Hacker-Software/opencrm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security-Hardening Runde 10: Security-Monitoring + Alerting

Browse Source 
Defense-in-Depth für alles, was in den ersten 9 Runden nicht durch Code
verhindert wurde: zumindest gesehen + alarmiert werden.

📊 SecurityEvent-Tabelle (Prisma)
- Type/Severity/IP/User/Endpoint + Indexen für Filter+Threshold-Detection
- Trennt sich vom AuditLog: AuditLog ist forensisch + hash-gekettet,
  SecurityEvent ist optimiert für Realtime-Alerting + Aggregation.

🪝 Hooks an kritischen Stellen
- Login (Success/Failed) – auth.controller
- Logout, Password-Reset (Request + Confirm) – auth.controller
- Rate-Limit-Hit – middleware/rateLimit
- IDOR-403 – utils/accessControl (canAccessCustomer / canAccessContract)
- SSRF-Block – emailProvider.controller (test-connection + test-mail-access)
- JWT-Reject (alg=none, expired, manipuliert) – middleware/auth

🚨 Threshold-Detection + Alerting (securityAlert.service.ts)
- Cron jede Minute: prüft Brute-Force-Patterns je IP
  - 10× LOGIN_FAILED in 60 min  → CRITICAL Brute-Force-Verdacht
  -  5× ACCESS_DENIED in 5 min  → CRITICAL IDOR-Probing-Verdacht
  -  3× SSRF_BLOCKED in 60 min  → CRITICAL SSRF-Probing
  -  3× TOKEN_REJECTED HIGH in 5 min → CRITICAL JWT-Manipulation
- CRITICAL-Events: Sofort-Alert per E-Mail (debounced)
- Cron stündlich: Digest mit HIGH+MEDIUM-Events (wenn aktiviert)
- Sofort-Alert + Digest laufen über System-E-Mail-Provider
  (gleicher Pfad wie Geburtstagsgrüße, Passwort-Reset)

🖥 Frontend: Settings → "Sicherheits-Monitoring"
- Alert-E-Mail-Adresse + Digest-Toggle
- Test-Alert-Button + Digest-jetzt-Button
- Stats-Cards pro Severity (CRITICAL/HIGH/MEDIUM/LOW/INFO)
- Filter (Type/Severity/Search/IP) + Pagination
- Auto-Refresh alle 30 s
- Verlinkt aus Settings-Übersicht (settings:read Permission)

🧪 Live-verifiziert
- Login-Fehlversuch → LOGIN_FAILED Event
- Portal probt 4× fremde Customer-IDs → 4× ACCESS_DENIED
- SSRF-Probe (169.254.169.254) → SSRF_BLOCKED Event
- 12× LOGIN_FAILED simuliert → Cron erzeugt CRITICAL nach ≤60s
- CRITICAL-Sofort-Alert binnen 30s zugestellt
- Test-Alert-Button: E-Mail zugestellt
- Hourly-Digest mit 5 Events: E-Mail mit Tabelle zugestellt

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
duffyduck
2026-05-01 09:25:47 +02:00
parent 45fe270a38
commit 0cf3dd6a7b
17 changed files with 1188 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/src/controllers/monitoring.controller.ts
+164
View File
@@ -0,0 +1,164 @@
import { Response } from 'express';
import prisma from '../lib/prisma.js';
import { AuthRequest, ApiResponse } from '../types/index.js';
import * as appSettingService from '../services/appSetting.service.js';
import { sendAlertEmail, sendDigest } from '../services/securityAlert.service.js';
import type { SecurityEventType, SecuritySeverity } from '@prisma/client';
/**
* GET /api/monitoring/events
* Liste der Security-Events mit Filter + Pagination.
*/
export async function listEvents(req: AuthRequest, res: Response): Promise<void> {
try {
const page = parseInt((req.query.page as string) || '1');
const limit = Math.min(parseInt((req.query.limit as string) || '50'), 200);
const type = req.query.type as SecurityEventType | undefined;
const severity = req.query.severity as SecuritySeverity | undefined;
const search = req.query.search as string | undefined;
const since = req.query.since as string | undefined;
const ip = req.query.ip as string | undefined;
const where: any = {};
if (type) where.type = type;
if (severity) where.severity = severity;
if (ip) where.ipAddress = ip;
if (since) where.createdAt = { gte: new Date(since) };
if (search) {
where.OR = [
{ message: { contains: search } },
{ userEmail: { contains: search } },
{ endpoint: { contains: search } },
];
}
const [events, total, byType, bySeverity] = await Promise.all([
prisma.securityEvent.findMany({
where,
orderBy: { createdAt: 'desc' },
take: limit,
skip: (page - 1) * limit,
}),
prisma.securityEvent.count({ where }),
prisma.securityEvent.groupBy({
by: ['type'],
where: since ? { createdAt: { gte: new Date(since) } } : {},
_count: true,
}),
prisma.securityEvent.groupBy({
by: ['severity'],
where: since ? { createdAt: { gte: new Date(since) } } : {},
_count: true,
}),
]);
res.json({
success: true,
data: events,
pagination: { page, limit, total, totalPages: Math.ceil(total / limit) },
stats: {
byType: Object.fromEntries(byType.map((r: any) => [r.type, r._count])),
bySeverity: Object.fromEntries(bySeverity.map((r: any) => [r.severity, r._count])),
},
} as any);
} catch (error) {
console.error('listEvents error:', error);
res.status(500).json({ success: false, error: 'Fehler beim Laden der Security-Events' } as ApiResponse);
}
}
/**
* GET /api/monitoring/settings
*/
export async function getMonitoringSettings(_req: AuthRequest, res: Response): Promise<void> {
try {
const alertEmail = await appSettingService.getSetting('monitoringAlertEmail');
const digestEnabled = await appSettingService.getSettingBool('monitoringDigestEnabled');
const lastDigest = await appSettingService.getSetting('monitoringLastDigestAt');
res.json({
success: true,
data: {
alertEmail: alertEmail || '',
digestEnabled,
lastDigestAt: lastDigest || null,
},
} as ApiResponse);
} catch (error) {
res.status(500).json({ success: false, error: 'Fehler beim Laden' } as ApiResponse);
}
}
/**
* PUT /api/monitoring/settings
*/
export async function updateMonitoringSettings(req: AuthRequest, res: Response): Promise<void> {
try {
const { alertEmail, digestEnabled } = req.body || {};
if (typeof alertEmail === 'string') {
// Email-Validierung minimal: muss @ enthalten oder leer sein
if (alertEmail !== '' && !alertEmail.includes('@')) {
res.status(400).json({ success: false, error: 'Ungültige E-Mail-Adresse' } as ApiResponse);
return;
}
await appSettingService.setSetting('monitoringAlertEmail', alertEmail);
}
if (typeof digestEnabled === 'boolean') {
await appSettingService.setSetting('monitoringDigestEnabled', digestEnabled ? 'true' : 'false');
}
res.json({ success: true, message: 'Einstellungen gespeichert' } as ApiResponse);
} catch (error) {
res.status(500).json({ success: false, error: 'Fehler beim Speichern' } as ApiResponse);
}
}
/**
* POST /api/monitoring/test-alert
* Versendet eine Test-Alert-Mail an die konfigurierte Adresse.
*/
export async function testAlert(_req: AuthRequest, res: Response): Promise<void> {
try {
const alertEmail = await appSettingService.getSetting('monitoringAlertEmail');
if (!alertEmail) {
res.status(400).json({
success: false,
error: 'Keine Alert-E-Mail konfiguriert',
} as ApiResponse);
return;
}
const result = await sendAlertEmail(alertEmail, {
subject: '[OpenCRM] Test-Alert',
events: [{
type: 'SUSPICIOUS' as any,
severity: 'INFO' as any,
message: 'Dies ist eine Test-Mail vom Monitoring-System. Alles in Ordnung.',
createdAt: new Date(),
} as any],
isDigest: false,
});
if (result.success) {
res.json({ success: true, message: `Test-Alert an ${alertEmail} versendet` } as ApiResponse);
} else {
res.status(500).json({ success: false, error: result.error || 'Versand fehlgeschlagen' } as ApiResponse);
}
} catch (error) {
res.status(500).json({
success: false,
error: error instanceof Error ? error.message : 'Test-Alert fehlgeschlagen',
} as ApiResponse);
}
}
/**
* POST /api/monitoring/run-digest (manueller Trigger für den Hourly-Digest)
*/
export async function runDigestNow(_req: AuthRequest, res: Response): Promise<void> {
try {
const result = await sendDigest({ force: true });
res.json({ success: true, data: result } as ApiResponse);
} catch (error) {
res.status(500).json({
success: false,
error: error instanceof Error ? error.message : 'Digest fehlgeschlagen',
} as ApiResponse);
}
}