Appsec whitelist #2

I have a similar issue like @PerryCox007 from the latest post "AppSec whitelist? Ignoire vpatch-git-config when matching?" https://discord.com/channels/921520481163673640/1413237394647552121

I try to allow .env and .git files on my nextcloud instance. My ../crowdsec/acquis.d/appsec.yaml:

```yaml
listen_addr: 0.0.0.0:7422
appsec_configs:
  - crowdsecurity/appsec-default
  - custom/appsec-nextcloud-whitelist
name: myAppSecComponent
source: appsec
labels:
  type: appsec
log_level: debug
```
My ../crowdsec/appsec-config/nextcloud-whitelist.yaml:

```yaml
name: custom/appsec-nextcloud-whitelist
pre_eval:
  #- filter: IsInBand == true && req.URL.Path contains '/remote.php/dav/'
  #- filter: IsInBand == true && req.RequestURI contains '/remote.php/dav/'
  - filter: IsInBand == true && req.Host == "nextcloud.example.com" && req.RequestURI contains '/remote.php/dav/'
    apply:
      - RemoveInBandRuleByName("crowdsecurity/vpatch-git-config")
      - RemoveInBandRuleByName("crowdsecurity/vpatch-env-config")
```
I can see that the config gets loaded:

```
level=debug msg="loading config /etc/crowdsec/appsec-configs/nextcloud-whitelist.yaml" component=appsec_config name=myAppSecComponent type=appsec
```

```
sudo cscli appsec-configs inspect custom/appsec-nextcloud-whitelist
type: appsec-configs
name: custom/appsec-nextcloud-whitelist
file_name: nextcloud-whitelist.yaml
dependencies: {}
local_path: /etc/crowdsec/appsec-configs/nextcloud-whitelist.yaml
downloadpath: ""
up_to_date: true
tainted: false
installed: true
local: true

Current metrics:
```
BUT no metrics and I can't access .env files from my nextcloud instance. Any idea what could be wrong? I tried to replicate everything from the other post but no clue what's missing. Thanks in advance! 🙂
6 Replies
se7entynine (OP), 4w ago
The alerts:
se7entynine (OP), 4w ago
@blotus @PerryCox007 Do you have any idea what could be missing? Tried lots of different combinations but nothing worked yet. Thanks!
PerryCox007, 4w ago
German? my configs / my documentations
```
vi /opt/docker/crowdsec/config/appsec-configs/nextcloud-whitelist.yaml

# https://docs.crowdsec.net/docs/next/appsec/hooks/#req-object
#
# Discord Post
# -> https://discordapp.com/channels/921520481163673640/1413237394647552121
#
name: perrycox007/appsec-nextcloud-whitelist
#log_level: debug
pre_eval:
  #- filter: IsInBand == true && req.URL.Host == "cloud.home.xyz.xyz" && req.URL.Path contains '/remote.php/dav/'
  #- filter: IsInBand == true && req.URL.Path contains '/remote.php/dav/'
  - filter: IsInBand == true && req.Host == "cloud.home.xyz.xyz" && req.RequestURI contains '/remote.php/dav/'
    apply:
      - RemoveInBandRuleByName("crowdsecurity/vpatch-git-config")
      - RemoveInBandRuleByName("crowdsecurity/vpatch-env-access")
      - RemoveInBandRuleByName("crowdsecurity/vpatch-suspicious-extensions")

vi /opt/docker/crowdsec/config/appsec-configs/test-whitelist.yaml

# https://docs.crowdsec.net/docs/next/appsec/hooks/#req-object
#
# Test
# - not be blocked
# -> curl https://nas.home.xyz.xyz/crowdsec-test.env
# -> curl https://nas.home.xyz.xyz/crowdsec-test/.git
#
# - should be blocked
# -> curl https://tvheadend.home.xyz.xyz/crowdsec-test.env
# -> curl https://tvheadend.home.xyz.xyz/crowdsec-test/.git/refs
#
name: perrycox007/appsec-test-whitelist
#log_level: debug
pre_eval:
  #- filter: IsInBand == true && req.URL.Host == "nas.home.xyz.xyz"
  #- filter: IsInBand == true
  - filter: IsInBand == true && req.Host == "nas.home.xyz.xyz"
    apply:
      - RemoveInBandRuleByName("crowdsecurity/vpatch-git-config")
      - RemoveInBandRuleByName("crowdsecurity/vpatch-env-access")
      - RemoveInBandRuleByName("crowdsecurity/vpatch-suspicious-extensions")

cat /opt/docker/crowdsec/config/acquis.d/npmplus.yaml

...
listen_addr: 0.0.0.0:7422
appsec_config: crowdsecurity/appsec-default
name: appsec
source: appsec
labels:
  type: appsec
...

vi /opt/docker/crowdsec/config/acquis.d/npmplus.yaml

...
listen_addr: 0.0.0.0:7422
appsec_configs:
  - crowdsecurity/appsec-default
  - perrycox007/appsec-nextcloud-whitelist
  - perrycox007/appsec-test-whitelist
name: appsec
source: appsec
labels:
  type: appsec
...

docker restart crowdsec
docker logs crowdsec -f
```
Streilinger, 3w ago
Pretty sure it's "crowdsecurity/vpatch-env-access" and not "crowdsecurity/vpatch-env-config"
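
A pre-deployment check for the rule-name mismatch raised in the reply above, as an added example that is not part of the thread or of CrowdSec itself: it pulls every `RemoveInBandRuleByName` target out of an appsec config and flags names that are absent from the installed rule set. The installed set below is a constructed stand-in containing only rule names quoted in this thread; on a real host it would be filled from the output of `cscli appsec-rules list`.

```python
import difflib
import re

# Constructed sample: the whitelist config as posted by the OP in this thread.
APPSEC_CONFIG = """\
name: custom/appsec-nextcloud-whitelist
pre_eval:
  - filter: IsInBand == true && req.Host == "nextcloud.example.com" && req.RequestURI contains '/remote.php/dav/'
    apply:
      - RemoveInBandRuleByName("crowdsecurity/vpatch-git-config")
      - RemoveInBandRuleByName("crowdsecurity/vpatch-env-config")
"""

# Assumption: stand-in for the installed rule list, limited to names quoted in the thread.
INSTALLED_RULES = {
    "crowdsecurity/vpatch-git-config",
    "crowdsecurity/vpatch-env-access",
    "crowdsecurity/vpatch-suspicious-extensions",
}

CALL_RE = re.compile(r"""RemoveInBandRuleByName\(\s*["']([^"']+)["']\s*\)""")


def referenced_rules(config_text):
    """Return (line_number, rule_name) for each removal call on a non-comment line."""
    refs = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out hooks are not evaluated
        refs.extend((lineno, m.group(1)) for m in CALL_RE.finditer(line))
    return refs


def check_config(config_text, installed):
    """Return (line_number, unknown_name, suggestion_or_None) per unmatched rule name."""
    refs = referenced_rules(config_text)
    # Names already referenced in this config are poor suggestions for a typo,
    # so only rules not yet referenced are offered as candidates.
    candidates = sorted(installed - {name for _, name in refs})
    findings = []
    for lineno, name in refs:
        if name not in installed:
            hint = difflib.get_close_matches(name, candidates, n=1, cutoff=0.6)
            findings.append((lineno, name, hint[0] if hint else None))
    return findings


if __name__ == "__main__":
    for lineno, name, hint in check_config(APPSEC_CONFIG, INSTALLED_RULES):
        print(f"line {lineno}: no installed rule named {name!r}; closest: {hint}")
```
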
iiamloz, 3w ago
Collections, AppSec Rules & Configurations | CrowdSec Hub
Manage collections, configurations, remediation components, and AppSec rules with CrowdSec Hub. Streamline security with tools and integrations for enhanced protection.
