since 1 week we can’t update php on our servers with crowdsec. the package : https://packages.sury.org has its ip blocked in the “crowdsec-blacklists” of ipset.
Is there any other alternative than manually deleting the ip’s in the list to get the updates.
Thank you for your help
Hey so we don’t block outgoing traffic unless you have specified for the firewall bouncer to be on OUTPUT chains.
So from what I can see:
143.244.56.51 is NOT within our community blocklist but is listed within Firehol greensnow.co list
143.244.56.50 is LISTED within our community blocklist and Firehol greensnow.co list
143.244.56.49 is NOT within our community blocklist but is listed within Firehol greensnow.co list
Hello,
Thanks for your answer. According to my iptables the blocking is not in OUTPUT but in INPUT.
Below is the beginning of the inbound and outbound rules on iptables :
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15192 674K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set crowdsec-blacklists src
3534K 3019M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
13312 664K drop_invalid all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
660K 40M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3011K 6134M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
34 1948 drop_invalid all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
660K 40M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 state NEW
182 10920 ACCEPT all -- * enp3s0f1 0.0.0.0/0 0.0.0.0/0 state NEW
490 29400 ACCEPT tcp -- * eno1 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 80,443 state NEW
0 0 ACCEPT udp -- * eno1 0.0.0.0/0 0.0.0.0/0 udp multiport dports 80,443 state NEW
0 0 Cid13699X15676.0 tcp -- * eno1 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
16 5248 Out_RULE_9 udp -- * eno1 0.0.0.0/0 0.0.0.0/0 udp dpt:67 state NEW
0 0 Cid13583X15676.0 icmp -- * eno1 0.0.0.0/0 0.0.0.0/0 icmptype 255 state NEW
0 0 Cid13583X15676.0 udp -- * eno1 0.0.0.0/0 0.0.0.0/0 udp dpts:6100:6200 state NEW
3387 257K ACCEPT udp -- * eno1 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
57 3420 ACCEPT tcp -- * eno1 0.0.0.0/0 ***.***.***.*** tcp multiport dports 587,465 state NEW
0 0 Cid16537X4644.0 tcp -- * eno1 0.0.0.0/0 0.0.0.0/0 tcp dpt:10803 state NEW
0 0 REJECT tcp -- * eno1 0.0.0.0/0 ***.***.***.*** tcp dpt:21 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- * eno1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
184K 13M ACCEPT udp -- * eno1 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
2 3000 RULE_16 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
0 0 RULE_16 all -- * * 0.0.0.0/0 0.0.0.0/0
The firewall-bouncer creates a crowdsec-blacklists list this list is at the top of iptables list and drop all packets contained in this list. during the apt update I manage to exit well however I never have a return because the ip is drop. If I just remove the ip in question from the crowdsec-blacklists, I can update the php packages again. As you can see I didn’t change the bouncer config. The problem is the blocking of the ip in the list at the input
mode: iptables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: https://srv-**********
api_key: **********************
insecure_skip_verify: false
disable_ipv6: true
deny_action: DROP
deny_log: false
supported_decisions_types:
- ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
#type of ipset to use
ipset_type: nethash
#if present, insert rule in those chains
iptables_chains:
- INPUT
# - FORWARD
# - DOCKER-USER
## nftables
nftables:
ipv4:
enabled: true
set-only: false
table: crowdsec
chain: crowdsec-chain
priority: -10
ipv6:
enabled: true
set-only: false
table: crowdsec6
chain: crowdsec6-chain
priority: -10
nftables_hooks:
- input
- forward
# packet filter
pf:
# an empty string disables the anchor
anchor_name: ""
prometheus:
enabled: true
listen_addr: 127.0.0.1
listen_port: 60601
Do you have any idea how I can solve this problem?
Thank you very much.
If your on the latest version of crowdsec 1.5.1 you can use the CAPI whitelist to prevent these IP’s being added to your current decision list. (You will have to remove them manually after making this adjustment)
Firstly check if you are on the latest by running cscli version if not then use your package manager to update to the latest.
Once this has been achieved you can then run the following commands via the terminal.
echo "ips:
- 143.244.56.51
- 143.244.56.50
- 143.244.56.49" > /etc/crowdsec/capi_whitelists.yaml
echo "api:
server:
capi_whitelists_path: \"/etc/crowdsec/capi_whitelists.yaml\"" > /etc/crowdsec/config.yaml.local
Then sudo systemctl restart crowdsec after that has run successfully you can delete the IP’s from the decision list
for i in 49 50 51; do cscli decisions delete --ip "143.244.56.$i"; done
Hello,
Thank you that worked. What is the difference between adding a new capi_whitelists.yaml and adding the 3 ip to my current whitelist in /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
thanks
/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml is only for your log parsing and does not apply to IP’s from CAPI.
The above steps you took stops those coming down from third party lists and community blocklists.
Hello,
Thanks for this post, I am concerned too by this Issue. Can we know why this IP 143.244.56.50 is ban ?
Please find all information here CrowdSec Console
In short we receive handful of reports daily about the IP as well as firehol has classed the IP as a web scanner. Searching this IP shows it being used as a VPN host so this is most likely why the IP has such bad reputation.