How to test that setup will block attack
Hi all,
I had some alerts and decisions, not much but a few a day. I had an old MikroTik router so I had only the default blocklist and one CVE with a few IPs, yet that was too much for the router to process (almost all the time it was at 100% CPU). I bought a new MikroTik router. Now it takes a few seconds (CPU 25%) in peaks but works really well. Now I have not had any decision or alert for more than a day.
Is it possible to test that my setup is working correctly?
I know that the MikroTik is working ok, because there are blocked connections which are coming from the address list which is made by the MikroTik bouncer.
What I do not understand is why I have no alert and no decision for more than a day. Am I lucky that bad ppl do not try my IP?
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command
/resolve
or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec
AFAIR we were testing this before, I was curl'ing your IP constantly and you added my IP and it was later blocked. If you want I can try to run commands again from my IP to your IP at a specific path known to be treated as an HTTP scan
I do not want to bother you. I can test that by myself from the office. What traffic do I need to generate to be treated as a bad guy?
something like
but replace the IP with the proper FQDN
should be detected as admin panel probing https://hub-data.crowdsec.net/web/admin_interfaces.txt
assuming that path returns 403
GitHub: hub/scenarios/crowdsecurity/http-probing.yaml at master · crowdsec...
do it 10 times within 10s and it should trigger
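To see why "10 requests in 10 s to a path that answers 403" is what trips the scenario, here is a small emulation of the leaky-bucket logic behind it, run over constructed web-server log lines. This is an added example for this thread, not code from CrowdSec, the hub, or any poster; the threshold of 10 events, the leak rate of one token per 10 s, and the 403/404 status filter are assumptions modelled on the reply above, and the real parameters are whatever hub/scenarios/crowdsecurity/http-probing.yaml says. The source IPs, paths and timestamps are constructed sample data.

```python
"""Leaky-bucket emulation of CrowdSec-style HTTP probing detection.

Added example, not code from CrowdSec or from this thread. THRESHOLD,
LEAKSPEED and PROBE_STATUSES are assumptions modelled on "10 times within
10s"; the scenario file in the hub is the authoritative source.
"""
import re
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                   # assumed bucket capacity (events)
LEAKSPEED = 10.0                 # assumed seconds per leaked token
PROBE_STATUSES = {"403", "404"}  # assumed statuses that count as a probe

# Combined log format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields the scenario needs, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": m["status"],
    }


def detect_probing(lines, threshold=THRESHOLD, leakspeed=LEAKSPEED):
    """Feed log lines through one leaky bucket per source IP.

    Each qualifying event adds one token; tokens drain continuously at
    1 / leakspeed per second. Reaching the threshold yields an
    (ip, path, timestamp) alert and empties that IP's bucket, mirroring
    a bucket that is discarded on overflow.
    """
    buckets = {}   # ip -> (level, timestamp of last event)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] not in PROBE_STATUSES:
            continue
        level, last = buckets.get(ev["ip"], (0.0, ev["ts"]))
        elapsed = (ev["ts"] - last).total_seconds()
        level = max(0.0, level - elapsed / leakspeed) + 1.0   # leak, then add
        if level >= threshold:
            alerts.append((ev["ip"], ev["path"], ev["ts"]))
            level = 0.0
        buckets[ev["ip"]] = (level, ev["ts"])
    return alerts


# --- constructed sample input ----------------------------------------------
_BASE = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)


def _line(ip, ts, path, status):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 153 "-" "curl/8.4.0"'


# 203.0.113.7: ten 403s within the same second, like a shell loop around curl.
BURST = [_line("203.0.113.7", _BASE, f"/admin-check-{i}", 403) for i in range(10)]
# 198.51.100.5: the same ten 403s one every 30 s, so 3 tokens leak between hits.
SLOW = [_line("198.51.100.5", _BASE + timedelta(seconds=30 * i), f"/admin-check-{i}", 403)
        for i in range(10)]
# Noise: a successful request and a line in another format are both ignored.
NOISE = [_line("203.0.113.7", _BASE, "/index.html", 200), "kernel: eth0 link up"]

SAMPLE_LOG = NOISE + SLOW + BURST


def run_sample():
    return detect_probing(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, path, ts in run_sample():
        print(f"http-probing overflow: {ip} at {ts.isoformat()} (last path {path})")
```

Only the burst source reaches the threshold; the slow source never gets above one token because each 30 s gap drains more than it adds. That is also why an ordinary visitor hitting a handful of 404s over a session does not end up in the bouncer's address list.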
wow that is easy
we also have some specific test scenarios to see if crowdsec is reading your logs properly: https://docs.crowdsec.net/u/getting_started/health_check#-detection-checks
(note that it will not block you, it's intended to check if crowdsec itself is configured properly)