IP banned, but I still receive alerts
An attacker keeps attacking one of my servers, his ip has been detected and banned by crowdsec but he can continue to attack. Why and how can I stop him from doing so? Scenario triggered : LePresidente/http-generic-403-bf
24 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Which remediations components are you using?
so far I've received 40 alerts from the same ip
Okay and is the webserver installed on host or a container?
host
hmmm, and which backend are you using for the bouncer?
Good question, what do you mean by ‘backend’?
if it using iptables or nftables, you can find this by
grep mode /etc/crowdsec/bouncers/*.yamlooooooooh, ok. it uses iptables. I tried to create an iptables rule in shorewall, but it doesn't seem to change anything
okay can you run
iptables -Lye
what do you want me to do next ?
within the output of
iptables -L do you see the chain on INPUT to jump to our chains?no
hmm okay, can you run
systemctl restart crowdsec-firewall-bouncer
and then recheck the output of iptables -L afterwardsokay, a CROWDSEC_CHAIN has just appeared
Okay do you have any external software that is manipulating the iptables chains?
ahhh I guess
shorewall is flushing the chains when it manipulates them and this is removing our chainhmmmmmm, maybe ye
I use shorewall on a lot of servers and I don't have this kind of problem.
As in you use the firewall remediation and shorewall ?
but interesting, I'll try to explore a bit more the sorewall and crowdsec part and how it impacts crowdsec
yes
cause now since the jump is in place, it will start blocking the IP's that crowdsec detects but if the chain is flushed then this will obviously cause an issue since its gone. The firewall remediation only inserts the jump chain on startup and currently doesnt monitor if it gets removed by an external source (this is something we want to do at some point as it can be confusing if it disapeers and you start getting lots of alerts)
okay, for the moment it seems to be working, I'll check on other servers if I have the same problem