# Intrusion Detection

The intrusion detection feature monitors authentication failures by source IP address and raises alerts when suspicious patterns are detected.

Intrusion detection is configured under `strongbox authentication intrusion-detection`.
## How it works

Failed authentication attempts — userpass login, JWT authentication, and invalid token use — are counted per source IP within a configurable sliding time window. When the count exceeds the configured threshold, an alert is published to the `system:alerts` Volga topic.

Three alert types are defined:

- `failed-userpass-attempts` — repeated failed password logins from the same IP address across multiple usernames; may indicate credential stuffing or password spraying
- `failed-jwt-attempts` — repeated failed JWT authentications from the same IP address; may indicate a brute-force attack
- `failed-token-attempts` — repeated use of invalid tokens from the same IP address; may indicate token guessing
## Enabling intrusion detection

Intrusion detection is enabled by default. To explicitly configure it:

```shell
supctl merge strongbox authentication intrusion-detection <<EOF
enabled: true
failure-window: 5m
alert-threshold: 10
EOF
```
This configuration raises an alert after 10 failed attempts from the same source IP address within any 5-minute window.
Note: In a multi-host cluster, each host tracks failures independently. The effective cluster-wide threshold is approximately `alert-threshold` multiplied by the number of hosts.
## Viewing alerts

Intrusion detection alerts are published to the `system:alerts` topic:

```shell
supctl do volga topics system:alerts consume --data-only
```

An example alert looks like:

```json
{
  "alert": "failed-userpass-attempts",
  "attempts": 12,
  "peer-ip": "198.51.100.42"
}
```
## Rate limiting

To reject excessive requests from a single IP address with HTTP 429 before authentication is even attempted:

```shell
supctl merge strongbox authentication intrusion-detection <<EOF
rate-limit-enabled: true
rate-limit-threshold: 30
EOF
```
This limits each source IP address to 30 requests per failure-window. Requests
beyond that threshold receive HTTP 429 until the window expires.
## Inspecting current state

To see which IP addresses are currently being tracked:

```shell
supctl show strongbox authentication intrusion-detection
```

Example output:

```yaml
enabled: true
failure-window: 5m
alert-threshold: 10
rate-limit-enabled: false
rate-limit-threshold: 30
status:
  total-alerts-generated: 3
  tracked-ip-address-count: 1
  tracked-ip-addresses:
  - ip: 198.51.100.42
    alert-type: failed-userpass-attempts
    failure-count: 7
```

The `status` container reflects the state on the current host and resets on restart.
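As an added illustration (not code from the page or from the strongbox implementation), the Python model below reproduces the behaviour described under How it works, Rate limiting and the status container: per-IP sliding-window counts for the three failure kinds, an alert payload shaped like the example above, and the pre-authentication HTTP 429 gate. The class and method names, the single-host in-memory state, and the reading of "exceeds" as strictly greater than `alert-threshold` are assumptions.

```python
from collections import defaultdict, deque

# The three alert names documented on this page, keyed by the kind of failure.
ALERT_TYPES = {"userpass": "failed-userpass-attempts",
               "jwt": "failed-jwt-attempts", "token": "failed-token-attempts"}

class IntrusionDetector:
    """Single-host, in-memory per-IP sliding-window counter (constructed model; times in seconds)."""
    def __init__(self, failure_window=300, alert_threshold=10,
                 rate_limit_enabled=False, rate_limit_threshold=30):
        self.window, self.alert_threshold = failure_window, alert_threshold
        self.rate_limit_enabled = rate_limit_enabled
        self.rate_limit_threshold = rate_limit_threshold
        self.failures = defaultdict(lambda: defaultdict(deque))  # ip -> kind -> times
        self.requests = defaultdict(deque)                        # ip -> request times
        self.alerts = []  # stands in for publication to the system:alerts topic

    def _prune(self, dq, now):
        while dq and now - dq[0] >= self.window:  # slide the window forward
            dq.popleft()

    def check_request(self, ip, now):
        """Pre-authentication gate: 429 once an IP has used rate_limit_threshold requests in the window."""
        dq = self.requests[ip]
        self._prune(dq, now)
        if self.rate_limit_enabled and len(dq) >= self.rate_limit_threshold:
            return 429
        dq.append(now)
        return 200

    def record_failure(self, ip, kind, now):
        """Count one failed attempt of `kind`; return the alert payload once the count exceeds the threshold."""
        dq = self.failures[ip][kind]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) > self.alert_threshold:  # "exceeds" read as strictly greater (assumption)
            alert = {"alert": ALERT_TYPES[kind], "attempts": len(dq), "peer-ip": ip}
            self.alerts.append(alert)
            return alert
        return None

    def status(self, now):
        """Shape of the documented `status` container for this host."""
        tracked = [{"ip": ip, "alert-type": ALERT_TYPES[k], "failure-count": len(dq)}
                   for ip, kinds in self.failures.items()
                   for k, dq in kinds.items() if (self._prune(dq, now) or dq)]  # prune, keep non-empty
        return {"total-alerts-generated": len(self.alerts),
                "tracked-ip-address-count": len({t["ip"] for t in tracked}),
                "tracked-ip-addresses": tracked}
```

In a multi-host cluster each host would run its own instance of this state, which is why the note above puts the effective threshold at roughly `alert-threshold` times the host count.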
## Configuration reference

| Setting | Default | Description |
|---|---|---|
| enabled | true | Enable or disable intrusion detection |
| failure-window | 5m | Sliding window over which failures are counted |
| alert-threshold | 10 | Failures per IP address before an alert is raised |
| rate-limit-enabled | false | Reject excess requests with HTTP 429 |
| rate-limit-threshold | 30 | Max requests per IP address per failure-window |