Can you explain me those things?

Foxinou35 · August 25, 2021, 12:08pm

| 211 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-25 11:17:48.796651214  |
| 198 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-25 09:52:09.878302036  |
| 197 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-25 09:38:22.614388731  |
| 196 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-25 09:35:27.479266114  |
| 193 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-25 08:59:35.286548224  |
| 165 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-25 06:49:19.151134843  |
| 139 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-25 04:57:50.079403512  |
| 111 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-25 02:13:06.547834985  |
|  53 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 19:39:20.560827193  |
|  52 | Ip:185.253.97.235   | crowdsecurity/http-probing                |         |  M247 Ltd                      | ban:1     | 2021-08-24 19:07:15.406812111  |
|  51 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 19:07:15.406897152  |
|  50 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 18:46:27.207730853  |
|  49 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 18:32:32.102330042  |
|  44 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 18:19:46.753098011  |
|  43 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 18:16:47.877478298  |
|  39 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 17:50:55.420897572  |
|  33 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 17:15:46.845790966  |
|  29 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 15:41:57.746549533  |
|  25 | Ip:185.253.97.235   | crowdsecurity/http-path-traversal-probing |         |  M247 Ltd                      | ban:1     | 2021-08-24 14:49:39.232150744  |

(alerts list output)

How come the same IP, can be seen in this log, a few minutes after the previous line ?
In my understanding, IP is detected, and banned for 4h.

2nd question, about leaky bucket

filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: "10s"
blackhole: 5m

Capacity of 5 is exceeded, leaky bucket overflows, IP is banned, am I right ?

159.89.205.174 - - [25/Aug/2021:11:42:31 +0000]   "POST //wp-login.php HTTP/1.1" 200 6597  "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"  "rLoc=-"  "reqt=0.175" "respt=0.000 : 0.172" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001"  "uheadt=0.000 : 0.172" 
159.89.205.174 - - [25/Aug/2021:11:42:31 +0000]   "POST //wp-login.php HTTP/1.1" 200 6781  "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"  "rLoc=-"  "reqt=0.202" "respt=0.004 : 0.196" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001"  "uheadt=0.004 : 0.196" 
159.89.205.174 - - [25/Aug/2021:11:42:34 +0000]   "POST //wp-login.php HTTP/1.1" 200 7149  "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"  "rLoc=-"  "reqt=1.422" "respt=0.008 : 1.420" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001"  "uheadt=0.008 : 1.420" 
159.89.205.174 - - [25/Aug/2021:11:42:35 +0000]   "POST //wp-login.php HTTP/1.1" 200 7885  "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"  "rLoc=-"  "reqt=0.494" "respt=0.004 : 0.488" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001"  "uheadt=0.004 : 0.488" 
159.89.205.174 - - [25/Aug/2021:11:42:36 +0000]   "POST //wp-login.php HTTP/1.1" 200 8253  "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"  "rLoc=-"  "reqt=0.257" "respt=0.000 : 0.224" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001"  "uheadt=0.000 : 0.224" 
159.89.205.174 - - [25/Aug/2021:11:42:40 +0000]   "POST //wp-login.php HTTP/1.1" 200 9548  "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"  "rLoc=-"  "reqt=0.187" "respt=0.004 : 0.184" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001"  "uheadt=0.004 : 0.180" 
159.89.205.174 - - [25/Aug/2021:11:42:42 +0000]   "POST //wp-login.php HTTP/1.1" 403 548  "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"  "rLoc=-"  "reqt=0.003" "respt=-" "host=www.toto" "cache=-" "upstream=-"  "uheadt=-"

I would suggest to be able to see the “content” of the filter (capacity, leakspeed…) using cscli scenarios inspect command ?
The only solution I found, is to display the content of the scenario file…

Thanks

thibault · August 26, 2021, 9:33am

The IP will only be banned if you have a bouncer. Looking at your example, you might have a nginx bouncer, and because of how the bouncer works, even if the IP is really blocked, it will still end up in your nginx logs (and might thus continued to be caught by crowdsec). You are just seeing this because the IP continues to hammer you despite getting 403 at every request.

This is a good suggestion, would you mind opening an issue to suggest how you would like it ?

Topic		Replies	Views
Dashboard - Queries and Clarifications crowdsec	2	1049	August 31, 2020
Bug? when trying to delete a range from decisions	3	409	April 13, 2022
I have somehow banned myself! HELP! :-D	3	587	January 31, 2023
False Positive IP blocking crowdsec	1	1438	September 30, 2021
Checking bans really work and how to extend bans? crowdsec	8	3026	December 14, 2021

Can you explain me those things?

Related Topics