Setting up captcha once per x time
Hello everyone,
Until now I’ve been banning everything that triggers crowdsec for 24 hours. However, I’ve come to the conclusion that http-crawl and http-non-static get triggered a lot, most of the time falsely. Disabling them feels like something I shouldn’t do. But I also want to make sure my users don’t get banned from loading my webpages. (Tips are welcome)
I was thinking of configuring crowdsec in such a way as to utilise captchas via cloudflare for these specific filters, instead of issuing a ban. But I want it to only trigger once per x time, I think…
I could use your guys’ two cents on this one.
Making use of crowdsec within a docker container with the nginx plug-in.
17 Replies
Anyone an idea?
Hey, we have an example in the documentation that shows you how you can trigger X captcha decisions per X timeframe:
https://docs.crowdsec.net/docs/next/local_api/profiles/captcha_profile
It's the second code block on the page.
Thanks for that Loz! Do you guys have recommendations on what would make most sense? I was thinking putting up the captcha (1 time) and if it happens again a ban.
Hi @iiamloz, I am a bit confused if my setup is still correct. I've been using crowdsec with SWAG reverse proxy for the longest time now. Decisions are getting through, people are getting banned and also shown the blocked page. However, I want to connect turnstile on my instance. Within the quick start guide: https://docs.crowdsec.net/u/bouncers/nginx it mentions that I need to edit (also create?) a file `crowdsec-nginx-bouncer.conf`. I do not have this file currently, so how are my decisions still coming through? Is this different in swag?
To give a bit more context, I am running the latest version of crowdsec, both crowdsec and swag RP are run from docker. I used to have this captcha setup on the cloudflare bouncer, when it was still being used.
I am unsure whether my setup is even completely functional still, or set up correctly. I used to also have a rule defined before that everything was an incremental ban, but I cannot seem to find this anymore.
I did read through the docs, but I'm just a bit overwhelmed.
I think I am referring to the default remediation? I used to have an issue where http-crawl and non-static would cause a lot of false positives; it has come back recently, so I wish to introduce a captcha for those. But looking at what is all new, I am very overwhelmed.
Yeah, so that file does exist within the swag container. I forget, does swag persist some data? If not it might be something that needs to be asked to the lsio team.
Yes it does
oh man I wonder where then
Running a find command in the directory and grep crowdsec might find it
So firstly we can edit profiles as per the docs I linked. This will start issuing captcha remediations.
However for swag to actually enforce these captcha we need to find that conf file.
Let me have a look
found it!
I do think it may be slightly outdated, so I need to update that.
My current file is:
Alright, so I changed the config, I should now have turnstile set up. I am unsure whether this needs to be filled in?
Besides that, I am going to try and set up a remediation. However, I could use your 2 cents on this.
From what I had in the past, a lot of the websites I host (overseerr, immich and the like) trigger a non-static and http crawl, which would ban the users. I've gone out of my way to spend a long time working on regular expressions to filter. However, all of my applications are protected by authentik, which is served as a subdomain in front for authentication. Realistically, would I need to act on these two in particular?
I've got BF protection set up, and it bans when triggered 5 times. It would be an issue for the captcha to be presented in this case, and my filters are pretty good so it never really triggers. But I've had a few occasions where the immich app would trigger the http-non-static or crawl, and it will block my app. Do you have suggestions on how I could potentially best handle this?
My setup is a bit dated perhaps, so I want to make sure I do it right.
Also, I am having a little issue understanding where the remediations are supposed to be created in the config? (https://docs.crowdsec.net/docs/next/local_api/profiles/captcha_profile/). Did this move over the past updates?
@iiamloz? :)
I am still confused by the above, could you help me out if you have the time? :)
Could you help me @iiamloz ? Or anyone else?
Hey, I don't have much time lately. Have you tried reading the docs? Can you give me a clear and short sentence about what is confusing if you cannot find it in said docs?
That's for CrowdSec's AppSec WAF and is not relevant to what you're trying to set up.
If you've added a profile for showing a captcha for http_probing and http_crawl and configured your bouncer to use Cloudflare turnstile, then everything should be working fine.
I’ll have a look.
My main issue though is how do I deal with captchas within something like Immich. If a captcha is presented, a user will not know..
That’s my main issue perhaps
This is a technical limitation of using an app rather than the web browser; there's not much we can do about it other than you don't ban based on the user agent sent by the immich client.
Hi, what provider are you guys using?