{"id":48789462,"url":"https://github.com/zeljkovranjes/brute","last_synced_at":"2026-04-13T19:03:18.892Z","repository":{"id":251251696,"uuid":"834560671","full_name":"zeljkovranjes/brute","owner":"zeljkovranjes","description":"Brute an application that monitors authentication attempts on your server that uses OpenSSH or any protocol. May not be practical, but it is cool.","archived":false,"fork":false,"pushed_at":"2026-03-13T22:14:34.000Z","size":3441,"stargazers_count":9,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-14T02:41:56.603Z","etag":null,"topics":["application","bruteforce-logger","data","data-tracking","honeypot","ipinfo","rest-api","rust"],"latest_commit_sha":null,"homepage":"https://brute-web.zeljko.me","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zeljkovranjes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-27T16:34:50.000Z","updated_at":"2026-03-13T22:14:38.000Z","dependencies_parsed_at":"2024-08-11T23:52:58.132Z","dependency_job_id":null,"html_url":"https://github.com/zeljkovranjes/brute","commit_stats":null,"previous_names":["notpointless/brute","chomnr/brute","zeljkovranjes/brute"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/zeljkovranjes/brute","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zeljkovranjes%2Fbrute","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zeljkovranjes%2Fbrute/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zeljkovranjes%2Fbrute/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zeljkovranjes%2Fbrute/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zeljkovranjes","download_url":"https://codeload.github.com/zeljkovranjes/brute/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zeljkovranjes%2Fbrute/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31766486,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-13T15:25:13.801Z","status":"ssl_error","status_checked_at":"2026-04-13T15:25:09.162Z","response_time":93,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application","bruteforce-logger","data","data-tracking","honeypot","ipinfo","rest-api","rust"],"created_at":"2026-04-13T19:03:17.141Z","updated_at":"2026-04-13T19:03:18.879Z","avatar_url":"https://github.com/zeljkovranjes.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Brute\n[\u003cimg alt=\"github\" src=\"https://img.shields.io/badge/%20GitHub-chomnr%2Fbrute-orange\" height=\"20\"\u003e](https://github.com/chomnr/brute)\n[\u003cimg alt=\"os\" src=\"https://img.shields.io/badge/%20OS-Linux,%20Windows,%20MacOS-blue\" height=\"20\"\u003e](/)\n[\u003cimg alt=\"version\" src=\"https://img.shields.io/badge/%20Release-v2.0.0-green\" height=\"20\"\u003e](https://github.com/chomnr/brute/releases)\n\nBrute is a project for monitoring authentication attempts on servers using OpenSSH. It tracks and records each attempt and provides detailed information about the source of the attempt.\n\nCurrently, this project must use a specific version of OpenSSH. Unfortunately, the changes made may compromise the security of your server, so use with **caution**.\n\n- **Straightforward** — Simply call the endpoint `/brute/attack/add`, and Brute will log, analyze, and store the credentials for you.\n\n- **Extendable Metrics** — Brute allows developers to easily add or remove metrics as needed.\n\n- **Location Information** — In standalone mode, information is retrieved via the [IPinfo](https://ipinfo.io/) API. In Cloudflare Workers mode, geo data is read directly from the Cloudflare `cf` request object — no external API token required.\n\n- **WebSocket Support** — Brute supports WebSocket connections for real-time streaming. In standalone mode this uses actix-web-actors. In Workers mode this uses a hibernatable WebSocket Durable Object.\n\n- **Dual Deployment Mode** — Run as a standalone Tokio/Actix server backed by PostgreSQL, or deploy to Cloudflare Workers with D1 (SQLite) and Analytics Engine.\n\n\u003cdiv align=\"center\"\u003e \u003cimg src=\"./docs/img/in_action2.png\"\u003e \u003c/div\u003e\n\n---\n\n## Architecture\n\n```\nbrute/\n├── brute-core/       # Shared data models, validation, and trait definitions\n├── brute-http/       # Standalone server (Tokio + Actix, PostgreSQL, IPinfo)\n├── brute-worker/     # Cloudflare Workers (D1 + Analytics Engine + Durable Objects)\n├── brute-daemon/     # Traffic source daemon (SSH, FTP)\n└── migrations/\n    ├── postgres/     # PostgreSQL migration files (used by brute-http)\n    └── d1/           # SQLite schema files (used by brute-worker via wrangler)\n```\n\n### Crates\n\n| Crate | Purpose |\n|---|---|\n| `brute-core` | Shared models (`Individual`, `ProcessedIndividual`, all `Top*` structs), validation logic, and `BruteDb` / `BruteAnalytics` / `GeoProvider` trait definitions |\n| `brute-http` | Standalone HTTP server. Implements `BruteDb` via `PostgresDb` (sqlx), `GeoProvider` via `IpInfoProvider`, and `BruteAnalytics` via `PostgresAnalytics` (top_* tables) |\n| `brute-worker` | Cloudflare Worker. Implements `BruteDb` via `D1Db` (workers-rs D1 binding), `GeoProvider` via `CfGeoProvider` (cf request object), and `BruteAnalytics` via `AnalyticsEngine` |\n\n### Backend Comparison\n\n| Feature | brute-http (standalone) | brute-worker (Cloudflare) |\n|---|---|---|\n| Database | PostgreSQL (sqlx) | Cloudflare D1 (SQLite) |\n| Geo lookup | IPinfo.io HTTP API (token required) | Cloudflare `cf` object (free, built-in) |\n| Analytics | Aggregated `top_*` tables in PostgreSQL | Cloudflare Analytics Engine data points |\n| WebSocket | actix-web-actors (actor model) | Hibernatable WebSocket Durable Object |\n| Deployment | Docker / systemd / bare metal | `wrangler deploy` |\n| TLS | Managed via rustls + cert.pem/key.pem | Managed by Cloudflare automatically |\n\n---\n\n## Installation — Standalone (brute-http)\n\nThis installs `brute-http`, the standalone HTTP server that collects traffic from dummy servers.\n\n```sh\n# Download rustup\ncurl https://sh.rustup.rs -sSf | sh\n\n# Add Rust to PATH (restart shell or run:)\nsource \"$HOME/.cargo/env\"\n\n# Verify the installation\nrustc -V\n```\n\n### Non-Docker\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eShow instructions\u003c/b\u003e\u003c/summary\u003e\n\n1. Clone the repository:\n\n    ```sh\n    git clone https://github.com/chomnr/brute\n    ```\n\n2. Go into the `brute-http` directory:\n\n    ```sh\n    cd brute/brute-http\n    ```\n\n3. Set the following environment variables:\n\n    ```env\n    DATABASE_URL=postgresql://postgres:{password}@{host}/{database}\n    BEARER_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    IPINFO_TOKEN=xxxxxxxxxxxxxx\n    RUST_LOG=trace\n    RUST_LOG_STYLE=always\n    LISTEN_ADDRESS=0.0.0.0:7000\n    LISTEN_ADDRESS_TLS=0.0.0.0:7443\n    RUNNING_IN_DOCKER=false\n    # Optional — enables AbuseIPDB reputation scoring\n    ABUSEIPDB_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    ```\n\n4. Add your `cert.pem` and `key.pem` to the `/certs` folder inside `brute-http/`:\n\n    ```\n    Generate one from Cloudflare, Let's Encrypt, or OpenSSL.\n    If you don't want TLS, remove serve_tls() from main.rs.\n    ```\n\n5. Build and run:\n\n    ```sh\n    cargo build --release -p brute-http\n    # then run the executable, or:\n    cargo run -p brute-http\n    ```\n\n\u003c/details\u003e\n\n### Docker\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eShow instructions\u003c/b\u003e\u003c/summary\u003e\n\n1. Clone the repository:\n\n    ```sh\n    git clone https://github.com/chomnr/brute\n    ```\n\n2. Open the `DockerFile` and edit the environment variables:\n\n    ```env\n    ENV DATABASE_URL=postgresql://postgres:{password}@{host}:{port}/brute\n    ENV BEARER_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n    ENV IPINFO_TOKEN=xxxxxxxxxxxxxx\n    ENV RUST_LOG=trace\n    ENV RUST_LOG_STYLE=always\n    ENV LISTEN_ADDRESS=0.0.0.0:7000\n    ENV LISTEN_ADDRESS_TLS=0.0.0.0:7443\n    ENV RUNNING_IN_DOCKER=true\n    ```\n\n3. (Optional) Copy your `cert.pem` and `key.pem` into `brute-http/`:\n\n    ```\n    Required only if you want to run with TLS.\n    ```\n\n4. Build the image from the project root:\n\n    ```sh\n    docker build --pull --rm -f \"DockerFile\" -t brute:latest \".\"\n    ```\n\n5. Run the container:\n\n    ```sh\n    docker run --name brute -p 7000:7000 -p 7443:7443 --restart unless-stopped -d brute\n    # sqlx will apply migrations automatically on startup.\n    ```\n\n\u003c/details\u003e\n\n### Standalone Environment Variables\n\n| Variable | Required | Description |\n|---|---|---|\n| `DATABASE_URL` | Yes | PostgreSQL connection string |\n| `BEARER_TOKEN` | Yes | Secret token for API authentication |\n| `IPINFO_TOKEN` | Yes | IPinfo.io API token for geo lookup |\n| `LISTEN_ADDRESS` | Yes | HTTP bind address, e.g. `0.0.0.0:7000` |\n| `LISTEN_ADDRESS_TLS` | Yes | HTTPS bind address, e.g. `0.0.0.0:7443` |\n| `RUNNING_IN_DOCKER` | Yes | Set to `true` when running inside Docker |\n| `ABUSEIPDB_KEY` | No | AbuseIPDB API key — enables IP reputation scoring |\n| `RUST_LOG` | No | Log level (`trace`, `debug`, `info`, `warn`, `error`) |\n\n---\n\n## Installation — Cloudflare Workers (brute-worker)\n\n`brute-worker` deploys to the Cloudflare Workers edge network. It uses D1 for storage, Analytics Engine for aggregated event data, and a Durable Object for WebSocket broadcasting.\n\n### Prerequisites\n\n```sh\nnpm install -g wrangler\n# or use npx wrangler\n```\n\n### Setup\n\n1. Create a D1 database:\n\n    ```sh\n    wrangler d1 create worker_brute_d1\n    ```\n\n    Copy the `database_id` from the output and paste it into `brute-worker/wrangler.toml`:\n\n    ```toml\n    [[d1_databases]]\n    binding = \"worker_brute_d1\"\n    database_name = \"worker_brute_d1\"\n    database_id = \"YOUR_D1_DATABASE_ID\"   # \u003c-- paste here\n    ```\n\n2. Apply the D1 schema:\n\n    ```sh\n    wrangler d1 execute worker_brute_d1 --file=../migrations/d1/0001_initial_schema.sql\n    ```\n\n3. Set the bearer token secret:\n\n    ```sh\n    wrangler secret put BEARER_TOKEN\n    ```\n\n4. Deploy:\n\n    ```sh\n    cd brute-worker\n    npm run deploy\n    # or: wrangler deploy\n    ```\n\n### Workers Environment Variables / Bindings\n\n| Binding / Variable | Type | Description |\n|---|---|---|\n| `DB` | D1 binding | SQLite database via Cloudflare D1 |\n| `ANALYTICS` | Analytics Engine binding | Writes attack event data points |\n| `WS_BROADCASTER` | Durable Object binding | Manages WebSocket connections |\n| `BEARER_TOKEN` | Secret (var) | API authentication token |\n\nNo `IPINFO_TOKEN` is needed — geo data comes from the Cloudflare `cf` request object for free.\n\n### Local Development\n\n```sh\ncd brute-worker\nwrangler dev\n```\n\n---\n\n## API Endpoints\n\nBoth `brute-http` and `brute-worker` expose the same REST API.\n\nAll POST endpoints require a `Authorization: Bearer \u003cBEARER_TOKEN\u003e` header.\n\n### POST\n\n| Endpoint | Description |\n|---|---|\n| `POST /brute/attack/add` | Record an authentication attempt |\n| `POST /brute/protocol/increment` | Increment a protocol counter directly |\n\n### GET — Stats\n\n| Endpoint | Description |\n|---|---|\n| `GET /brute/stats/attack` | Recent processed attacks |\n| `GET /brute/stats/username` | Top usernames |\n| `GET /brute/stats/password` | Top passwords |\n| `GET /brute/stats/ip` | Top IPs |\n| `GET /brute/stats/protocol` | Top protocols |\n| `GET /brute/stats/country` | Top countries |\n| `GET /brute/stats/city` | Top cities |\n| `GET /brute/stats/region` | Top regions |\n| `GET /brute/stats/timezone` | Top timezones |\n| `GET /brute/stats/org` | Top organizations |\n| `GET /brute/stats/postal` | Top postal codes |\n| `GET /brute/stats/loc` | Top lat/lon locations |\n| `GET /brute/stats/combo` | Top username/password combinations |\n| `GET /brute/stats/combo/protocol` | Top combos filtered by protocol |\n| `GET /brute/stats/hourly` | Hourly attack counts |\n| `GET /brute/stats/daily` | Daily attack counts |\n| `GET /brute/stats/weekly` | Weekly attack counts |\n| `GET /brute/stats/yearly` | Yearly attack counts |\n| `GET /brute/stats/heatmap` | Attack heatmap (day × hour) |\n| `GET /brute/stats/subnet` | Top /24 subnets |\n| `GET /brute/stats/velocity` | Attack velocity (per minute, last hour) |\n| `GET /brute/stats/ip/seen` | IP first/last seen times |\n| `GET /brute/stats/ip/abuse` | AbuseIPDB scores |\n| `GET /brute/stats/summary` | Rolling stats summary |\n\n### GET — Export\n\n| Endpoint | Description |\n|---|---|\n| `GET /brute/export/blocklist` | Export top IPs as a blocklist. `?format=plain\\|iptables\\|nginx\\|fail2ban` |\n\n### WebSocket\n\n| Endpoint | Description |\n|---|---|\n| `GET /ws` | Connect to the real-time broadcast stream |\n\n---\n\n## Installation for Traffic Sources\n\nBefore installing, identify where you want to source your traffic. Two supported sources:\n\n- **OpenSSH** — patched version that calls Brute on each auth attempt\n- **Daemon** — custom daemon that listens on SSH, FTP, and other ports\n\n### Daemon\n\nSupports SSH and FTP. You can integrate any protocol by calling `/brute/attack/add` and specifying the protocol in the payload. Use this on a dummy server only.\n\nhttps://github.com/chomnr/brute-daemon\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eShow instructions\u003c/b\u003e\u003c/summary\u003e\n\n1. Clone:\n\n    ```sh\n    git clone https://github.com/chomnr/brute-daemon\n    cd brute-daemon\n    ```\n\n2. Build:\n\n    ```sh\n    cargo build --release\n    mv ~/brute-daemon/target/release/brute-daemon /usr/local/bin/brute-daemon\n    ```\n\n3. Create a systemd service:\n\n    ```sh\n    nano /etc/systemd/system/brute-daemon.service\n    ```\n\n    ```ini\n    [Unit]\n    Description=Brute Daemon\n    After=network.target\n\n    [Service]\n    ExecStart=/usr/local/bin/brute-daemon\n    Restart=always\n    User=root\n    WorkingDirectory=/usr/local/bin\n    StandardOutput=append:/var/log/brute-daemon.log\n    StandardError=append:/var/log/brute-daemon_error.log\n    Environment=\"ADD_ATTACK_ENDPOINT=https://example.com/brute/attack/add\"\n    Environment=\"BEARER_TOKEN=my-secret-token\"\n\n    [Install]\n    WantedBy=multi-user.target\n    ```\n\n4. Enable and start:\n\n    ```sh\n    systemctl daemon-reload\n    systemctl enable brute-daemon\n    systemctl start brute-daemon\n    systemctl status brute-daemon\n    ```\n\n\u003c/details\u003e\n\n### OpenSSH\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eShow instructions\u003c/b\u003e\u003c/summary\u003e\n\n1. Install build dependencies:\n\n    ```sh\n    sudo apt update \u0026\u0026 sudo apt upgrade\n    sudo apt install build-essential zlib1g-dev libssl-dev libpq-dev pkg-config\n    sudo apt install libcurl4-openssl-dev libpam0g-dev autoconf\n    ```\n\n2. Clone and build the patched OpenSSH:\n\n    ```sh\n    git clone https://github.com/chomnr/openssh-9.8-patched\n    cd openssh-9.8-patched\n    autoreconf\n    ./configure --with-pam --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh\n    make \u0026\u0026 make install\n    ```\n\n3. Replace the system SSH in `/lib/systemd/system/ssh.service`:\n\n    ```diff\n    -  ExecStartPre=/usr/sbin/sshd -t\n    -  ExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n    -  ExecReload=/usr/sbin/sshd -t\n    +  ExecStartPre=/usr/local/sbin/sshd -t\n    +  ExecStart=/usr/local/sbin/sshd -D $SSHD_OPTS\n    +  ExecReload=/usr/local/sbin/sshd -t\n    ```\n\n4. Verify: `ssh -V` should output `(Brute) OpenSSH_9.8...`\n\n5. Build and install the PAM module:\n\n    ```sh\n    git clone https://github.com/chomnr/brute_pam\n    cd brute_pam\n    cmake . \u0026\u0026 make\n    cp lib/brute_pam.so /lib/x86_64-linux-gnu/security/\n    ```\n\n6. Add to `/etc/pam.d/common-auth`:\n\n    ```diff\n    - auth    [success=1 default=ignore]      pam_unix.so nullok\n    + auth    [success=2 default=ignore]      pam_unix.so nullok\n    + auth    optional                        pam_brute.so\n    ```\n\n\u003c/details\u003e\n\n---\n\n## License\n\nThe MIT License (MIT) 2024 - Zeljko Vranjes. Please have a look at the [LICENSE.md](https://github.com/chomnr/brute/blob/main/LICENSE.md) for more details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzeljkovranjes%2Fbrute","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzeljkovranjes%2Fbrute","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzeljkovranjes%2Fbrute/lists"}