git-dumper requests not being blocked despite sensitive-files scenario
Hi all,
I have the CrowdSec + nginx bouncer setup on a server with a publicly accessible .git/ directory. I'm using git-dumper to simulate exploitation, but CrowdSec isn't blocking the requests.
The nginx logs are correctly parsed and enriched (cscli explain confirms this).
The sensitive-files scenario (crowdsecurity/http-sensitive-files) is installed.
git-dumper hits look like this:
cscli explain shows only the http-crawl-non_statics scenario matched, not http-sensitive-files.
 ├ s00-raw
 | ├ 🔴 crowdsecurity/syslog-logs
 | └ 🟢 crowdsecurity/non-syslog (+5 ~8)
 ├ s01-parse
 | └ 🟢 crowdsecurity/nginx-logs (+23 ~2)
 ├ s02-enrich
 | ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
 | ├ 🟢 crowdsecurity/geoip-enrich (+13)
 | ├ 🟢 crowdsecurity/http-logs (+7)
 | ├ 🟢 custom/whitelists (unchanged)
 | └ 🟢 crowdsecurity/whitelists (unchanged)
 ├-------- parser success 🟢
 ├ Scenarios
 | └ 🟢 crowdsecurity/http-crawl-non_statics
What could I be missing here? Do I need to customize the pattern list in the scenario? Or is this not covered by default?
Thanks!
The sensitive-files scenario is very limited and only looks for specific git files rather than a directory. IMO yes, CrowdSec can detect these, but it's better to simply block all requests to dot files within an nginx configuration such as:
Then CrowdSec doesn't need to be reactive and your web server configuration is proactively stopping all requests to .env and .git by default.
Got it, thanks.
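The nginx dot-file rule the reply above recommends, written out as an added example rather than the poster's own snippet; the server_name and root values are placeholders, and the /.well-known/ exception is an assumption so ACME HTTP-01 challenges keep working:

```nginx
# Added example: deny every dot-file and dot-directory (/.git/HEAD, /.env,
# /sub/.htpasswd) before the request reaches the application. The 403 is still
# written to the access log, so CrowdSec's nginx-logs parser keeps seeing the probe.
server {
    listen 80;
    server_name example.com;   # placeholder hostname
    root /var/www/app;         # placeholder document root

    # Regex locations take precedence over the "location /" prefix below.
    # The negative lookahead keeps /.well-known/ reachable (assumed ACME use).
    location ~ /\.(?!well-known/) {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check it with `nginx -t` before reloading, then confirm that a request for /.git/HEAD now returns 403 and shows up in the access log.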