What to do in this scenario..?
I run CrowdSec inside OPNsense in my homelab and it's been working great as far as I can tell, with occasional frequent bursts of bans on several IPs over the last few months.
This week I'm travelling to Dubai and am experiencing multiple bans occurring almost every minute from 79.124.49.146 which is worrying me.
How do I find out what is triggering this..? I have a few homelab services I use like Immich and Dawarich which "phone home" via Cloudflare tunnels from my phone/laptop and also run Tailscale... could it be them..?
It's a fair amount of notifications I'm logging via Gotify and best case is just annoying, worst case some bad actor doing constant port scans... any ideas guys..?

2 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Most likely it's because of the echo chamber effect that comes from when OPNsense blocks an IP.
The short of it: by default OPNsense logs all packets, whether or not they're dropped by a CrowdSec block. So this causes an echo chamber where the packet was dropped because of a CrowdSec block and it then retriggers the scenario over and over again, because the parser/scenario doesn't know the origin.
The easiest way is to alter your profiles to have a profile to match if < 1 decisions exist for an IP and trigger a notification. If the IP has more than that, another profile should be made to still trigger a decision but not issue a notification.
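
The two-profile setup suggested in the reply above, sketched as an added example (not posted in the thread and not CrowdSec's shipped configuration). The profile names, the 4h ban duration and the `http_default` notification plugin name are assumptions; use whichever plugin already forwards to Gotify in your setup.

```yaml
# profiles.yaml (added example; profile names are made up for illustration)
# Profiles are evaluated top to bottom; on_success: break stops at the first match.

# 1) First alert for an IP: no decision exists yet, so ban and notify.
name: ip_first_ban_notify
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && GetDecisionsCount(Alert.GetValue()) < 1
decisions:
  - type: ban
    duration: 4h          # assumption: same duration as a stock ban profile
notifications:
  - http_default          # assumption: the plugin wired to Gotify
on_success: break
---
# 2) Repeat alerts: the IP already has a decision, so still ban but send nothing.
name: ip_repeat_ban_silent
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
on_success: break
```

The order matters: the notifying profile has to come first, because the second filter also matches first-time offenders. Restart the CrowdSec service after editing so the profiles are reloaded.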