CrowdSec•3mo ago
TornaxO7

Check if decision has been successfully taken?

I'm really unsure whether I've configured crowdsec to be fully functional now or not. So journalctl -u sshd -e contains messages like this:
Jun 03 02:47:01 server sshd-session[1760286]: Connection reset by authenticating user root 45.140.17.124 port 33492 [preauth]
Jun 03 02:47:01 server sshd-session[1760286]: Connection reset by authenticating user root 45.140.17.124 port 33492 [preauth]
cscli explain --log <the log entry> --type syslog gives me this:
line: Jun 03 02:47:01 server sshd-session[1760286]: Connection reset by authenticating user root 45.140.17.124 port 33492 [preauth]
├ s00-raw
| ├ 🔴 crowdsecurity/cri-logs
| ├ 🔴 crowdsecurity/docker-logs
| └ 🟢 crowdsecurity/syslog-logs (+12 ~9)
├ s01-parse
| ├ 🔴 LePresidente/authelia-logs
| ├ 🔴 LePresidente/grafana-logs
| └ 🟢 crowdsecurity/sshd-logs (+6 ~1)
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
| ├ 🟢 crowdsecurity/geoip-enrich (+13)
| ├ 🔴 crowdsecurity/http-logs
| └ 🟢 crowdsecurity/whitelists (unchanged)
├-------- parser success 🟢
├ Scenarios
├ 🟢 crowdsecurity/ssh-bf
├ 🟢 crowdsecurity/ssh-bf_user-enum
├ 🟢 crowdsecurity/ssh-slow-bf
└ 🟢 crowdsecurity/ssh-slow-bf_user-enum
line: Jun 03 02:47:01 server sshd-session[1760286]: Connection reset by authenticating user root 45.140.17.124 port 33492 [preauth]
├ s00-raw
| ├ 🔴 crowdsecurity/cri-logs
| ├ 🔴 crowdsecurity/docker-logs
| └ 🟢 crowdsecurity/syslog-logs (+12 ~9)
├ s01-parse
| ├ 🔴 LePresidente/authelia-logs
| ├ 🔴 LePresidente/grafana-logs
| └ 🟢 crowdsecurity/sshd-logs (+6 ~1)
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
| ├ 🟢 crowdsecurity/geoip-enrich (+13)
| ├ 🔴 crowdsecurity/http-logs
| └ 🟢 crowdsecurity/whitelists (unchanged)
├-------- parser success 🟢
├ Scenarios
├ 🟢 crowdsecurity/ssh-bf
├ 🟢 crowdsecurity/ssh-bf_user-enum
├ 🟢 crowdsecurity/ssh-slow-bf
└ 🟢 crowdsecurity/ssh-slow-bf_user-enum
so the parsers seem to detect (if I'm interpreting the output right) that this is an attack. However, if I do nft list ruleset | grep '45.140.17.124' I can't find an entry for it. Also I can't find a new alert entry in cscli alerts list. What could I have been doing wrong?
iiamloz
iiamloz•3mo ago
So most of our scenarios are a leaky bucket, meaning there must be multiple attempts to log in before an alert/decision is made; a single event does not mean bad behaviour (this is contextual to yourself, as you may be the sole person logging in, so you may want to be more aggressive). Our scenarios are designed to produce as few false positives as possible, which may not fit your threat model, so you can change the capacity of the scenarios to reduce the attempts before a decision is made.
TornaxO7
TornaxO7OP•3mo ago
Fair enough. Thank you
CrowdSec
CrowdSec•3mo ago
Resolving Check if decision has been successfully taken? This has now been resolved. If you think this is a mistake please run /unresolve
TornaxO7
TornaxO7OP•3mo ago
May I ask how I can be more aggressive? Would I have to write my own decisions? I can't see a way to "configure" the currently available decisions. Btw, thank you for answering my questions. I appreciate it.
iiamloz
iiamloz•3mo ago
You would have to edit the scenario directly; each one has a capacity and a leakspeed. You can think of the capacity as the attempts and the leakspeed as the time range. IMO most times you don't have to modify the leakspeed, so just reduce the capacity.
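The two answers above (a single event never fills a leaky bucket; capacity is the number of attempts, leakspeed the drain rate) can be seen concretely with a small simulation. The following is an added example written for this thread, not CrowdSec's own bucket code: it models a scenario as one bucket per source IP, adds one token per matching sshd line, drains one token per `leakspeed` seconds, and treats any event that pushes the count above `capacity` as an overflow (the point at which a real scenario would raise an alert). The regex, the `year` default and the log lines are constructed to match the message shape quoted in the question; the IPs are documentation addresses, not the one from the question.

```python
"""Simplified leaky-bucket model of a CrowdSec scenario (added example).

Assumptions (this is a model, not CrowdSec's implementation):
  * one token is added per matching event,
  * tokens drain continuously at one token per `leakspeed` seconds,
  * the bucket overflows when, after an event, it holds more than
    `capacity` tokens; an overflow empties the bucket.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Matches the sshd-session "Connection reset by authenticating user" line
# quoted in the question and captures its timestamp and source IP.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd(?:-session)?\[\d+\]: "
    r".*?authenticating user \S+ (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line: str, year: int = 2025) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, source_ip) for a recognised line, else None.

    syslog timestamps carry no year, so one is assumed (constructed value).
    """
    m = SSHD_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


@dataclass
class LeakyBucket:
    capacity: int          # attempts the bucket can hold before overflowing
    leakspeed: float       # seconds it takes for one token to drain
    tokens: float = 0.0
    last: Optional[datetime] = None

    def push(self, when: datetime) -> bool:
        """Add one event at time `when`; return True if the bucket overflowed."""
        if self.last is not None:
            elapsed = (when - self.last).total_seconds()
            self.tokens = max(0.0, self.tokens - elapsed / self.leakspeed)
        self.last = when
        self.tokens += 1
        if self.tokens > self.capacity:
            self.tokens = 0.0  # overflow empties the bucket, like a fresh scenario
            return True
        return False


def run_scenario(lines: List[str], capacity: int, leakspeed: float) -> Dict[str, int]:
    """Feed log lines into one bucket per source IP; return overflow counts per IP."""
    buckets: Dict[str, LeakyBucket] = {}
    overflows: Dict[str, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # lines the parser does not recognise never reach a bucket
        when, ip = parsed
        bucket = buckets.setdefault(ip, LeakyBucket(capacity, leakspeed))
        if bucket.push(when):
            overflows[ip] = overflows.get(ip, 0) + 1
    return overflows


# Constructed sample log: one lone reset (the question's situation), a burst
# of six resets in six seconds from a second IP, and a slow trickle of one
# reset every 30 seconds from a third IP.
SAMPLE_LOG = [
    "Jun 03 02:47:01 server sshd-session[1760286]: Connection reset by "
    "authenticating user root 203.0.113.9 port 33492 [preauth]",
] + [
    f"Jun 03 02:50:0{i} server sshd-session[1760{i}00]: Connection reset by "
    f"authenticating user root 198.51.100.7 port 4{i}000 [preauth]"
    for i in range(6)
] + [
    f"Jun 03 {hhmmss} server sshd-session[1770000]: Connection reset by "
    f"authenticating user root 192.0.2.5 port 50000 [preauth]"
    for hhmmss in ("02:55:00", "02:55:30", "02:56:00", "02:56:30")
]

if __name__ == "__main__":
    # Default-like tuning (capacity 5 / 10s) versus a more aggressive capacity.
    print("capacity 5, leakspeed 10s:", run_scenario(SAMPLE_LOG, 5, 10))
    print("capacity 2, leakspeed 10s:", run_scenario(SAMPLE_LOG, 2, 10))
```

With capacity 5 only the burst source overflows, and only once, on its sixth event; lowering the capacity to 2 makes the same burst overflow twice, while the lone reset and the slow trickle still never overflow because the bucket has drained before the next event arrives. That is the behaviour the answers describe: reducing capacity is what makes a scenario fire on fewer attempts, and leakspeed only matters when events are spread out.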
