Same IP banned twice 2 hours apart?
I've seen the same IP getting banned twice 2 hours apart, not sure how it's possible?
My default bans are for longer, so it shouldn't be possible, I do see the active decision for that IP, so I wonder if I'm missing something?
Thanks.

31 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command
/resolve
or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Which remediation component are you using?
Are you referring to this?
Yes, I see firewall and nginx, don't suppose you used cloudflare?
Nope I don't use cloudflare currently.
Very odd, cause typically it should block on firewall layer, do you use any remediation other than ban?
I don't think so...
sudo cscli decisions list
shows only ban for the action, if I should see anything else there.
Nah, it was a question to understand if the first was another decision type, but you would know if you configured captcha
Don't recall anything regarding captcha so I assume not
If you run
iptables -L INPUT
you see the crowdsec chain defined
what about FORWARD? If it is for example NATed to docker?
I think the backend uses nftables and I do see some rules for FORWARD to docker, but if there is some specific question let me know, not super familiar with that in depth.
what I mean is that default crowdsec firewall remediation is via iptables FORWARD rules
but if you have web server under docker or similar setup then the traffic is NAT'ed so then it goes through FORWARD rule (thus being skipped by INPUT rules), which effectively means the crowdsec firewall remediation is omitted, unless you also have crowdsec rules for FORWARD
check
iptables -n -L FORWARD
if there is CROWDSEC_CHAIN there as well
another option can be the fact that in iptables -n -L INPUT
crowdsec chain is below other rules and those rules are accepting connections anyway
in that case you would have to move CROWDSEC_CHAIN to the top
I guess it might be the case?
Should I add CROWDSEC_CHAIN to FORWARD as well then?
I did check the setup in general tho, and the ban decisions do seem to apply.
But I guess it might still be the case
if your apps are dockerized and they serve requests then yeah
What would be the proper approach of doing that? Is there some docs that cover this?
https://github.com/crowdsecurity/cs-firewall-bouncer/blob/main/pkg/iptables/iptables_context.go#L71 probably would require to raise the issue on cs-firewall-bouncer to add
input
and output
and not just the filter
(unless there is already such issue)
https://github.com/crowdsecurity/cs-firewall-bouncer/issues/32 maybe
o wait, there is an option to specify it already https://github.com/crowdsecurity/cs-firewall-bouncer/blob/main/config/crowdsec-firewall-bouncer.yaml#L30-L33
I'll try to enable that, should I also enable DOCKER-USER?
this is not needed, because DOCKER-USER is in FORWARD chain, and CROWDSEC_CHAIN should be added before it
unless you need additional rules for DOCKER-USER for cross-container communication filtering
generally you can enable DOCKER-USER for max security for the price of the additional load on the node due to processing additional firewall rules, should not be a problem on modern hardware
I see, I think I'll try without it for now, I use rpi4 so the hardware is not great.
frankly speaking I'd rather suggest to block it on the router, before it even reaches rpi
Hmm not sure my router can do that..
what router?
Some are xiaomi and some are tp link
hm no idea, if they expose access to them via telnet/api then maybe
I guess it might be possible with something like openwrt but common routers..not sure.
I can try to ssh into my router and maybe try that perhaps.
it would require dedicated bouncer for that device, similar to other bouncers
rpi4 should be able to handle it
Hmm yeah
Alright, I'll enable that too then 🙂
It seems to work now btw, so that's a good start
if the load is too high you can disable it and see how it goes
https://docs.crowdsec.net/u/bouncers/custom/ or basic shell script but probably it would require some coding, another option if the firewall supports ipsets or blacklists from a file then https://docs.crowdsec.net/u/bouncers/blocklist-mirror could be used
ok, gotta go to sleep, cu
Thanks a lot for the help!!! 🙂
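The two checks the replies above describe (CROWDSEC_CHAIN missing from FORWARD on a docker host, or sitting below rules that already accept traffic in INPUT), as an added example that is not part of the thread or of cs-firewall-bouncer; the iptables listings below are constructed samples, and `hook_status` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread or the CrowdSec project): audit `iptables -n -L <chain>`
# output for the two misconfigurations discussed above: CROWDSEC_CHAIN absent from a chain
# (typically FORWARD on a docker host) or placed below a rule that already accepts or
# dispatches traffic (ACCEPT, DOCKER-USER), in which case bans never take effect there.

# Constructed sample: FORWARD on a docker host where the bouncer only hooks INPUT.
SAMPLE_FORWARD_MISSING='Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample: INPUT where an earlier blanket ACCEPT for 443 shadows the crowdsec chain.
SAMPLE_INPUT_SHADOWED='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
CROWDSEC_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample: FORWARD after adding it to the bouncer's iptables_chains setting.
SAMPLE_FORWARD_OK='Chain FORWARD (policy DROP)
target     prot opt source               destination
CROWDSEC_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# hook_status LISTING -> prints "missing", "shadowed-by-<target>" or "ok"
hook_status() {
  printf '%s\n' "$1" | awk '
    NR <= 2 { next }                                   # skip "Chain ..." and column header
    $1 == "CROWDSEC_CHAIN" { print (first ? "shadowed-by-" first : "ok"); seen = 1; exit }
    ($1 == "ACCEPT" || $1 == "DOCKER-USER") && !first { first = $1 }   # first rule that wins before us
    END { if (!seen) print "missing" }'
}

# On a live host you would pass real output instead: hook_status "$(iptables -n -L FORWARD)"
printf 'FORWARD, bouncer on INPUT only: %s\n' "$(hook_status "$SAMPLE_FORWARD_MISSING")"
printf 'INPUT, ACCEPT above the chain:  %s\n' "$(hook_status "$SAMPLE_INPUT_SHADOWED")"
printf 'FORWARD, chain hooked at top:   %s\n' "$(hook_status "$SAMPLE_FORWARD_OK")"
```

A "shadowed-by-ACCEPT" result for the RELATED,ESTABLISHED rule is common and only lets already-open connections through; a shadowing port ACCEPT or DOCKER-USER is the case where new connections from a banned IP still get in.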