For a week now we can't update PHP on our servers running CrowdSec. The package repository https://packages.sury.org has its IP blocked in the "crowdsec-blacklists" ipset.
Thanks for your answer. According to my iptables the blocking is not in OUTPUT but in INPUT.
Below is the beginning of the inbound and outbound rules in iptables:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target            prot opt in     out      source               destination
15192  674K DROP              all  --  *      *        0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
3534K 3019M ACCEPT            all  --  *      *        0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
13312  664K drop_invalid      all  --  *      *        0.0.0.0/0            0.0.0.0/0            state INVALID
 660K   40M ACCEPT            all  --  lo     *        0.0.0.0/0            0.0.0.0/0            state NEW

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target            prot opt in     out      source               destination
3011K 6134M ACCEPT            all  --  *      *        0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   34  1948 drop_invalid      all  --  *      *        0.0.0.0/0            0.0.0.0/0            state INVALID
 660K   40M ACCEPT            all  --  *      lo       0.0.0.0/0            0.0.0.0/0            state NEW
  182 10920 ACCEPT            all  --  *      enp3s0f1 0.0.0.0/0            0.0.0.0/0            state NEW
  490 29400 ACCEPT            tcp  --  *      eno1     0.0.0.0/0            0.0.0.0/0            tcp multiport dports 80,443 state NEW
    0     0 ACCEPT            udp  --  *      eno1     0.0.0.0/0            0.0.0.0/0            udp multiport dports 80,443 state NEW
    0     0 Cid13699X15676.0  tcp  --  *      eno1     0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
   16  5248 Out_RULE_9        udp  --  *      eno1     0.0.0.0/0            0.0.0.0/0            udp dpt:67 state NEW
    0     0 Cid13583X15676.0  icmp --  *      eno1     0.0.0.0/0            0.0.0.0/0            icmptype 255 state NEW
    0     0 Cid13583X15676.0  udp  --  *      eno1     0.0.0.0/0            0.0.0.0/0            udp dpts:6100:6200 state NEW
 3387  257K ACCEPT            udp  --  *      eno1     0.0.0.0/0            0.0.0.0/0            udp dpt:123 state NEW
   57  3420 ACCEPT            tcp  --  *      eno1     0.0.0.0/0            ***.***.***.***      tcp multiport dports 587,465 state NEW
    0     0 Cid16537X4644.0   tcp  --  *      eno1     0.0.0.0/0            0.0.0.0/0            tcp dpt:10803 state NEW
    0     0 REJECT            tcp  --  *      eno1     0.0.0.0/0            ***.***.***.***      tcp dpt:21 reject-with icmp-port-unreachable
    0     0 ACCEPT            tcp  --  *      eno1     0.0.0.0/0            0.0.0.0/0            tcp dpt:53 state NEW
 184K   13M ACCEPT            udp  --  *      eno1     0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW
    2  3000 RULE_16           tcp  --  *      *        0.0.0.0/0            0.0.0.0/0            tcp
    0     0 RULE_16           all  --  *      *        0.0.0.0/0            0.0.0.0/0
The firewall bouncer creates a crowdsec-blacklists set. This set is at the top of the iptables rules and drops all packets from addresses in the set. During the apt update the outgoing packets get out fine, but I never get a reply because the IP is dropped. If I just remove the IP in question from crowdsec-blacklists, I can update the PHP packages again. As you can see, I didn't change the bouncer config. The problem is the blocking of the IP in the set on INPUT.
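An added diagnostic, not code from the thread and not part of the CrowdSec bouncer, that makes the ordering problem described in the post above checkable: it reads the output of iptables -L INPUT -v -n and reports whether the ipset DROP rule sits above the RELATED,ESTABLISHED ACCEPT, which is exactly the position where replies to the host's own outbound connections (apt talking to a listed mirror) are dropped before conntrack can accept them. The two chain dumps embedded in it are constructed copies of the INPUT chain posted above, once as posted and once with the two rules swapped; the set name crowdsec-blacklists is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the forum thread). Checks rule order in the INPUT chain:
# if the bouncer's `match-set <set> src` DROP precedes the RELATED,ESTABLISHED
# ACCEPT, replies from listed IPs are dropped even for connections this host opened.
#
# Input : text of `iptables -L INPUT -v -n` (with or without --line-numbers) on stdin.
# Exit  : 0 = DROP precedes conntrack ACCEPT (return traffic from listed IPs dies)
#         1 = conntrack ACCEPT comes first (established flows survive)
#         2 = no match-set DROP rule for that set in INPUT
blocklist_precedes_established() {
  awk -v set="$1" '
    /^Chain /          { chain = $2; pos = 0; next }   # chain header, reset position
    /^ *(num +)?pkts / { next }                        # column header
    NF == 0            { next }
    chain == "INPUT" {
      pos++
      # with --line-numbers the first field is the rule number and the target shifts right
      target = ($3 ~ /^[0-9]+[KMGT]?$/) ? $4 : $3
      if (!drop && target == "DROP"   && $0 ~ ("match-set " set " src")) drop = pos
      if (!est  && target == "ACCEPT" && $0 ~ /RELATED,ESTABLISHED/)     est  = pos
    }
    END {
      if (!drop) { print "no match-set " set " DROP rule in INPUT"; exit 2 }
      if (!est || drop < est) {
        print "rule " drop " drops " set " members before the conntrack ACCEPT" \
              (est ? " at rule " est : "") ": replies from listed IPs are dropped"
        exit 0
      }
      print "conntrack ACCEPT at rule " est " precedes the " set " DROP at rule " drop \
            ": established flows survive"
      exit 1
    }'
}

# Constructed copy of the INPUT chain posted in the thread.
INPUT_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
15192  674K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
3534K 3019M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
13312  664K drop_invalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 660K   40M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW'

# Same chain with the two rules swapped (constructed counter-example).
REORDERED_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
3534K 3019M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
15192  674K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src'

# Demo on the posted chain. Live use:
#   iptables -L INPUT -v -n | blocklist_precedes_established crowdsec-blacklists
printf '%s\n' "$INPUT_DUMP" | blocklist_precedes_established crowdsec-blacklists || :
```

The bouncer manages that DROP rule itself, so moving it below the conntrack ACCEPT by hand is not a durable fix; what the check gives you is a quick way to confirm that a "download never returns" symptom is this ordering rather than an OUTPUT rule, before you go looking for the offending decision with cscli.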
If you're on the latest version of CrowdSec (1.5.1), you can use the CAPI whitelist to prevent these IPs from being added to your current decision list. (You will have to remove them manually after making this adjustment.)
First, check whether you are on the latest version by running cscli version; if not, use your package manager to update to the latest.
Once this has been done, you can run the following commands in the terminal.
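The whitelist file the reply refers to, as an added example rather than the commands from the post: a POSIX shell helper that writes a CrowdSec CAPI whitelist in the format documented for 1.5 (top-level ips: and cidrs: lists), validating each entry first so a typo cannot silently whitelist the wrong range. The path /etc/crowdsec/capi_whitelists.yaml, the config key api.server.capi_whitelists_path and the sample addresses (RFC 5737 documentation ranges) are taken from the CrowdSec documentation and are assumptions here, not details from the thread, which does not show the mirror's IPs.

```shell
#!/bin/sh
# Added example (not the commands from the reply). Builds a CrowdSec CAPI whitelist
# file in the format documented for 1.5+: top-level `ips:` and `cidrs:` lists.
# Assumed from the CrowdSec docs, not from the thread: the file lives at
# /etc/crowdsec/capi_whitelists.yaml and is enabled in config.yaml with
#   api:
#     server:
#       capi_whitelists_path: /etc/crowdsec/capi_whitelists.yaml

# is_ipv4 ADDR: true for four dotted decimal octets, each 0-255
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
    { exit 1 }'
}

# is_ipv4_cidr ADDR/PREFIX: IPv4 network with a prefix length of 0-32
is_ipv4_cidr() {
  case "$1" in
    */*) is_ipv4 "${1%/*}" && printf '%s\n' "${1#*/}" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' ;;
    *)   return 1 ;;
  esac
}

# write_capi_whitelist FILE ENTRY...: sort entries into the ips/cidrs lists,
# refuse the whole batch if any entry is malformed (nothing is written then)
write_capi_whitelist() {
  out="$1"; shift
  ips=""; cidrs=""
  for entry in "$@"; do
    if is_ipv4 "$entry"; then
      ips="$ips  - $entry
"
    elif is_ipv4_cidr "$entry"; then
      cidrs="$cidrs  - $entry
"
    else
      echo "refusing to whitelist malformed entry: $entry" >&2
      return 1
    fi
  done
  {
    if [ -n "$ips" ];   then echo "ips:";   printf '%s' "$ips";   fi
    if [ -n "$cidrs" ]; then echo "cidrs:"; printf '%s' "$cidrs"; fi
  } > "$out"
}

# Demo with constructed RFC 5737 addresses (the mirror's real IPs are not on the page).
# Real use:  write_capi_whitelist /etc/crowdsec/capi_whitelists.yaml <mirror-ip> ...
demo_file="${TMPDIR:-/tmp}/capi_whitelists.demo.yaml"
write_capi_whitelist "$demo_file" 203.0.113.7 198.51.100.0/24 203.0.113.8 && cat "$demo_file"
```

After pointing capi_whitelists_path at the file and restarting crowdsec, the decisions that already exist still have to be removed by hand, as the reply says; cscli decisions delete --ip <addr> (or --range <cidr>) does that. For context on the later question in the thread: a parser-stage whitelist under parsers/s02-enrich stops alerts being generated from this machine's own logs, whereas the CAPI whitelist filters the decisions pulled from the central API, which is where a community-blocklisted mirror IP comes from.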
Thank you, that worked. What is the difference between adding a new capi_whitelists.yaml and adding the 3 IPs to my current whitelist in /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml?
In short, we receive a handful of reports daily about the IP, and FireHOL has also classed the IP as a web scanner. Searching for this IP shows it being used as a VPN host, so this is most likely why the IP has such a bad reputation.