProcess": [
      200
    ]
  }
}

Configuration Entries and their meanings

Configuration Entry Name Description Default Value Type
Enabled If true the NoBrute Service is enabled true Boolean
GreenRetries If this count of same requests is reached NoBrute will start appending request time by setting the thread to sleep for n ms 10 Integer
IncreaseRequestTime For each request that exceeds the GreenRetries entry number NoBrute will append n ms to the request 20 Integer
TimeUntilReset This in combination with TimeUntilResetUnit will declare the time when the saved request count for a user will be cleared so the user gets normal request times again 2 Integer
TimeUntilResetUnit This is the unit of time used for the value of TimeUntilReset. Possible values: Years = 'y', Days = 'd', Months = 'M', Hours = 'H', Minutes = 'i', Seconds = 's', Miliseconds = 'n' H (Hours) String
StatusCodesForAutoProcess This is for autoprocessing requests. (More details see below "Usage"). You can declare here what status codes of an IHttpAction will removed saved request automatically [ 200 ] Integer[]

Usage

The Action Filter Attribute (WebApi or MVC)

To protect an action you can use the "NoBruteAttribute". This is the simnple way.

Arguments:
Name Description
string requestName Gives an fixed name to the incoming request to better identify it. If null, empty nur not given NoBrute will use the RequestPath as name
bool autoProcess Indicated that the requests should be released / cleared when the configurated (See above) HTPPStatusCode is returned by the action. (Default: false)
Examples

Generated Name

[NoBrute]
public IHttpActionResult Login() {
    ...
}

*Generated Name with auto release

[NoBrute(true)]
public IHttpActionResult Login() {
    ...
}

Fixed Name

[NoBrute("MyFixedName")]
public IHttpActionResult Login() {
    ...
}

Fixed Name with auto release

[NoBrute("MyFixedName", true)]
public IHttpActionResult Login() {
    ...
}

The Service

If you have a more complex design to decide when a request should be checked or not you can also use the Service.

Inject Service

private readonly INoBrute nobrute;

public MyController(INoBrute nobrute) {
    this.nobrute = nobrute;
}

Use it in the method:

public IHttpActionResult MyAction() {
    if (1 > 0)  // or some if else logic
    {
        NoBruteRequestCheck check = this.nobrute.CheckRequest("MyActionRequestName");

        // Some more logic
    }
}

The "CheckRequest" Method will return an Object of type NoBruteRequestCheck. It will contain the flag "IsGreenRequest" and how much time to append to the request. Also some user infos like IP will be returned.

However you have to call the Thread.Sleep by yourself here. The Service will only release and check requests for you but never sleep the requests like the action attribute.

See more at /src/Domain/INoBrute.cs and /src/Models/NoBruteRequestCheck.cs in the Github Repository.

Contribute / Donations

If you got any Ideas to improve my projects feel free to send an pull request.

If you like my work and want to support me (or want to buy me a coffee/beer) paypal donation are more than appreciated.

Paypal Donate

Changelog

Version Changes
1.0.1 Updated Dependencies and added automated readme.md for nuget
1.0.0 Initial Release
Product Compatible and additional computed target framework versions.
.NET net5.0 is compatible.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

* Upgraded to .NET 5