Postoverflow Whitelist Ignored
Hi there!
We have a custom postoverflow whitelist solution, but lately a customer has been complaining that their API bot is being banned despite being on our whitelist.
I've been debugging the issue for hours, but can't find why this happens.
We have the same whitelist system running on multiple servers, and it works flawlessly on our SMTP servers for example.
The server where we first became aware of this issue is running Apache, and the reason for the alerts and bans are crowdsecurity/http-backdoors-attempts and crowdsecurity/http-probing.
Unfortunately our customer is running a badly written API bot, so all their requests come from the same IP, regardless of the actual user's IP. They acknowledged this, and are not worried that a whitelist would let all this through.
This is how our whitelist system is set up currently (company name obscured):
/etc/crowdsec/postoverflows/s01-whitelist/custom_whitelist.yaml
The <company>_ipwl.txt contains IP ranges, something like this:
/var/lib/crowdsec/data/<company>_ipwl.txt
I've checked the contents of this file, it is correct, it contains the right IP.
It seems to me that the postoverflow step just doesn't run for some reason. I'm not sure if it has something to do with the type of alert that is being triggered, given that this system works on our mail servers.
Any help, or any debugging steps I could take are much appreciated.
Here's what I know for sure:
- the contents of the ipwl.txt file are correct
- the postoverflow is loaded
We have a custom postoverflow whitelist solution, but lately a customer has been complaining that their API bot is being banned despite being on our whitelist.
I've been debugging the issue for hours, but can't find why this happens.
We have the same whitelist system running on multiple servers, and it works flawlessly on our SMTP servers for example.
The server where we first became aware of this issue is running Apache, and the reason for the alerts and bans are crowdsecurity/http-backdoors-attempts and crowdsecurity/http-probing.
Unfortunately our customer is running a badly written API bot, so all their requests come from the same IP, regardless of the actual user's IP. They acknowledged this, and are not worried that a whitelist would let all this through.
This is how our whitelist system is set up currently (company name obscured):
/etc/crowdsec/postoverflows/s01-whitelist/custom_whitelist.yaml
The <company>_ipwl.txt contains IP ranges, something like this:
/var/lib/crowdsec/data/<company>_ipwl.txt
I've checked the contents of this file, it is correct, it contains the right IP.
It seems to me that the postoverflow step just doesn't run for some reason. I'm not sure if it has something to do with the type of alert that is being triggered, given that this system works on our mail servers.
Any help, or any debugging steps I could take are much appreciated.
Here's what I know for sure:
- the contents of the ipwl.txt file are correct
- the postoverflow is loaded
