NoBrute 2.1.0


NoBrute (by Malte)

Simple and lightweight brute-force protection for .NET 8.
This library will protect defined actions in your controllers by making them inefficient to brute-force.
It adds a delay, in milliseconds, to a request when a local cache entry on the server is found for the same request, request name, and method, and the hit count reaches a defined limit (referred to here as "green requests") within a specific time frame.

Requirements

NoBrute requires at least one IMemoryCache or IDistributedCache to be registered in your application. (For obvious reasons, storing the information in the session won't work because bots will never send cookies along with their requests.)

External Libraries
This library uses the following library to achieve its functionality:

Install

Using the NuGet package manager:

Install-Package NoBrute

Using the .NET CLI:

dotnet add package NoBrute

Enable it in your application:

// Startup.cs

public void ConfigureServices(IServiceCollection services) {
     
    // Use Memory Cache:
    services.AddMemoryCache();
    // Or a distributed cache (NoBrute will prefer this if both are registered)
    services.AddStackExchangeRedisCache(x =>
    {
        x.Configuration = "... ";
    }); // In this case, we used Redis as an example

    services.AddNoBrute();
}

Configuration

No configuration is required to use NoBrute. The following JSON example for your appsettings.json shows the available entries together with the default values that are used when an entry does not exist in your configuration:

{
  "NoBrute": {
    "Enabled": true,
    "GreenRetries": 10,
    "IncreaseRequestTime": 20,
    "TimeUntilReset": 2,
    "TimeUntilResetUnit": "H",
    "StatusCodesForAutoProcess": [
      200
    ]
  }
}

Configuration Entries and Their Meanings

| Configuration Entry Name | Description | Default Value | Type |
|---|---|---|---|
| Enabled | If true, the NoBrute service is enabled | true | Boolean |
| GreenRetries | If this count of the same requests is reached, NoBrute will start appending request time by setting the thread to sleep for n ms | 10 | Integer |
| IncreaseRequestTime | For each request that exceeds the GreenRetries entry number, NoBrute will append n ms to the request | 20 | Integer |
| TimeUntilReset | This, in combination with TimeUntilResetUnit, declares the time when the saved request count for a user will be cleared so the user gets normal request times again | 2 | Integer |
| TimeUntilResetUnit | This is the unit of time used for the value of TimeUntilReset. Possible values: Years = 'y', Days = 'd', Months = 'M', Hours = 'H', Minutes = 'i', Seconds = 's', Milliseconds = 'n' | H (Hours) | String |
| StatusCodesForAutoProcess | This is for auto-processing requests. (More details in the "Usage" section below.) You can declare here which status codes of an IHttpAction will remove saved requests automatically | [200] | Integer[] |
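
How the settings above interact, as an added sketch that is not NoBrute's own code. It assumes the delay grows linearly as (hits - GreenRetries) * IncreaseRequestTime, that the key is client IP plus request name plus method, and that the reset window starts at the first hit; ThrottleModel and the sample address are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Added illustration, not NoBrute's source. Assumption: linear delay of
// (hits - GreenRetries) * IncreaseRequestTime once GreenRetries is exceeded.
public sealed class ThrottleModel
{
    private readonly int greenRetries, increaseMs;
    private readonly TimeSpan resetAfter;
    private readonly Dictionary<string, (int Hits, DateTime FirstSeen)> entries = new();

    public ThrottleModel(int greenRetries = 10, int increaseMs = 20, TimeSpan? resetAfter = null)
    {
        this.greenRetries = greenRetries;
        this.increaseMs = increaseMs;
        this.resetAfter = resetAfter ?? TimeSpan.FromHours(2); // TimeUntilReset = 2, unit "H"
    }

    // Records one hit and returns the delay in ms that this request would get.
    public int Hit(string ip, string requestName, string method, DateTime now)
    {
        string key = $"{ip}|{requestName}|{method}";   // assumed key composition
        if (!entries.TryGetValue(key, out var e) || now - e.FirstSeen >= resetAfter)
            e = (0, now);                              // no entry yet, or the window elapsed
        e = (e.Hits + 1, e.FirstSeen);
        entries[key] = e;
        return Math.Max(0, e.Hits - greenRetries) * increaseMs;
    }

    // Models autoProcess: a status code in StatusCodesForAutoProcess clears the entry.
    public void Release(string ip, string requestName, string method) =>
        entries.Remove($"{ip}|{requestName}|{method}");
}

public static class Program
{
    public static void Main()
    {
        var model = new ThrottleModel();               // default values from the table
        var t0 = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc); // constructed timestamp
        long total = 0;
        for (int i = 1; i <= 1000; i++)                // 1000 hits from one constructed address
        {
            int delay = model.Hit("203.0.113.7", "Login", "POST", t0.AddSeconds(i));
            total += delay;
            if (i is 10 or 11 or 100 or 1000) Console.WriteLine($"attempt {i}: {delay} ms");
        }
        Console.WriteLine($"total added delay: {total / 1000.0:F1} s");
    }
}
```

Running the model with different GreenRetries and IncreaseRequestTime values shows how quickly the per-request delay builds up for an endpoint before you commit the values to appsettings.json.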

Usage

The Action Filter Attribute (Web API or MVC)

To protect an action, you can use the NoBruteAttribute.
This is the simple way.

Arguments:

| Name | Description |
|---|---|
| string requestName | Assigns a fixed name to the incoming request for better identification. If null, empty, or not given, NoBrute will use the RequestPath as the name. |
| bool autoProcess | Indicates that the requests should be released/cleared when the configured (see above) HTTP status code is returned by the action. (Default: false) |

Examples

Generated Name

[NoBrute]
public IHttpActionResult Login() {
    ...
}

Generated Name with Auto Release

[NoBrute(true)]
public IHttpActionResult Login() {
    ...
}

Fixed Name

[NoBrute("MyFixedName")]
public IHttpActionResult Login() {
    ...
}

Fixed Name with Auto Release

[NoBrute("MyFixedName", true)]
public IHttpActionResult Login() {
    ...
}

The Service

If you have a more complex design to decide when a request should be checked or not, you can also use the service.

Inject Service

private readonly INoBrute nobrute;

public MyController(INoBrute nobrute) {
    this.nobrute = nobrute;
}

Use it in the Method:

public IHttpActionResult MyAction() {
    if (1 > 0)  // or some if-else logic
    {
        // Counts this request under the given name and reports whether it is still "green"
        NoBruteRequestCheck check = this.nobrute.CheckRequest("MyActionRequestName");

        // Some more logic
    }

    return Ok();
}

The CheckRequest method will return an object of type NoBruteRequestCheck.
It will contain the flag IsGreenRequest and how much time to append to the request.
Additionally, some user information like IP will be returned.

However, you have to call Thread.Sleep yourself here. The service only checks and releases requests for you; unlike the action attribute, it never delays the request.

See more at /src/Domain/INoBrute.cs and /src/Models/NoBruteRequestCheck.cs in the GitHub repository.

Contribute / Donations

If you have any ideas to improve my projects, feel free to send a pull request.

If you like my work and want to support me (or want to buy me a coffee/beer), PayPal donations are more than appreciated.



* Updated to .NET 9.0
* Cleaned up code and removed unnecessary dependencies
* Added more detailed documentation and examples
* Improved nullability annotations
* Changed packages to be compatible with .NET 9.0