how to ban those
Hi, sorry, I'm a newbie to CrowdSec. May I ask how to ban those injects?

20 Replies
These seem to be just malformed HTTP requests which the webserver responds 400 to. It will be picked up by our default probing scenario, but they seem quite sparse, so you can craft your own scenario which can filter for status 400.
Any idea how to create scenarios?
Best place is to look at the scenarios we already have, like https://app.crowdsec.net/hub/author/crowdsecurity/scenarios/http-probing, then change the filter and name to match what you want, and then decide what you want the capacity to be. I advise keeping it leaky but setting capacity to 1 or 2, depending on whether you expect 400 status to be common.

We also have docs for scenarios: https://docs.crowdsec.net/docs/next/log_processor/scenarios/format
Academy course: https://academy.crowdsec.net/course/writing-parsers-and-scenarios
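The following is an added example of what such a custom scenario could look like; it is constructed for this thread and is not the hub's http-probing file. It assumes the webserver logs are already parsed by a standard CrowdSec HTTP parser (so evt.Meta.service, evt.Meta.http_status and evt.Meta.source_ip are populated) and uses a made-up name (myorg/http-400-probing). It follows the suggestion above: a leaky bucket with a small capacity, filtering on status 400 only.

```yaml
# Constructed example scenario, not the hub's own file.
# Assumes the http parser has filled evt.Meta.service / http_status / source_ip.
type: leaky
name: myorg/http-400-probing          # hypothetical name; use your own namespace
description: "Ban IPs that repeatedly send malformed requests (HTTP 400)"

# Only count HTTP events whose status is exactly 400 (the default probing
# scenario matches 404/403 as well, so this one is narrower).
filter: "evt.Meta.service == 'http' && evt.Meta.http_status == '400'"

# One bucket per source IP, so a single noisy client cannot fill a bucket
# shared with other clients.
groupby: "evt.Meta.source_ip"

# Small capacity as advised above: the bucket overflows (and the scenario
# triggers) once more 400s arrive than it can hold within the leak window.
# Raise this to 2 if occasional 400s from legitimate clients are expected.
capacity: 1
leakspeed: "10s"    # one event drains out of the bucket every 10 seconds

# After an overflow, ignore the same IP for 5 minutes so one burst does
# not produce a stream of duplicate alerts.
blackhole: 5m

labels:
  service: http
  type: scan
  remediation: true   # lets the default profile turn the alert into a ban decision
```

On a typical Linux install the file goes into the scenarios directory (usually /etc/crowdsec/scenarios/), after which the engine is restarted and `cscli scenarios list` should show it as enabled. Before relying on it, check `cscli alerts list` for a while to confirm it is not catching healthcheck traffic or other legitimate 400s, since with capacity 1 a single extra malformed request is enough to trigger it.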
Thanks a lot for the help.
I asked NPMplus; they asked me to ask CrowdSec. Is that normal?

This has nothing to do with CrowdSec, but it looks like a healthcheck imposed by a container?
I have no idea... haha. It's OK, at least it's not a risk.

Hi, may I ask why I sometimes get a duplicate ban for a single IP after updating to the latest?

Not only triggering 1 decision? It triggers both decisions on the latest version😅

@EP if you're using NPMPlus as your only remediation, remember that the packet is not fully blocked, and NPMPlus still responds with the ban status code, so there's a chance it can retrigger scenarios over and over.
Any chance to fix that?
You can't really fix it, as that is the designed behaviour. If you want to fully block packets you need to install the firewall remediation and configure the DOCKER-USER chain. However, this only works if you don't use an upstream proxy like Cloudflare. If you use Cloudflare then there is no way to work around this.

Using the firewall bouncer, right?
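As an added illustration of the "configure the DOCKER-USER chain" step above (constructed for this thread, not the bouncer's shipped config), this is the relevant part of a crowdsec-firewall-bouncer configuration in iptables mode. The `iptables_chains` key is the bouncer's list of chains it inserts its rules into; adding DOCKER-USER is what makes the bans apply to traffic forwarded into Docker containers, since Docker's own FORWARD rules are evaluated before INPUT would ever see that traffic. The API key value is a placeholder.

```yaml
# Constructed excerpt of /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
# (iptables mode). Only the keys relevant to the DOCKER-USER point are shown.
mode: iptables
update_frequency: 10s
api_url: http://127.0.0.1:8080/          # assumes a local LAPI; adjust to yours
api_key: <REPLACE_WITH_BOUNCER_API_KEY>  # placeholder, generated with `cscli bouncers add`

# Chains the bouncer hooks its deny rules into. INPUT covers traffic to the
# host itself; DOCKER-USER is evaluated before Docker's own forwarding rules,
# so containers published via docker are covered too. Without it, a ban only
# takes effect at the proxy (NPMPlus), which still answers the request.
iptables_chains:
  - INPUT
  - FORWARD
  - DOCKER-USER

deny_action: DROP   # drop silently rather than REJECT, so nothing is sent back
deny_log: false
```

After restarting the bouncer, `iptables -L DOCKER-USER -n` should show the bouncer's rule referencing its ipset at the top of the chain. As noted above, this only helps for hosts reached directly: behind Cloudflare's proxy the source seen by iptables is Cloudflare's address, so the DOCKER-USER rule cannot match the real client.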

But may I ask, if the firewall added the decision, can the banned user still access the ban page?
The second image.


But as stated, are you using Cloudflare or any CDN in front?
Some proxied, yes; some not.
Yes, so the ones with "proxy" enabled cannot be 100% blocked since Cloudflare is proxying them: on the firewall layer all it can see is Cloudflare's IP address (as that is how reverse proxies work). The ones with proxy off should be blocking.
Noted. Thanks for the help.
Resolving how to ban those
This has now been resolved. If you think this is a mistake please run /unresolve