CrowdSec 3mo ago
mb

Are negative ban time values normal?

I was looking into the decision list with
sudo cscli decisions list -a
and I observed that there were some negative ban time values available
│ 14018 │ CAPI │ Ip:185.181.11.26 │ ssh:bruteforce │ ban │ │ │ 0 │ -10h32m49s │ 1 │
│ 14058 │ CAPI │ Ip:192.108.48.150 │ generic:scan │ ban │ │ │ 0 │ -8h32m49s │ 1 │
│ 14062 │ CAPI │ Ip:185.220.101.70 │ generic:scan │ ban │ │ │ 0 │ -8h32m49s │ 1 │
│ 14311 │ CAPI │ Ip:185.220.101.75 │ generic:scan │ ban │ │ │ 0 │ -7h32m49s │ 1 │
│ 14384 │ CAPI │ Ip:104.152.52.127 │ generic:scan │ ban │ │ │ 0 │ -12h32m49s │ 1 │
│ 14398 │ CAPI │ Ip:185.220.101.77 │ generic:scan │ ban │ │ │ 0 │ -8h32m49s │ 1 │
│ 14613 │ CAPI │ Ip:43.139.41.183 │ generic:scan │ ban │ │ │ 0 │ -7h32m49s │ 1 │
│ 14728 │ CAPI │ Ip:176.65.134.18 │ generic:scan │ ban │ │ │ 0 │ -10h32m49s │ 1 │
│ 14874 │ CAPI │ Ip:23.178.112.217 │ generic:scan │ ban │ │ │ 0 │ -11h32m49s │ 1
Not sure if this is normal and what this means. I set up CrowdSec as a multi-server architecture. I also already restarted the security engines and the bouncers multiple times, especially after adding them to the LAPI.
5 Replies
_KaszpiR_ 3mo ago
It is used to remove existing entries. For example, CrowdSec detects an attack and adds it to bans for 24h, but then the attack stops and there are no more reported connections, so after, say, 8h it can unban the IP; but instead of letting the ban self-expire after 24h, it may set a new time: positive if it is still thought of as a threat, or negative if it should be removed. The fact that those have such high negative values may mean the decision was to unblock it earlier but was not propagated (that's my wild guess).
iiamloz 3mo ago
Yes, decisions can become a negative timespan, and when the database does a flush it will remove any entries that have negative timespans.
mb (OP) 3mo ago
Ok, great. Didn't know about that. Thank you very much for your help and response 😄
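What the replies above describe, as an added example that is not part of the original thread: a Python sketch that parses rows in the layout quoted in the question, converts the expiration column to seconds, and separates decisions with time remaining from those whose timespan has gone negative, the ones iiamloz says the database flush removes. The sample rows are constructed (documentation-range IPs), and the ten-column layout is an assumption taken from the rows in the question.

```python
import re

# Constructed sample in the column layout of the rows quoted in the question
# (documentation-range IPs; the last row lacks its closing bar, like the paste).
SAMPLE = """\
├───────┼──────────┼─────────────────┤
│ 101 │ CAPI │ Ip:192.0.2.10 │ ssh:bruteforce │ ban │ │ │ 0 │ -10h32m49s │ 1 │
│ 102 │ crowdsec │ Ip:198.51.100.7 │ ssh:bruteforce │ ban │ │ │ 6 │ 3h59m12s │ 7 │
│ 103 │ CAPI │ Ip:203.0.113.5 │ generic:scan │ ban │ │ │ 0 │ -7h32m49s │ 1
"""

# Go-style duration as printed in the expiration column, e.g. -10h32m49s
DURATION_RE = re.compile(r"^(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?$")

def parse_duration(text):
    """Return the duration in seconds; negative means already expired."""
    m = DURATION_RE.match(text.strip())
    if not m or not any(m.group(2, 3, 4)):
        raise ValueError(f"not a duration: {text!r}")
    sign, hours, minutes, seconds = m.groups()
    total = int(hours or 0) * 3600 + int(minutes or 0) * 60 + float(seconds or 0)
    return -total if sign else total

def split_decisions(table_text):
    """Split table rows into (active, expired) lists of decision dicts."""
    active, expired = [], []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        # Assumed layout: id, source, scope:value, reason, action,
        # country, AS, events, expiration, alert id.
        if len(cells) != 10 or not cells[0].isdigit():
            continue  # border, header or unrelated line
        remaining = parse_duration(cells[8])
        entry = {"id": int(cells[0]), "source": cells[1], "target": cells[2],
                 "reason": cells[3], "remaining_s": remaining}
        (active if remaining > 0 else expired).append(entry)
    return active, expired

if __name__ == "__main__":
    active, expired = split_decisions(SAMPLE)
    for d in expired:
        print(f"expired  {d['id']} {d['target']} {d['remaining_s'] / 3600:.1f}h")
    for d in active:
        print(f"active   {d['id']} {d['target']} {d['remaining_s'] / 3600:.1f}h")
```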