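# CrowdSec: detect and ban sources that repeatedly fail the TLS handshake
# against the Docker daemon (dockerd, mTLS on 2376).
#
# Three files are written below (parser, scenario, acquisition), then the
# parser is checked with `cscli explain` against real journal lines, and
# the scenario is checked end-to-end with a handful of bogus connections.
# The original notes opened each file in `vi`; here the same contents are
# written with a quoted heredoc so the backslashes in the grok patterns
# are not interpreted by the shell.

# --- parser (stage s01-parse) -------------------------------------------
# Matches dockerd's "http: TLS handshake error from <addr>:<port>: <why>"
# lines. The syslog parser in s00-raw is expected to have set
# evt.Parsed.program and evt.Parsed.message before this stage runs.
# Two grok nodes are needed because dockerd writes IPv6 peers in brackets
# ("[2a06::aa]:58605") and IPv4 peers bare ("20.168.109.236:44442"); the
# patterns are mutually exclusive, so only one node's statics apply.
cat > /opt/docker/crowdsec/config/parsers/s01-parse/docker_tls_handshake.yaml <<'EOF'
name: perrycox007/docker-tls-handshake
description: "Docker daemon TLS handshake error parser"
filter: "evt.Parsed.program == 'dockerd'"
onsuccess: next_stage
nodes:
  # IPv6 peer, written by dockerd as [addr]:port
  - grok:
      pattern: 'http: TLS handshake error from \[%{IP:source_ip}\]:%{INT:source_port}: %{GREEDYDATA:error_message}'
      apply_on: message
    statics:
      - meta: log_type
        value: docker_tls_attack
      - meta: service
        value: docker
      # evt.Meta.source_ip is what the scenario groups on
      - meta: source_ip
        expression: evt.Parsed.source_ip
  # IPv4 peer, written by dockerd as addr:port
  - grok:
      pattern: 'http: TLS handshake error from %{IP:source_ip}:%{INT:source_port}: %{GREEDYDATA:error_message}'
      apply_on: message
    statics:
      - meta: log_type
        value: docker_tls_attack
      - meta: service
        value: docker
      - meta: source_ip
        expression: evt.Parsed.source_ip
EOF

# --- scenario -------------------------------------------------------------
# Leaky bucket per source_ip: capacity 5, one event leaks every 5m, so a
# 6th handshake failure from the same address before the earlier ones have
# leaked overflows the bucket and (remediation: true) produces a ban.
# blackhole: the same source_ip is not alerted on again for 1h after an
# overflow; reprocess: the overflow event is fed back through the parsers
# so other scenarios can chain on it.
# Note: a legitimate client with a missing or wrong client certificate logs
# the same "client didn't provide a certificate" line and would be banned
# after the same threshold — keep operator/CI addresses on a whitelist.
cat > /opt/docker/crowdsec/config/scenarios/docker_tls_handshake_failures.yaml <<'EOF'
type: leaky
name: perrycox007/docker-tls-bf
description: "Detect Docker TLS handshake brute force attacks"
filter: "evt.Meta.log_type == 'docker_tls_attack'"
leakspeed: "5m"
capacity: 5
groupby: evt.Meta.source_ip
blackhole: "1h"
reprocess: true
labels:
  service: docker
  type: bruteforce
  remediation: true
EOF

# --- acquisition ----------------------------------------------------------
# Read docker.service entries from the host journal, which is mounted into
# the crowdsec container at /var/log/host/journal (hence the -D argument).
# labels.type: syslog selects the syslog parser chain, matching the
# --type syslog used with `cscli explain` below.
cat > /opt/docker/crowdsec/config/acquis.d/host-docker.yaml <<'EOF'
source: journalctl
journalctl_filter:
  - "-D"
  - "/var/log/host/journal"
  - "_SYSTEMD_UNIT=docker.service"
labels:
  type: syslog
EOF

# The running agent only loads parsers/scenarios/acquisitions at start-up;
# restart the crowdsec container before the end-to-end test further down.
# `cscli explain` reads the files from disk on each run and needs no restart.

# --- sample input: what dockerd actually logs (run on the host) -----------
journalctl -u docker --since today | grep -i tls
# Oct 09 00:55:03 server.fqdn.io dockerd[573847]: 2025/10/09 00:55:03 http: TLS handshake error from 20.168.109.236:44442: EOF
# Oct 09 00:55:04 server.fqdn.io dockerd[573847]: 2025/10/09 00:55:04 http: TLS handshake error from 20.168.109.236:45096: tls: first record does not look like a TLS handshake
# Oct 09 05:23:30 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:30 http: TLS handshake error from 167.94.145.103:42608: read tcp 188.245.xxx.xxx:2376->167.94.145.103:42608: read: connection reset by peer
# Oct 09 05:23:30 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:30 http: TLS handshake error from 167.94.145.103:42624: tls: client didn't provide a certificate
# Oct 09 05:23:30 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:30 http: TLS handshake error from 167.94.145.103:42638: tls: client didn't provide a certificate
# Oct 09 05:23:33 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:33 http: TLS handshake error from 167.94.145.103:42650: client sent an HTTP request to an HTTPS server
# Oct 09 05:23:36 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:36 http: TLS handshake error from 167.94.145.103:50292: client sent an HTTP request to an HTTPS server
# Oct 09 05:23:36 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:36 http: TLS handshake error from 167.94.145.103:50294: tls: first record does not look like a TLS handshake
# Oct 09 05:23:39 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:39 http: TLS handshake error from 167.94.145.103:50392: tls: client didn't provide a certificate
# Oct 09 05:23:41 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:41 http: TLS handshake error from 167.94.145.103:50400: tls: client didn't provide a certificate
# Oct 09 05:23:42 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:42 http: TLS handshake error from 167.94.145.103:55276: tls: client offered only unsupported versions: [302 301]
# Oct 09 05:23:43 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:43 http: TLS handshake error from 167.94.145.103:55288: tls: client offered only unsupported versions: [301]
# Oct 09 05:23:45 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:45 http: TLS handshake error from 167.94.145.103:55300: tls: client offered only unsupported versions: []
# Oct 09 05:28:51 server.fqdn.io dockerd[573847]: 2025/10/09 05:28:51 http: TLS handshake error from 147.185.133.94:56029: read tcp 188.245.xxx.xxx:2376->147.185.133.94:56029: read: connection reset by peer
# Oct 09 05:29:57 server.fqdn.io dockerd[573847]: 2025/10/09 05:29:57 http: TLS handshake error from 147.185.133.94:63718: tls: client didn't provide a certificate
# Oct 09 05:55:22 server.fqdn.io dockerd[573847]: 2025/10/09 05:55:22 http: TLS handshake error from 3.134.100.58:46348: EOF
# Oct 09 06:45:37 server.fqdn.io dockerd[573847]: 2025/10/09 06:45:37 http: TLS handshake error from 162.216.149.185:61954: tls: client didn't provide a certificate
# Oct 09 10:10:19 server.fqdn.io dockerd[573847]: 2025/10/09 10:10:19 http: TLS handshake error from 51.159.234.118:38676: tls: client offered only unsupported versions: []
# Oct 09 17:44:44 server.fqdn.io dockerd[573847]: 2025/10/09 17:44:44 http: TLS handshake error from 147.185.133.66:59424: tls: client didn't provide a certificate
# Oct 09 18:21:07 server.fqdn.io dockerd[573847]: 2025/10/09 18:21:07 http: TLS handshake error from 35.203.211.153:51876: read tcp 188.245.xxx.xxx:2376->35.203.211.153:51876: read: connection reset by peer
# Oct 09 18:22:51 server.fqdn.io dockerd[573847]: 2025/10/09 18:22:51 http: TLS handshake error from 35.203.211.153:63910: tls: client didn't provide a certificate
# Oct 09 19:31:46 server.fqdn.io dockerd[573847]: 2025/10/09 19:31:46 http: TLS handshake error from 20.168.7.129:48394: tls: first record does not look like a TLS handshake

# --- parser check: one line per error variant, plus two IPv6 lines --------
# Each run should end with the event in s01-parse carrying
# Meta.log_type=docker_tls_attack and Meta.source_ip set to the peer address.
docker exec crowdsec cscli explain --type syslog --verbose --log 'Oct 09 00:55:04 server.fqdn.io dockerd[573847]: 2025/10/09 00:55:04 http: TLS handshake error from 20.168.109.236:45096: tls: first record does not look like a TLS handshake'
docker exec crowdsec cscli explain --type syslog --verbose --log "Oct 09 05:23:39 server.fqdn.io dockerd[573847]: 2025/10/09 05:23:39 http: TLS handshake error from 167.94.145.103:50392: tls: client didn't provide a certificate"
docker exec crowdsec cscli explain --type syslog --verbose --log 'Oct 09 05:28:51 server.fqdn.io dockerd[573847]: 2025/10/09 05:28:51 http: TLS handshake error from 147.185.133.94:56029: read tcp 188.245.xxx.xxx:2376->147.185.133.94:56029: read: connection reset by peer'
docker exec crowdsec cscli explain --type syslog --verbose --log 'Oct 09 10:10:19 server.fqdn.io dockerd[573847]: 2025/10/09 10:10:19 http: TLS handshake error from 51.159.234.118:38676: tls: client offered only unsupported versions: []'
docker exec crowdsec cscli explain --type syslog --verbose --log 'Oct 08 10:40:45 server.fqdn.io dockerd[573847]: 2025/10/08 10:40:45 http: TLS handshake error from [2a06:4882:9000::aa]:58605: EOF'
docker exec crowdsec cscli explain --type syslog --verbose --log 'Oct 08 10:36:54 server.fqdn.io dockerd[573847]: 2025/10/08 10:36:54 http: TLS handshake error from [2a06:4882:9000::a5]:38487: tls: no cipher suite supported by both client and server'

#
# Test
#
# Interactive: connect about 10 times and press ENTER a few times on each
# connection; each one should produce a handshake-error line in the journal
# and, past the 5th within the leak window, an overflow of docker-tls-bf.
# The alert below is the tester's OWN address being banned (and then
# deleted by hand). Run this from a throwaway address, or whitelist your
# admin address in CrowdSec first, so you do not lock yourself out of the
# host while the ban is active.
#
#   10x $ telnet server.fqdn.io 2376
#         ENTER ENTER ENTER ENTER
docker exec crowdsec cscli alerts list -l 18
# | 11278 | Ip:84.165.xxx.xx | perrycox007/docker-tls-bf | DE | 3320 Deutsche Telekom AG | ban:1 | 2025-10-09T20:08:38Z |
# lift the self-inflicted ban
docker exec crowdsec cscli decisions delete -i 84.165.xxx.xx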