Signals features for Module

Created a separate task at #3329780: Signal buffering to implement the buffering of signals.

The signals we can implement into a first release of this module should be these:

• Flood control: when a number of failed login attempts failed from either an IP or a user account, Drupal blocks that IP for a period of time. Number of attempts and period of time are configurable by the admin of the Drupal site. Proposed scenario name: drupal/flood_control
• Ban: Drupal site administrators can manually ban IP addresses for unlimited period of time. Proposed scenario name: drupal/ban
• Whisper: this feature doesn't exist yet, but could be implemented as part of CrowdSec such that a number of requests that lead to 4xx responses in a period of time would lead to a block. Proposed scenario name: drupal/whisper
• others could be added later

All of the above scenarios will already lead to a block of the IP by local measures. But we make it configurable, which of those scenarios should send signals upstream.

Also, all 3 scenarios will be added to the list for subscription.

@rr404 could you please review the proposed scenario names so that we can start implementing them?

All 3 scenarios are now fully implemented and can be reviewed.

* flood : if i'm not mistaken this is authentication flood, and this would trigger when attempts threshold is reached
** If so we could call it drupal/auth-bruteforce

Good call.

* ban : Could be named drupal/manual-ban

That's correct by default. But I just discovered the Perimeter module as @madclu pointed out in #3330098: Integration with Perimeter module which automatically bans IP addresses if they detect suspicious behaviour. Their banning will be recognized by this module as well, although it's then not manual banning anymore.

* whisper : could be split in 4xx signal and 5xx signals. drupal/4xx-error drupal/5xx-error

I'm fine with drupal/4xx-error but I'm not sure we should deal with any 5xx errors here. The 4xx errors are clearly bad behaviour by a client, but 5xx is bad server behaviour and should not lead to a potential ban.

That wouldn't help much because the Ban module is part of Drupal core and their API doesn't allow more than "just" ban or unban of an IP address. So, while any module (e.g. Perimeter or others) use that Ban API, that's all we can get - and I think that's OK as it falls under the drupal/generic-ban scenario.

If modules later wanted to become more sophisticated, that's fine. But then it needs integration without using the Ban API from Drupal core. I'm sure, we'll see a lot of requests for that once the community recognizes the CrowdSec integration. For our first release, I don't think we need to encourage that.

Please let me know when the scenario names got finalized, because then it is time for the first beta release, I guess.

Shall we go for these 3 then?

• drupal/auth-bruteforce
• drupal/core-ban
• drupal/4xx-scan (I'd rather use "4xx-scan" or "4xx-response" instead of "4xx-error")

Do you have to create them at your end before we can use them, or can we just use these, and they will then be present automatically?

Updated the scenario names and marked the issue as fixed.