PumbaLP/adguardhome-dot

CrowdSec collection to detect and block DoT (DNS-over-TLS, port 853) scanners targeting AdGuard Home instances.

Installation

cscli collections install PumbaLP/adguardhome-dot

Then add to your acquisition config (e.g. acquis.yaml):

source: docker
container_name:
  - adguardhome
labels:
  type: adguardhome

What it detects

Port scanners and probers that connect to port 853 (DoT) without completing a proper TLS handshake. These appear as repeated connection reset by peer errors in AdGuard Home logs.

What it does NOT detect

DoQ (port 8853 or 853/udp) – no remote IP in logs
Direct DoH (port 443) – no remote IP in logs
DoH via Nginx reverse proxy – use crowdsecurity/nginx-logs instead

Tested against

AdGuard Home v0.107.x – confirmed working in production.

Components

Component	Type	Description
`PumbaLP/adguardhome-dot-errors`	Parser	Extracts remote IP from DoT connection reset errors
`PumbaLP/adguardhome-dot-scan`	Scenario	Bans after 5 resets in 10 minutes

Name		Name	Last commit message	Last commit date
Latest commit History 12 Commits
.tests/adguardhome-dot-errors		.tests/adguardhome-dot-errors
collections/PumbaLP		collections/PumbaLP
parsers/s01-parse/PumbaLP		parsers/s01-parse/PumbaLP
scenarios/PumbaLP		scenarios/PumbaLP
LICENSE		LICENSE
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

PumbaLP/adguardhome-dot

Installation

What it detects

What it does NOT detect

Tested against

Components

About

Uh oh!

Releases 1

Packages

Uh oh!

Contributors

Uh oh!

Folders and files

Latest commit

History

Repository files navigation

PumbaLP/adguardhome-dot

Installation

What it detects

What it does NOT detect

Tested against

Components

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases 1

Packages 0

Uh oh!

Contributors

Uh oh!

Packages