Question about notifications
Does crowdsec offer what domain is being targeted for its notifications? Using npmplus the logs are now combined into one access.log, making it impossible to know what's being targeted and causing the ban.
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Would it be target_fqdn?
Looking at the npmplus parser (https://app.crowdsec.net/hub/author/ZoeyVid/log-parsers/npmplus-logs), the target domain will be stored in evt.Meta.target_fqdn.
You can update your notification template to add this information with {{ GetMeta . "target_fqdn"}}
I currently don't use the crowdsec templates, I use notifiarr. Will this still be possible on their end?
I don't know how notifiarr works :/
How does it get the information from crowdsec?

I cut out the api key of course
ok so you send everything, good
the FQDN will be in events[].meta[]
It's a list of key and value, the key will be target_fqdn
It might be a bit awkward to extract tho
how can I manually test if the notifications are getting the target_fqdn now?
I assume something like won't work; would the reason need to be changed?
So my example notifications are currently showing target_fqdn as my WAN IP. Is this normal for the http-bad-user-agent scenario?
not normal no, what does cscli alerts inspect -d <alert_id> show?
Also, you can replay a notification with cscli notifications reinject <alert_id>

There are 2 IPs in the alert:
- source_ip
- target_fqdn
Just to confirm, source_ip is your IP and target_fqdn is the IP of your webserver?
Shows my wan ip where I marked out
(your IP or the IP of the client that made the requests)
I don't recognize the source IP, I assumed that was where the attack came from. The target_fqdn is showing my public WAN IP (why I marked it out).
Yeah the source IP is showing as sharktech (where the attack came from)
ok
so that could be normal, the client probably queried the IP directly, without setting any host header
I was confused when you said "WAN IP" (ie, the parser somehow got confused and took the client IP as the target fqdn)
So it didn't target a specific host, and it targeted the whole IP?
How could I test it for a specific host to see if it's getting the correct fqdn? Without waiting? I tried using my Authentik-bf by banning my phone with multiple login fails but that didn't seem to give me a target fqdn either.
if you want, you can trigger an alert yourself (careful, you will get banned, so maybe stop your bouncer first) with something like curl https://<your_domain>/util/php/eval-stdin.php
Would it have to be curl or could I just type that into a search bar on my phone?
Authentik-bf works by reading the logs of authentik, so there's no domain information in it (the domain is extracted from the nginx logs)
you can do it from your phone
I will try that now then
Will doing cscli decisions list show the ban so I can remove it like normal?
yes
Thank you
That showed the target_fqdn as the domain name I used in the snippet you provided so I assume all is working correctly? If so this can be marked as closed
Yes so it will show when the key exists, by default it's an empty string.
So by default if it's not a host direct attack it'll revert to the WAN IP?
yes
basically, nginx will use the host header value as the target fqdn (it's not exactly that, but close enough 99% of the time)
Typically this only happens when a bot is crawling directly to your WAN, you should set up a server_name _; which is the default, which should either redirect to your fqdn or deny them.
I'm not sure I follow? Is this something I missed in my setup? Is this in the docs?
This is nginx configuration I'm talking about, not crowdsec. Maybe I just presumed you were using nginx.
ahh npmplus
I'm using npmPLUS
Is this still achievable?
there should be an option in npm that sets the default if no host is found
it's in the gui somewhere
I've never seen it. I guess I can ask the dev.
But what goes into there? I thought that was just a landing page?
Yeah but most likely you will want to do 404 or redirect, as typically you don't expect someone to go directly to your WAN
So just set that as a 404 page?
Yes
Hmm NPMplus has a new option: drop connection

Well either option is fine, I believe both will still end up in the log files, so either way it will still trigger a notification with the WAN IP if they go directly to it
So now it'll show my npm fqdn instead of the WAN IP for the target_fqdn? Or am I still not following?
it will show as long as they go to your FQDN, if they go directly to your WAN then there's nothing you can really do about it
Ok thanks Loz, while I've got you here, I know it's not a thread for it, but are there any updates on UniFi working?
The syslog acquisition "fix" got merged for 1.6.6, then once that is released, I can then move my attention to the parser itself
So likely the release after
The hub updates can happen at any time so it's not dependent on the CS release, it's just that to get the syslog acquisition to work we had to add an option to disable the magic parsers
Ok nice, I'll note the current version and keep an eye out for an update. Is there an option on the hub to be notified when there's an update?
If you follow the issue I will tag it when any fixes are being worked on or merged, so you'll get a notification from GH
#940
Yep
Resolving Question about notifications
This has now been resolved. If you think this is a mistake please run
/unresolve