C
CrowdSec2mo ago
AR2000

decisions list strange result

I recently noticed my firewall bouncer stopped adding ip flagged for ssh attack to the iptable. I had set it up that way : 
log_mode: stdout # file or stdout
log_level: info
api_url: http://127.0.0.1:43254/
api_key: U6rIr+Rv+HSHfAElS4hBWJQjddXdtxe8YLzEbZ+08+0 # as created in crowdsec
scenarios_containing: ["ssh"]
scopes: ["Ip"]
origins: ["crowdsec", "CAPI", "cscli"]
feed_via_stdin: true
supported_decisions_types:
  - ban
log_mode: stdout # file or stdout
log_level: info
api_url: http://127.0.0.1:43254/
api_key: U6rIr+Rv+HSHfAElS4hBWJQjddXdtxe8YLzEbZ+08+0 # as created in crowdsec
scenarios_containing: ["ssh"]
scopes: ["Ip"]
origins: ["crowdsec", "CAPI", "cscli"]
feed_via_stdin: true
supported_decisions_types:
  - ban
I was wondering what changed. I also have a lot of decisions with negative expiration for the CAPI source (-16h32 for example).
4 Replies
CrowdSec
CrowdSec2mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
AR2000
AR2000OP2mo ago
From what I just understood, the config above would only block IP reported for ssh behaviour in the community blocklist and not in subscribed list Issue is : it stopped getting ssh IP to block I also don't see any ssh related ban in my current CAPI decsision list only http related ones
iiamloz
iiamloz2mo ago
as Blotus pointed out, we slighly altered the scenario naming scheme that comes from CAPI beforehand it used to say crowdsecurity/ssh-bf as the scenario itself instead now we use the behaviour name which is ssh:bruteforce so your filter should still match. However, is your engine reporting http based scenarios? as the system is designed to tailor the blocklist to your actively reported scenarios so if you are reporting them more than ssh the list will want to download more http stuff so you are more protected on your actively attacked application. 
╭──────────────────────────────────────────────────────────────────────────────────╮
│ Local API Decisions                                                              │
├──────────────────────────────────────────────────────┬──────────┬────────┬───────┤
│ Reason                                               │ Origin   │ Action │ Count │
├──────────────────────────────────────────────────────┼──────────┼────────┼───────┤
│ ssh:bruteforce                                       │ CAPI     │ ban    │ 28490 │
╭──────────────────────────────────────────────────────────────────────────────────╮
│ Local API Decisions                                                              │
├──────────────────────────────────────────────────────┬──────────┬────────┬───────┤
│ Reason                                               │ Origin   │ Action │ Count │
├──────────────────────────────────────────────────────┼──────────┼────────┼───────┤
│ ssh:bruteforce                                       │ CAPI     │ ban    │ 28490 │
this is what the behaviour looks like in cscli metrics
AR2000
AR2000OP2mo ago
I haven't had any ssh attack detected by my engine latetly which could be the reason why I don't have any ssh:* CAPI decsion currently if the list downloaded depend on what is attacked. However I do not have any ssh:* decision currently 
╭────────────────────────────────────────────────────────────╮
│ Local API Decisions                                        │
├────────────────────────────────┬──────────┬────────┬───────┤
│ Reason                         │ Origin   │ Action │ Count │
├────────────────────────────────┼──────────┼────────┼───────┤
│ http:bruteforce                │ CAPI     │ ban    │ 487   │
│ http:crawl                     │ CAPI     │ ban    │ 39    │
│ http:exploit                   │ CAPI     │ ban    │ 10645 │
│ http:scan                      │ CAPI     │ ban    │ 4298  │
│ crowdsecurity/CVE-2022-41082   │ crowdsec │ ban    │ 1     │
│ crowdsecurity/http-cve-probing │ crowdsec │ ban    │ 1     │
│ otx-webscanners                │ lists    │ ban    │ 5167  │
│ crowdsec_cve_2024_4577         │ lists    │ ban    │ 998   │
│ firehol_greensnow              │ lists    │ ban    │ 7328  │
╰────────────────────────────────┴──────────┴────────┴───────╯
╭────────────────────────────────────────────────────────────╮
│ Local API Decisions                                        │
├────────────────────────────────┬──────────┬────────┬───────┤
│ Reason                         │ Origin   │ Action │ Count │
├────────────────────────────────┼──────────┼────────┼───────┤
│ http:bruteforce                │ CAPI     │ ban    │ 487   │
│ http:crawl                     │ CAPI     │ ban    │ 39    │
│ http:exploit                   │ CAPI     │ ban    │ 10645 │
│ http:scan                      │ CAPI     │ ban    │ 4298  │
│ crowdsecurity/CVE-2022-41082   │ crowdsec │ ban    │ 1     │
│ crowdsecurity/http-cve-probing │ crowdsec │ ban    │ 1     │
│ otx-webscanners                │ lists    │ ban    │ 5167  │
│ crowdsec_cve_2024_4577         │ lists    │ ban    │ 998   │
│ firehol_greensnow              │ lists    │ ban    │ 7328  │
╰────────────────────────────────┴──────────┴────────┴───────╯
but it still doesn't explain the decisions with negative expiration 
│ 64053515 │ CAPI   │ Ip:85.8.130.90                             │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64054168 │ CAPI   │ Ip:98.159.37.144                           │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64055220 │ CAPI   │ Ip:216.73.163.24                           │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64057151 │ CAPI   │ Ip:89.251.0.20                             │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64057180 │ CAPI   │ Ip:89.251.0.18                             │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64057858 │ CAPI   │ Ip:45.8.17.242                             │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64062375 │ CAPI   │ Ip:177.38.178.5                            │ http:bruteforce │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64062378 │ CAPI   │ Ip:189.218.168.30                          │ http:bruteforce │ ban    │         │    │ 0      │ 127h58m44s │ 17958    │
│ 64062453 │ CAPI   │ Ip:141.94.195.25                           │ http:bruteforce │ ban    │         │    │ 0      │ 105h58m44s │ 17958    │
╰──────────┴────────┴────────────────────────────────────────────┴─────────────────┴────────┴─────────┴────┴────────┴────────────┴──────────╯
│ 64053515 │ CAPI   │ Ip:85.8.130.90                             │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64054168 │ CAPI   │ Ip:98.159.37.144                           │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64055220 │ CAPI   │ Ip:216.73.163.24                           │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64057151 │ CAPI   │ Ip:89.251.0.20                             │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64057180 │ CAPI   │ Ip:89.251.0.18                             │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64057858 │ CAPI   │ Ip:45.8.17.242                             │ http:exploit    │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64062375 │ CAPI   │ Ip:177.38.178.5                            │ http:bruteforce │ ban    │         │    │ 0      │ -4h1m16s   │ 17958    │
│ 64062378 │ CAPI   │ Ip:189.218.168.30                          │ http:bruteforce │ ban    │         │    │ 0      │ 127h58m44s │ 17958    │
│ 64062453 │ CAPI   │ Ip:141.94.195.25                           │ http:bruteforce │ ban    │         │    │ 0      │ 105h58m44s │ 17958    │
╰──────────┴────────┴────────────────────────────────────────────┴─────────────────┴────────┴─────────┴────┴────────┴────────────┴──────────╯
btw the --limit option did not work cscli decision list --limit 15 --origin CAPI

Did you find this page helpful?