Crowdsec not blocking brute-force login attempts to docker containers behind NTMplus
I have NPMplus installed with Crowdsec. Everything is working fine. I can see decisions being made in the Crowdsec log based on IPs.
I have 12 services running behind NPMplus. If I visit subdomain.mydomain.com, I can see the IP appear in the Crowdsec log.
I installed the bouncer: crowdsec-firewall-bouncer-iptables
If I go to the Crowdsec terminal and type in cscli metrics, I see npmplus/nginx/acess.log being parsed. I also see the cs-firewall-bouncer listed under the Bouncer section.
However, if I try to login to any of my 12 services (all docker containers) and the logins fail, I am not being banned. I am trying from a VPN IP address to login.
The ONLY docker container that will ban failed logins is NPMplus. All my other containers that are behind NPMplus never fail. I can keep trying to login forever. All the docker containers are in network: host mode.
If I try to brute foce login to any of my other docker containers like Radarr, Sonarr, Change Detection, Jackett, etc., none of them will ban the IP address like the NPMplus docker container does. All of the docker containers are in network_mode: host.
Crowdsec is somewhat working because I see another foreign IP address in the screenshot above that is not from me that got banned.
It appears everything is working fine, EXCEPT the brute force login for my various other containers. Is there maybe something different I need to do with my other containers? Or should the NPMplus traffic and logs be enough for Crowdsec?
Attached are a couple screenshots:
I asked Zoey, the creating of NPMplus, but she thinks it's a Crowdsec issue. Here is what she said in our Github converstaion: crowdsec firewall bouncer saves its blacklist inside ipset lists
Any help would be appreciated. Thank you!
I have 12 services running behind NPMplus. If I visit subdomain.mydomain.com, I can see the IP appear in the Crowdsec log.
I installed the bouncer: crowdsec-firewall-bouncer-iptables
If I go to the Crowdsec terminal and type in cscli metrics, I see npmplus/nginx/acess.log being parsed. I also see the cs-firewall-bouncer listed under the Bouncer section.
However, if I try to login to any of my 12 services (all docker containers) and the logins fail, I am not being banned. I am trying from a VPN IP address to login.
The ONLY docker container that will ban failed logins is NPMplus. All my other containers that are behind NPMplus never fail. I can keep trying to login forever. All the docker containers are in network: host mode.
If I try to brute foce login to any of my other docker containers like Radarr, Sonarr, Change Detection, Jackett, etc., none of them will ban the IP address like the NPMplus docker container does. All of the docker containers are in network_mode: host.
Crowdsec is somewhat working because I see another foreign IP address in the screenshot above that is not from me that got banned.
It appears everything is working fine, EXCEPT the brute force login for my various other containers. Is there maybe something different I need to do with my other containers? Or should the NPMplus traffic and logs be enough for Crowdsec?
Attached are a couple screenshots:
- decisions list. It is banning IPs.
- Screenshot of my docker log for the Crowdsec container
I asked Zoey, the creating of NPMplus, but she thinks it's a Crowdsec issue. Here is what she said in our Github converstaion: crowdsec firewall bouncer saves its blacklist inside ipset lists
Any help would be appreciated. Thank you!
