Nextcloud, false positive, blocks users
Hello, I have two clients whose IP addresses are being blocked while performing legitimate tasks. I was wondering if it would be possible to set up a captcha or something similar to prevent this from blocking the users. I will provide the details of the two alerts.
So I would say that id 146008 is probably because they were banned and the client still attempted to request the resources. So we should focus on the GET / DELETE 404 stuff.
Can you see in the log file the actual requests that result in 404 responses?
also some of your requests may contain usernames fyi
i have this
I think the goal would just be to set up a captcha so as not to block users.
however, if the users are using apps like the nextcloud app it won't be able to show a captcha
question, do you already have the nextcloud whitelist installed?
As I see this should be covered by:
CrowdSec Console - Hub configuration
yes, we installed the nextcloud collection and put the log file in acquis.yaml
the log lines provided are from which log? as the alert shown above should be from a webserver like a reverse proxy or something.
it comes from a server on which several other nextclouds are hosted
The first one is really weird and I encountered it myself. why Nextcloud is returning a 401 for external is beyond me, but it's Nextcloud and it does a ton of weird stuff.
Anyways, here's the fix I used for it (Slightly modified so it can work for you)
# whitelist expression: the path is a regex, so it needs 'matches' rather than '=='
- evt.Meta.http_status == '401' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '^/apps/external/icons/[a-z0-9%]+\.ico$'
The first one is from the smartphone app loading external URLs, the other is for CardDav
should .ico be static files?
aah you're right, completely skipped my mind
yes it's true, it's really weird, I thought the same thing.
nextcloud.log
I just saw that OP doesn't have the .ico file extension
this one should work:
- evt.Meta.http_status == '401' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/apps/external/icons/'
@iiamloz Would it introduce a bypass if the 401-bf scenario ignored static files?
I can't think of any application that handles authentication on a static file
this situation is completely crazy serious 😂
Nextcloud is honestly pretty jank
you'll quickly learn that when you add any kind of security tool to protect Nextcloud
also i dunno if it's the same plugin but they issued an update to fix 404 on photos
https://github.com/nextcloud/contacts/issues/3021
(GitHub: Lot of 404 errors / CrowdSec ban me · Issue #3021 · nextcloud/contacts)
https://github.com/nextcloud/external
(GitHub: nextcloud/external - Embed external sites in your Nextcloud)
and I wouldn't expect a timely fix on Nextcloud's part, so imo it's best if CrowdSec updates the 401-bf scenario to ignore static files. I can open a PR if you want
the external website appears in the Nextcloud frame
woah, hopefully it's pretty secure 😄
Nextcloud has CSP so it actually might be safe
It reassures me that the problem doesn't come from our CrowdSec installation. Because when I inspected the logs, I was like "wtf, CrowdSec is just doing its job, what are the users doing to get banned like this?"
well yes and no, the root of the problem here is that Nextcloud isn't properly returning the correct status codes.
No need to conform to web standards :kappa:
what are web standards? /s
for people who follow rules.... we break rules here
for alert 17435, this should work?
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'DELETE' && evt.Meta.http_path startsWith '/remote.php/dav/addressbooks/users/'
it should be covered by the Nextcloud whitelist, do you have it installed?
CrowdSec Console - Hub configuration
ye
ok so what does your server setup look like, do you have a reverse proxy, or just a web server?
simply the web server
hm... strange, what do you get when you run this?
sudo cscli hub list | grep nextcloud
the only thing I can think of is that you forgot to reload CrowdSec when you installed it. try reloading it and if you still have issues come back here
by the way, you asked about captcha, what web server are you running?
oh wait I think I see it there, apache right?
ye
are you saying this because there are these lines?
because I've just deleted the scenario in question until I find a solution.
there's no captcha support for Apache right now, but a bouncer is being worked on for Apache so maybe soon™️
I mean
sudo systemctl reload crowdsec
Yes, I have been informed of this information.
You shouldn't handle false positives by deleting scenarios, you'll taint the collection and won't receive automatic updates for the collection, it's better if you:
1. Whitelist the false positive event (like I showed above)
2. Enable simulation mode and then disable it once you're confident you don't have any more false positives
okay, thanks for the tips
I've just had another false positive, this time from the calendar sync. It's crazy!
if it happens to anyone else, I've whitelisted it :
- evt.Meta.http_status == '401' && evt.Meta.http_verb in ['PUT', 'POST'] && evt.Meta.http_path startsWith '/remote.php/dav/calendars/'