CrowdSec7mo ago
mb

Are negative ban time values normal?

I was looking into the decision list with
sudo cscli decisions list -a
and I observed that there were some negative ban time values available
│ 14018 │ CAPI │ Ip:185.181.11.26 │ ssh:bruteforce │ ban │ │ │ 0 │ -10h32m49s │ 1 │
│ 14058 │ CAPI │ Ip:192.108.48.150 │ generic:scan │ ban │ │ │ 0 │ -8h32m49s │ 1 │
│ 14062 │ CAPI │ Ip:185.220.101.70 │ generic:scan │ ban │ │ │ 0 │ -8h32m49s │ 1 │
│ 14311 │ CAPI │ Ip:185.220.101.75 │ generic:scan │ ban │ │ │ 0 │ -7h32m49s │ 1 │
│ 14384 │ CAPI │ Ip:104.152.52.127 │ generic:scan │ ban │ │ │ 0 │ -12h32m49s │ 1 │
│ 14398 │ CAPI │ Ip:185.220.101.77 │ generic:scan │ ban │ │ │ 0 │ -8h32m49s │ 1 │
│ 14613 │ CAPI │ Ip:43.139.41.183 │ generic:scan │ ban │ │ │ 0 │ -7h32m49s │ 1 │
│ 14728 │ CAPI │ Ip:176.65.134.18 │ generic:scan │ ban │ │ │ 0 │ -10h32m49s │ 1 │
│ 14874 │ CAPI │ Ip:23.178.112.217 │ generic:scan │ ban │ │ │ 0 │ -11h32m49s │ 1
Not sure if this is normal and what this means. I set up CrowdSec as a multiserver architecture. I also already restarted the security engines and the bouncers multiple times. Especially after adding them to the LAPI.
5 Replies
CrowdSec
CrowdSec7mo ago
This post has been marked as resolved.
_KaszpiR_
_KaszpiR_7mo ago
It is used to remove existing entries. For example, CrowdSec detects an attack and adds it to bans for 24h, but then the attack stops and there are no more reported connections, so after, say, 8h it can unban the IP, but instead of letting the ban self-expire after 24h it may set the new time: positive if it is still thought of as a threat, or negative if it should be removed. The fact that those have such high negative values may mean the decision was to unblock it earlier but was not propagated (that's my wild guess).
Loz
Loz7mo ago
Yes, decisions can become a negative timespan, and when the database does a flush it will remove any entries that have negative timespans.
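Added example, not part of the thread and not CrowdSec's own code: a small Python parser that separates decisions whose remaining time is negative (already expired, waiting for the flush described above) from those still running. It assumes rows in the layout pasted in the question; the last sample row (ID 99001, a documentation address) is constructed for illustration.

```python
import re
from datetime import timedelta

# Go-style duration as shown in the listing, e.g. "-10h32m49s" or "3h27m11s".
DURATION = re.compile(r"^(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?$")

# Rows copied from the question, plus one constructed row with time remaining.
SAMPLE = """\
│ 14018 │ CAPI │ Ip:185.181.11.26 │ ssh:bruteforce │ ban │ │ │ 0 │ -10h32m49s │ 1 │
│ 14058 │ CAPI │ Ip:192.108.48.150 │ generic:scan │ ban │ │ │ 0 │ -8h32m49s │ 1 │
│ 14874 │ CAPI │ Ip:23.178.112.217 │ generic:scan │ ban │ │ │ 0 │ -11h32m49s │ 1
│ 99001 │ CAPI │ Ip:203.0.113.7 │ generic:scan │ ban │ │ │ 0 │ 3h27m11s │ 1 │
"""

def parse_duration(text):
    """Return a timedelta for a Go-style duration string, or None if it is not one."""
    m = DURATION.match(text)
    if not m or not any(m.group(i) for i in (2, 3, 4)):
        return None  # empty cell, plain number, or unrelated text
    sign, hours, minutes, seconds = m.groups()
    delta = timedelta(hours=int(hours or 0), minutes=int(minutes or 0),
                      seconds=float(seconds or 0))
    return -delta if sign else delta

def parse_rows(table_text):
    """Yield (decision_id, value, reason, remaining) for each data row."""
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        if len(cells) < 5 or not cells[0].isdigit():
            continue  # header, border or wrapped line
        # Locate the duration by format rather than by fixed column index.
        remaining = next((d for d in map(parse_duration, cells) if d is not None), None)
        if remaining is not None:
            yield int(cells[0]), cells[2], cells[3], remaining

def split_expired(table_text):
    """Return (active, expired) lists; expired rows have a negative remaining time."""
    active, expired = [], []
    for row in parse_rows(table_text):
        (expired if row[3] < timedelta(0) else active).append(row)
    return active, expired

if __name__ == "__main__":
    active, expired = split_expired(SAMPLE)
    for dec_id, value, reason, remaining in expired:
        print(f"{dec_id} {value} {reason}: expired {-remaining} ago")
    print(f"{len(active)} active, {len(expired)} expired")
```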
mb
mbOP7mo ago
Ok, great. Didn't know about that. Thank you very much for your help and response 😄
CrowdSec
CrowdSec7mo ago
Resolving Are negative ban time values normal? This has now been resolved. If you think this is a mistake please run /unresolve
