Best Practice for Basic Auth? CrowdSec blocks POST attacks but ignores GET

Hello CrowdSec Community,

I’m a complete newcomer to CrowdSec, having used it for only 2-3 days. I’m trying to understand a specific behavior and would appreciate your expertise.

My Setup: I’m running CrowdSec on my Nginx Proxy Manager (NPM) instance. This NPM acts as a reverse proxy for several internal services running on different servers in my network. One of these backend services is protected with HTTP Basic Auth (.htaccess). This means the authentication is handled by the backend server itself, not by NPM.

The Problem & My Observation: My primary goal is to protect this service from brute-force attacks. Here is what I’ve observed:

  1. When a normal user accesses the service via a browser, a GET request is made. If the password is wrong, the backend server correctly sends a 401 Unauthorized status, which I can clearly see in the NPM access.log. However, CrowdSec takes no action on this. This is a major security issue for me, as an attacker could try hundreds of thousands of passwords unnoticed.

  2. To investigate this, I dug deeper. I can see that the standard scenario crowdsecurity/http-generic-bf is installed. (http-generic-bf Scenario)

  3. Surprisingly, when I ran a test simulating an attack using the POST method, the IP was immediately and correctly blocked.

I’m now facing a situation where the standard attack vector via a browser (GET) is completely unprotected, while the less common POST attack vector is secured. As a newcomer, it’s not clear to me why the POST attack is caught—it could be the parser flagging it as an auth_fail for the http-generic-bf scenario, or another, more specific POST-only scenario is catching it. Either way, the result is that GET requests are not being handled.

My Questions for You:

  1. Why is there a difference between GET and POST? Is there a specific reason why a 401 error on a GET request is not considered a real authentication failure by the default parser/scenario setup? Or, as a newcomer, is it possible I have a fundamental misunderstanding of how this is supposed to work?

  2. What is the best practice for this situation? How do others secure their services that use Basic Auth on a backend server? The key constraint here is that my CrowdSec instance can only read the NPM access.log. I do not have access to the error.log of the backend service on the other server, where more explicit failure messages might be logged. Any decision to ban an IP must be made solely based on the proxy’s access log data (i.e., seeing repeated 401 statuses on GET requests).

I would be grateful for any advice on how to properly and securely handle what I imagine is a very common use case.

Thank you!
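For anyone working through the same question, here is an added example (not from the original post and not CrowdSec's own code) that shows the detection the poster is asking for done purely from proxy access-log data: parse Nginx Proxy Manager style access-log lines, count 401 responses per client IP in a leaky bucket, and flag the IP when the bucket overflows. The `methods` parameter lets you compare method-agnostic counting with a POST-only rule like the behaviour described above. The log format (NPM's proxy-host format, `[time] cache upstream_status status - method scheme host "uri" [Client ip] ...`), the log lines, the IPs and the thresholds are all constructed for illustration.

```python
"""
Added example: flag source IPs that accumulate repeated 401 responses in
an NPM-style access log, regardless of HTTP method. Not CrowdSec code;
the log format and sample lines below are assumptions/constructed data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed NPM proxy-host log format:
# [$time_local] $upstream_cache_status $upstream_status $status - $request_method
#   $scheme $host "$request_uri" [Client $remote_addr] [Length ...] ...
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) - (?P<method>[A-Z]+) '
    r'(?P<scheme>\w+) (?P<host>\S+) "(?P<uri>[^"]*)" \[Client (?P<ip>[^\]]+)\]'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with time/status/method/ip for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], TIME_FMT)
    ev["status"] = int(ev["status"])
    return ev


class LeakyBucket:
    """One bucket per IP: each event adds 1, the level drains by 1 every
    `leakspeed` seconds; the bucket overflows once level > capacity."""

    def __init__(self, capacity, leakspeed):
        self.capacity = capacity
        self.leakspeed = leakspeed
        self.level = 0.0
        self.last = None

    def add(self, when):
        if self.last is not None:
            elapsed = (when - self.last).total_seconds()
            self.level = max(0.0, self.level - elapsed / self.leakspeed)
        self.last = when
        self.level += 1
        return self.level > self.capacity


def detect_bf(lines, capacity=5, leakspeed=10, statuses=(401,), methods=None):
    """Return the IPs (in order of detection) whose 401 bucket overflowed.
    methods=None counts every HTTP method; pass ("POST",) to mimic a
    POST-only rule, ("GET", "POST") to cover both."""
    buckets = defaultdict(lambda: LeakyBucket(capacity, leakspeed))
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] not in statuses:
            continue
        if methods is not None and ev["method"] not in methods:
            continue
        if buckets[ev["ip"]].add(ev["time"]) and ev["ip"] not in flagged:
            flagged.append(ev["ip"])
    return flagged


def _line(ts, status, method, ip):
    # Constructed NPM-style line for the sample log below.
    return (f'[{ts}] - {status} {status} - {method} https app.example.internal "/" '
            f'[Client {ip}] [Length 188] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"')


# Constructed sample: six GET 401s in six seconds from one IP (a brute-force
# pattern), plus two clients that each fail once and then succeed.
SAMPLE_LOG = [
    _line(f"12/Oct/2023:10:00:{s:02d} +0000", 401, "GET", "203.0.113.10")
    for s in range(6)
] + [
    _line("12/Oct/2023:10:00:03 +0000", 401, "POST", "198.51.100.7"),
    _line("12/Oct/2023:10:00:04 +0000", 200, "POST", "198.51.100.7"),
    _line("12/Oct/2023:10:00:05 +0000", 401, "GET", "192.0.2.44"),
    _line("12/Oct/2023:10:00:06 +0000", 200, "GET", "192.0.2.44"),
]

if __name__ == "__main__":
    print("any method :", detect_bf(SAMPLE_LOG))
    print("POST only  :", detect_bf(SAMPLE_LOG, methods=("POST",)))
```

With the defaults (capacity 5, one event drained every 10 s) the sixth GET 401 from `203.0.113.10` within six seconds overflows the bucket and the IP is flagged, while the two one-off failures never get near the threshold; restricting the rule to POST flags nobody, which is the gap the post describes. The same structure (status filter, per-IP bucket, capacity and leak speed) is what you would translate into whatever rule language your setup uses.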