"Not a Pentest" Trust-Anker: Dieser Guide dient ausschließlich zur Implementierung von Bedrohungserkennungssystemen. Keine Angriffswerkzeuge, keine illegalen Aktivitäten.
Moltbot Threat Detection: Live Monitoring Setup
Echtzeit-Bedrohungserkennung für Moltbot — von Falco Runtime Security über Prometheus Alerting bis hin zur automatisierten Incident Response.
🦅 Falco Runtime Security Rules
# falco-rules-moltbot.yaml
- rule: Moltbot Unexpected Network Connection
desc: Moltbot container öffnet unerwartete Netzwerkverbindung
condition: >
evt.type = connect
and container.name = "moltbot"
and not (fd.sport in (80, 443, 3000, 5432))
output: >
Unerwartete Verbindung von Moltbot
(user=%user.name container=%container.name
sport=%fd.sport dport=%fd.dport)
priority: WARNING
tags: [network, moltbot]
- rule: Moltbot Privilege Escalation Attempt
desc: Erkenne Privilege-Escalation-Versuche im Moltbot-Container
condition: >
evt.type in (setuid, setgid)
and container.name = "moltbot"
and not proc.name in (node)
output: >
Privilege Escalation in Moltbot-Container
(proc=%proc.name user=%user.name)
priority: CRITICAL
tags: [privilege_escalation, moltbot]📊 Prometheus Alerting Rules
# prometheus/alerts/moltbot-security.yml
groups:
- name: moltbot-security
rules:
- alert: MoltbotHighAuthFailureRate
expr: |
rate(moltbot_auth_failures_total[5m]) > 10
for: 2m
labels:
severity: warning
annotations:
summary: "Hohe Authentifizierungsfehlerrate"
description: "{{ $value }} Fehlschläge/s – möglicher Brute-Force-Angriff"
- alert: MoltbotSuspiciousAPIActivity
expr: |
rate(moltbot_api_requests_total{status="429"}[1m]) > 50
for: 1m
labels:
severity: critical
annotations:
summary: "Verdächtige API-Aktivität erkannt"
description: "{{ $value }} Rate-Limited Requests/s"
- alert: MoltbotDatabaseQueryAnomaly
expr: |
histogram_quantile(0.99, rate(moltbot_db_query_duration_seconds_bucket[5m])) > 5
for: 3m
labels:
severity: warning
annotations:
summary: "Anomale Datenbankabfrage-Latenz"
description: "P99 Latenz: {{ $value }}s"}⚡ Automatisierte Incident Response
// moltbot/lib/incident-response.ts
import { Redis } from '@upstash/redis';
const redis = new Redis({ url: process.env.UPSTASH_REDIS_REST_URL!, token: process.env.UPSTASH_REDIS_REST_TOKEN! });
export async function handleSecurityIncident(incident: {
type: 'brute_force' | 'injection' | 'anomaly';
ip: string;
severity: 'low' | 'medium' | 'high' | 'critical';
details: Record<string, unknown>;
}) {
// 1. IP blockieren bei kritischen Incidents
if (incident.severity === 'critical' || incident.severity === 'high') {
await redis.setex(`block:${incident.ip}`, 3600, '1');
}
// 2. Incident loggen
await redis.lpush('incidents', JSON.stringify({
...incident,
timestamp: new Date().toISOString(),
}));
// 3. Alert senden
if (incident.severity === 'critical') {
await fetch(process.env.SLACK_WEBHOOK_URL!, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
text: `🚨 CRITICAL Security Incident: ${incident.type} from ${incident.ip}`,
}),
});
}
}