Having a similar issue to my prior thread but in this case Apache basic authentication failures aren’t getting banned by crowdsec…
Fresh Ubuntu 20.04 with default apache2 packages installed. Log formatting not changed from default.
/var/log/apache2/error.log:
[Thu Jan 13 19:28:51.401988 2022] [auth_basic:error] [pid 887:tid 140128332801792] [client 192.168.1.1:57590] AH01617: user user1: authentication failure for "/": Password Mismatch
[Thu Jan 13 19:28:59.952831 2022] [auth_basic:error] [pid 888:tid 140128265660160] [client 192.168.1.1:57584] AH01618: user adsfdsaf not found: /
/var/log/apache2/parser-dump.yaml:
- evt:
    ExpectMode: 1
    Stage: s01-parse
    Line:
      Raw: '[Thu Jan 13 19:28:51.401988 2022] [auth_basic:error] [pid 888:tid 140128332801792]
        [client 192.168.1.1:57584] AH01617: user user1: authentication failure
        for "/": Password Mismatch'
      Src: /var/log/apache2/error.log
      time: 2022-01-13T19:32:42.322730237Z
      Labels:
        type: apache
      process: true
      Module: file
    Parsed:
      message: '[Thu Jan 13 19:28:51.401988 2022] [auth_basic:error] [pid 888:tid
        140128332801792] [client 192.168.1.1:57584] AH01617: user user1: authentication
        failure for "/": Password Mismatch'
      program: apache
    Time: 2022-01-13T19:32:42.322863562Z
    Meta:
      datasource_path: /var/log/apache2/error.log
      datasource_type: file
  success: true
- evt:
    ExpectMode: 1
    Stage: s01-parse
    Line:
      Raw: '[Thu Jan 13 19:28:59.952831 2022] [auth_basic:error] [pid 888:tid 140128423175936]
        [client 192.168.1.1:57584] AH01618: user adsfdsaf not found: /'
      Src: /var/log/apache2/error.log
      time: 2022-01-13T19:32:42.322956388Z
      Labels:
        type: apache
      process: true
      Module: file
    Parsed:
      message: '[Thu Jan 13 19:28:54.843458 2022] [auth_basic:error] [pid 888:tid
        140128423175936] [client 192.168.1.1:57584] AH01618: user adsfdsaf not
        found: /'
      program: apache
    Time: 2022-01-13T19:32:42.323053063Z
    Meta:
      datasource_path: /var/log/apache2/error.log
      datasource_type: file
  success: true
cscli explain -f /var/log/apache2/error.log --type apache:
line: [Thu Jan 13 19:28:51.401988 2022] [auth_basic:error] [pid 888:tid 140128332801792] [client 192.168.1.1:57584] AH01617: user user1: authentication failure for "/": Password Mismatch
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (first_parser)
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| ├ 🔴 crowdsecurity/nginx-logs
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴
line: [Thu Jan 13 19:28:59.952831 2022] [auth_basic:error] [pid 888:tid 140128265660160] [client 192.168.1.1:57584] AH01618: user adsfdsaf not found: /
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (first_parser)
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| ├ 🔴 crowdsecurity/nginx-logs
| └ 🔴 crowdsecurity/sshd-logs
└-------- parser failure 🔴
cscli collections list:
COLLECTIONS
------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
------------------------------------------------------------------------------------------------------------
crowdsecurity/nginx ✔️ enabled 0.1 /etc/crowdsec/collections/nginx.yaml
crowdsecurity/base-http-scenarios ✔️ enabled 0.5 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/linux ✔️ enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/sshd ✔️ enabled 0.2 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/apache2 ✔️ enabled 0.1 /etc/crowdsec/collections/apache2.yaml
------------------------------------------------------------------------------------------------------------
cscli parsers list:
PARSERS
---------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
---------------------------------------------------------------------------------------------------------------------
crowdsecurity/apache2-logs ✔️ enabled 0.9 /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
crowdsecurity/http-logs ✔️ enabled 0.7 /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
crowdsecurity/syslog-logs ✔️ enabled 0.7 /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/whitelists ⚠️ enabled,tainted ? /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
crowdsecurity/sshd-logs ✔️ enabled 1.6 /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
crowdsecurity/dateparse-enrich ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/nginx-logs ✔️ enabled 1.0 /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
crowdsecurity/geoip-enrich ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
---------------------------------------------------------------------------------------------------------------------
crowdsec -version:
2022/01/13 19:55:08 version: v1.2.3-debian-pragmatic-a6e405422c732e9b6c46ae1004a2b80297df8336
2022/01/13 19:55:08 Codename: alphaga
2022/01/13 19:55:08 BuildDate: 2022-01-11_10:14:55
2022/01/13 19:55:08 GoVersion: 1.17.5
2022/01/13 19:55:08 Constraint_parser: >= 1.0, <= 2.0
2022/01/13 19:55:08 Constraint_scenario: >= 1.0, < 3.0
2022/01/13 19:55:08 Constraint_api: v1
2022/01/13 19:55:08 Constraint_acquis: >= 1.0, < 2.0
Any help appreciated!
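Added example (editor's note, not part of the post above and not CrowdSec's own crowdsecurity/apache2-logs parser): the `cscli explain` output shows every s01-parse parser failing on these two lines, so it helps to see concretely which fields a pattern for Apache 2.4's default error-log format has to capture. The Python below parses that format, tags the two mod_auth_basic failure codes that appear in the post (AH01617 password mismatch, AH01618 user not found), and counts failures per client IP, which is the key a rate-based ban rule would bucket on. Field names, the `ApacheErrorEvent` class and the `auth_failures_by_client` helper are my own choices; the sample log lines are the two from the post plus one constructed notice line.

```python
"""Parser for Apache 2.4's default error-log format and a per-client count
of mod_auth_basic failures. Illustrative code written for this thread; the
field names and helpers are assumptions, not CrowdSec's own parser."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Optional

# Default ErrorLogFormat in Apache 2.4 (stock Ubuntu apache2 uses it):
#   [%{u}t] [%-m:%l] [pid %P:tid %T] [client %a] %M
# The [client ...] block and the AH code are optional: not every line has them.
ERROR_LINE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<ah_code>AH\d{5}): )?"
    r"(?P<message>.*)$"
)
TIMESTAMP_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

# mod_auth_basic codes that mean a failed login attempt (both appear in the post).
AUTH_FAILURE_CODES = {
    "AH01617": "password_mismatch",  # user exists, wrong password
    "AH01618": "user_not_found",     # user not in the password file
}
# "user NAME: ..." (AH01617) or "user NAME not found: ..." (AH01618)
USER_RE = re.compile(r"^user (?P<user>\S+?)(?::| not found)")


@dataclass
class ApacheErrorEvent:
    timestamp: datetime
    module: str
    level: str
    pid: int
    tid: Optional[int]
    client_ip: Optional[str]
    client_port: Optional[int]
    ah_code: Optional[str]
    message: str
    user: Optional[str]
    auth_failure: Optional[str]  # a value from AUTH_FAILURE_CODES, or None


def parse_error_line(line: str) -> Optional[ApacheErrorEvent]:
    """Parse one error.log line; return None if it is not in the default format."""
    m = ERROR_LINE.match(line.strip())
    if not m:
        return None
    client_ip = client_port = None
    if m.group("client"):
        # "%a" is "ip:port"; rpartition keeps IPv6 addresses intact.
        host, sep, port = m.group("client").rpartition(":")
        if sep and port.isdigit():
            client_ip, client_port = host, int(port)
        else:
            client_ip = m.group("client")
    ah_code = m.group("ah_code")
    message = m.group("message")
    auth_failure = AUTH_FAILURE_CODES.get(ah_code) if ah_code else None
    user = None
    if auth_failure:
        um = USER_RE.match(message)
        user = um.group("user") if um else None
    return ApacheErrorEvent(
        timestamp=datetime.strptime(m.group("timestamp"), TIMESTAMP_FORMAT),
        module=m.group("module"),
        level=m.group("level"),
        pid=int(m.group("pid")),
        tid=int(m.group("tid")) if m.group("tid") else None,
        client_ip=client_ip,
        client_port=client_port,
        ah_code=ah_code,
        message=message,
        user=user,
        auth_failure=auth_failure,
    )


def auth_failures_by_client(lines: Iterable[str]) -> Dict[str, int]:
    """Count mod_auth_basic failures per source IP (the key a ban rule buckets on)."""
    counts: Counter = Counter()
    for line in lines:
        evt = parse_error_line(line)
        if evt and evt.auth_failure and evt.client_ip:
            counts[evt.client_ip] += 1
    return dict(counts)


# Constructed sample: the two lines from the post plus one unrelated notice line.
SAMPLE_LOG = [
    '[Thu Jan 13 19:28:51.401988 2022] [auth_basic:error] [pid 887:tid 140128332801792] '
    '[client 192.168.1.1:57590] AH01617: user user1: authentication failure for "/": Password Mismatch',
    '[Thu Jan 13 19:28:59.952831 2022] [auth_basic:error] [pid 888:tid 140128265660160] '
    '[client 192.168.1.1:57584] AH01618: user adsfdsaf not found: /',
    '[Thu Jan 13 19:00:00.000000 2022] [mpm_event:notice] [pid 887:tid 140128332801792] '
    'AH00489: Apache/2.4 (Ubuntu) configured -- resuming normal operations',
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(parse_error_line(raw))
    print(auth_failures_by_client(SAMPLE_LOG))
```

Run it as a script to see the parsed events and the per-client tally; the notice line parses but contributes nothing to the count because it carries no client address and no auth_basic code. Whatever pattern a real parser uses, the client address and the AH code are the two fields it cannot do without, since the address is what gets banned and the code is what distinguishes an authentication failure from other error-log noise.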