Whitelist not working?

Hi all, it seems like I've been getting my own IP banned even though I have a whitelist in place... My whitelist is placed in postoverflows; is that still ok, as I don't see it popping up in the metrics of my LAPI? I also have the whitelist installed on all servers in the distributed server setup; is that needed? Thanks!
name: me/FQDN-whitelists
description: "Dynamic whitelist using FQDN"
whitelist:
  reason: "Dynamic whitelist using FQDN"
  expression:
    - evt.Overflow.Alert.Source.IP in LookupHost("domain.com")
22 Replies
CrowdSec
CrowdSec7mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
iiamloz
iiamloz7mo ago
So if you run host <domain.com> you see the ip address you want to whitelist?
PintjesBier
PintjesBierOP7mo ago
Is 'host' a command? It's not found in the docker. But... the notification I'm getting does contain the correct IP, so it seems to resolve correctly. Though I also must say that even though I've been getting spammed with notifications that I've been banned, I'm still able to access everything like normal?
iiamloz
iiamloz7mo ago
host is a Unix command, but if you're running Windows it's the same as nslookup
the notification I'm getting does contain the correct IP, so it seems to resolve correctly.
What do you mean by this?
PintjesBier
PintjesBierOP7mo ago
You wanted to know if domain.com resolves to the correct IP, no? That it does; I've been getting spammed with notifications from crowdsec (upon banning an IP, mine in this case) with the correct IP.
iiamloz
iiamloz7mo ago
So a domain resolution in notifications doesn't mean it's the correct IP. If it was the correct IP you would be whitelisted. So again, if you run host or nslookup on the domain, do you see the IP you want to be whitelisted?
PintjesBier
PintjesBierOP7mo ago
I actually did not. I'm guessing due to Cloudflare proxying; I turned that off now.
iiamloz
iiamloz7mo ago
Yeah, having Cloudflare proxy turned on means it doesn't get the real IP. We outline the warnings when using this function: https://docs.crowdsec.net/docs/next/expr/ip_helpers/#lookuphosthost-string-string
PintjesBier
PintjesBierOP7mo ago
I guess I must've turned it on without thinking it through. I've had everything running fine for over a year.... So is it needed to have the whitelist on all servers? Or is just the LAPI fine?
iiamloz
iiamloz7mo ago
For postoverflow it has to be on all servers.
iiamloz
iiamloz7mo ago
Or if you wish you can just create a "profile" whitelist as a hacky workaround: https://docs.crowdsec.net/docs/next/log_processor/whitelist/create_lapi
LAPI | CrowdSec
LAPI based whitelists are not your traditional whitelists, as in they won't prevent an overflow from happening, but they will prevent a decision being made by the LAPI. This means log processors that forward alerts to the LAPI will not need to be configured individually to ignore certain conditions.
iiamloz
iiamloz7mo ago
Since it's an expression you can do the same LookupHost in the profile
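What the LAPI-side profile whitelist described above could look like, as an added example (not the poster's or the CrowdSec project's own configuration). It assumes domain.com is the dynamic-DNS name of the admin host, as in the thread's postoverflow whitelist, and that the name is not Cloudflare-proxied, so LookupHost returns the origin address rather than an edge address:

```yaml
# Added example: /etc/crowdsec/profiles.yaml with a whitelist profile placed
# BEFORE default_ip_remediation. Profiles are evaluated in order, so the
# whitelist must come first to stop a ban decision being created.
# "domain.com" is a placeholder for the admin host's FQDN (assumption).
name: whitelist_admin_fqdn
debug: false
filters:
  # Only IP-scoped alerts have a value LookupHost can be compared against.
  # LookupHost must resolve to the real client IP: a Cloudflare-proxied
  # name resolves to Cloudflare edge addresses and this filter never matches.
  - Alert.GetScope() == "Ip" && Alert.GetValue() in LookupHost("domain.com")
# No decision is emitted for a matching alert. Note the alert itself is still
# recorded by the LAPI (the overflow still happens); only the ban is suppressed.
decisions: []
# Stop evaluating further profiles so default_ip_remediation is never reached.
on_success: break
---
# Standard remediation profile (unchanged default): bans any other IP alert.
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
on_success: break
```

Because the filter runs on the LAPI, it only needs to exist on the LAPI host, not on each log processor; a manual `cscli decisions add` still bypasses it, as noted later in the thread.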
PintjesBier
PintjesBierOP7mo ago
Ah it's fine, only got 3 servers. Not like it's a lot of work to change, and also once they're set, they're set... Gonna test if it's working now. If I manually ban myself now using cscli decision add --ip x.x.x. will that actually ban me? Or will I still be whitelisted? I banned myself that way and can still access everything just fine...
iiamloz
iiamloz7mo ago
cscli decisions doesn't get influenced by whitelist, so it will still add a decision. So what bouncer / remediation are you using?
PintjesBier
PintjesBierOP7mo ago
nftables on my nginx reverse proxy VM
PintjesBier
PintjesBierOP7mo ago
It is still connected
iiamloz
iiamloz7mo ago
And is the domain you're going to proxied by Cloudflare?
PintjesBier
PintjesBierOP7mo ago
Yes
iiamloz
iiamloz7mo ago
If so, nftables can't see the real IP; it can only see the Cloudflare address
PintjesBier
PintjesBierOP7mo ago
But has the 'real IP headers' thingy in nginx
iiamloz
iiamloz7mo ago
Yeah, but nginx is layer 7 and nftables is layer 3, so it doesn't see them. So either you have to install a layer 7 remediation like the nginx one or disable Cloudflare proxy status
PintjesBier
PintjesBierOP7mo ago
Well rip, so I've been unsecure for months lmao. Makes sense now that u say it though