Block ip packages.sury.org

For a week now we haven't been able to update PHP on our servers with CrowdSec. The package repository https://packages.sury.org has its IP blocked in the ipset "crowdsec-blacklists".


Is there any alternative to manually deleting the IPs from the list to get the updates?
Thank you for your help.

Hey, so we don't block outgoing traffic unless you have configured the firewall bouncer to be on OUTPUT chains.

So from what I can see:

143.244.56.51 is NOT within our community blocklist but is listed within Firehol greensnow.co list

143.244.56.50 is LISTED within our community blocklist and Firehol greensnow.co list

143.244.56.49 is NOT within our community blocklist but is listed within Firehol greensnow.co list

Hello,

Thanks for your answer. According to my iptables, the blocking is not in OUTPUT but in INPUT.

Below is the beginning of the inbound and outbound rules in iptables:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
15192  674K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
3534K 3019M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
13312  664K drop_invalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 660K   40M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
3011K 6134M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   34  1948 drop_invalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 660K   40M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            state NEW
  182 10920 ACCEPT     all  --  *      enp3s0f1  0.0.0.0/0            0.0.0.0/0            state NEW
  490 29400 ACCEPT     tcp  --  *      eno1    0.0.0.0/0            0.0.0.0/0            tcp multiport dports 80,443 state NEW
    0     0 ACCEPT     udp  --  *      eno1    0.0.0.0/0            0.0.0.0/0            udp multiport dports 80,443 state NEW
    0     0 Cid13699X15676.0  tcp  --  *      eno1    0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
   16  5248 Out_RULE_9  udp  --  *      eno1    0.0.0.0/0            0.0.0.0/0            udp dpt:67 state NEW
    0     0 Cid13583X15676.0  icmp --  *      eno1    0.0.0.0/0            0.0.0.0/0            icmptype 255 state NEW
    0     0 Cid13583X15676.0  udp  --  *      eno1    0.0.0.0/0            0.0.0.0/0            udp dpts:6100:6200 state NEW
 3387  257K ACCEPT     udp  --  *      eno1    0.0.0.0/0            0.0.0.0/0            udp dpt:123 state NEW
   57  3420 ACCEPT     tcp  --  *      eno1    0.0.0.0/0            ***.***.***.***        tcp multiport dports 587,465 state NEW
    0     0 Cid16537X4644.0  tcp  --  *      eno1    0.0.0.0/0            0.0.0.0/0            tcp dpt:10803 state NEW
    0     0 REJECT     tcp  --  *      eno1    0.0.0.0/0            ***.***.***.***         tcp dpt:21 reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  *      eno1    0.0.0.0/0            0.0.0.0/0            tcp dpt:53 state NEW
 184K   13M ACCEPT     udp  --  *      eno1    0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW
    2  3000 RULE_16    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp
    0     0 RULE_16    all  --  *      *       0.0.0.0/0            0.0.0.0/0 

The firewall bouncer creates a crowdsec-blacklists set. This set is at the top of the iptables list and drops all packets from addresses contained in it. During apt update the request leaves fine, but I never get a reply because the IP is dropped. If I just remove the IP in question from crowdsec-blacklists, I can update the PHP packages again. As you can see, I didn't change the bouncer config. The problem is the blocking of the IP in the list on the INPUT side.

mode: iptables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: https://srv-**********
api_key: **********************
insecure_skip_verify: false
disable_ipv6: true
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
#type of ipset to use
ipset_type: nethash
#if present, insert rule in those chains
iptables_chains:
  - INPUT
#  - FORWARD
#  - DOCKER-USER

## nftables
nftables:
  ipv4:
    enabled: true
    set-only: false
    table: crowdsec
    chain: crowdsec-chain
    priority: -10
  ipv6:
    enabled: true
    set-only: false
    table: crowdsec6
    chain: crowdsec6-chain
    priority: -10

nftables_hooks:
  - input
  - forward

# packet filter
pf:
  # an empty string disables the anchor
  anchor_name: ""

prometheus:
  enabled: true
  listen_addr: 127.0.0.1
  listen_port: 60601

Do you have any idea how I can solve this problem?

Thank you very much.

If you're on the latest version of CrowdSec, 1.5.1, you can use the CAPI whitelist to prevent these IPs from being added to your current decision list. (You will have to remove them manually after making this adjustment.)

First, check if you are on the latest by running cscli version; if not, use your package manager to update to the latest.

Once this has been achieved, you can run the following commands via the terminal.

echo "ips:
  - 143.244.56.51
  - 143.244.56.50
  - 143.244.56.49" > /etc/crowdsec/capi_whitelists.yaml
echo "api:
  server:
    capi_whitelists_path: \"/etc/crowdsec/capi_whitelists.yaml\"" > /etc/crowdsec/config.yaml.local

Then run sudo systemctl restart crowdsec. After that has completed successfully, you can delete the IPs from the decision list:

for i in 49 50 51; do cscli decisions delete --ip "143.244.56.$i"; done

Hello,

Thank you, that worked. What is the difference between adding a new capi_whitelists.yaml and adding the 3 IPs to my current whitelist in /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml?

Thanks

/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml is only for your log parsing and does not apply to IPs from CAPI.

The steps you took above stop those coming down from third-party lists and the community blocklist.
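The three points made in this thread (the bouncer drops matching packets in INPUT before the RELATED,ESTABLISHED accept, so replies to the apt request never come back; the CAPI whitelist plus a manual decisions delete fixes it; and a parser whitelist in s02-enrich would not have helped because it only affects your own log parsing) are easy to get wrong when you triage the same problem on another host. The script below is an added example, not code from the thread or from the CrowdSec project. It assumes a decision export shaped like `cscli decisions list -o json` (an array of alerts, each with a `decisions` array carrying `origin`, `scope`, `type` and `value`) and assumes CrowdSec's origin names, "CAPI" for the community blocklist, "lists" for third-party blocklists and "crowdsec" for local scenario matches. The sample decisions are constructed, not captured. It works out which decisions actually cover the mirror's addresses (CIDR-aware, since a `Range` decision lands in the `hash:net` ipset and covers every address inside it), separates the ones the CAPI whitelist will suppress from local bans it will not, and drafts the capi_whitelists.yaml body and the cleanup commands.

```python
import ipaddress
import json

# Constructed sample in the shape of `cscli decisions list -o json`
# (an array of alerts, each carrying a `decisions` array). Not captured
# from a real host; the /29 range and the local ssh-bf ban are invented to
# show the CIDR and the origin cases.
SAMPLE_DECISIONS_JSON = json.dumps([
    {"id": 1, "scenario": "crowdsecurity/http-probing", "decisions": [
        {"id": 10, "origin": "CAPI", "scope": "Ip", "type": "ban",
         "value": "143.244.56.50", "duration": "70h",
         "scenario": "crowdsecurity/http-probing"}]},
    {"id": 2, "scenario": "firehol_greensnow", "decisions": [
        {"id": 11, "origin": "lists", "scope": "Range", "type": "ban",
         "value": "143.244.56.48/29", "duration": "22h",
         "scenario": "firehol_greensnow"}]},
    {"id": 3, "scenario": "crowdsecurity/ssh-bf", "decisions": [
        {"id": 12, "origin": "crowdsec", "scope": "Ip", "type": "ban",
         "value": "143.244.56.49", "duration": "4h",
         "scenario": "crowdsecurity/ssh-bf"}]},
    {"id": 4, "scenario": "crowdsecurity/http-bad-user-agent", "decisions": [
        {"id": 13, "origin": "CAPI", "scope": "Ip", "type": "ban",
         "value": "198.51.100.7", "duration": "70h",
         "scenario": "crowdsecurity/http-bad-user-agent"}]},
])

# The addresses packages.sury.org resolved to in the thread.
MIRROR_IPS = ["143.244.56.49", "143.244.56.50", "143.244.56.51"]

# Origins whose decisions capi_whitelists.yaml suppresses (assumption:
# CrowdSec's naming, "CAPI" = community blocklist, "lists" = third-party lists).
CAPI_ORIGINS = {"CAPI", "lists"}


def flatten(alerts_json):
    """Return every decision in the alert export as one flat list."""
    return [d for a in json.loads(alerts_json) for d in a.get("decisions", [])]


def covering(decisions, targets):
    """Map each target IP to the ban decisions whose value contains it.

    A value may be a single address or a CIDR; the bouncer pushes both into
    a hash:net ipset, so containment, not string equality, is the right test.
    """
    out = {t: [] for t in targets}
    for d in decisions:
        if d.get("type") != "ban":
            continue
        net = ipaddress.ip_network(d["value"], strict=False)
        for t in targets:
            if ipaddress.ip_address(t) in net:
                out[t].append(d)
    return out


def split_by_origin(cover):
    """(remote, local): remote bans stop with the CAPI whitelist, local ones
    come from your own logs and need a parser whitelist or an investigation."""
    remote, local = [], []
    for t, ds in cover.items():
        for d in ds:
            (remote if d["origin"] in CAPI_ORIGINS else local).append((t, d))
    return remote, local


def render_capi_whitelist(targets):
    """Body for capi_whitelists.yaml: exact addresses only, not the whole /24."""
    ordered = sorted(targets, key=ipaddress.ip_address)
    return "ips:\n" + "".join(f"  - {t}\n" for t in ordered)


def render_cleanup(remote):
    """cscli commands that purge the remote decisions already in the local DB."""
    cmds = []
    for _t, d in remote:
        flag = "--range" if "/" in d["value"] else "--ip"
        cmd = f"cscli decisions delete {flag} {d['value']}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    cover = covering(flatten(SAMPLE_DECISIONS_JSON), MIRROR_IPS)
    remote, local = split_by_origin(cover)
    print("# /etc/crowdsec/capi_whitelists.yaml")
    print(render_capi_whitelist(MIRROR_IPS))
    print("# after restarting crowdsec:")
    print("\n".join(render_cleanup(remote)))
    for t, d in local:
        print(f"# WARNING: {t} banned locally by {d['scenario']} "
              f"(origin {d['origin']}); the CAPI whitelist will not stop this")
```

Two caveats when you apply the drafted output. The `echo ... > /etc/crowdsec/config.yaml.local` line in the answer above overwrites that file, so check whether it already exists and merge instead. And a local ban (origin `crowdsec`) on a mirror address means one of your own scenarios fired on traffic from it; a parser whitelist in s02-enrich silences that, but look at the alert first, because a mirror that is really probing you is a different problem from a reputation false positive.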

Hello,
Thanks for this post; I am affected by this issue too. Can we know why this IP, 143.244.56.50, is banned?

Please find all the information here: CrowdSec Console

In short, we receive a handful of reports daily about the IP, and FireHOL has classed the IP as a web scanner. Searching this IP shows it being used as a VPN host, so this is most likely why the IP has such a bad reputation.
