Hello to all,
I’m coming to see you because I just discovered CrowdSec and it looks really great! I can’t wait to use it! Currently, however, although everything seems correct on paper, I realize that despite the feedback from cscli telling me that my IP was correctly blocked via captcha, I can still access my site without any problems, and on the other side I have a VM with Kali Linux, which has the same IP, and Nikto continues to run without encountering apparent problems …
There must be a subtlety I missed.
Here is the output of cscli decisions and cscli collections list:
+-----+----------+-------------------+--------------------------------------+---------+---------+----+--------+--------------------+----------+
| ID  | SOURCE   | SCOPE:VALUE       | REASON                               | ACTION  | COUNTRY | AS | EVENTS | EXPIRATION         | ALERT ID |
+-----+----------+-------------------+--------------------------------------+---------+---------+----+--------+--------------------+----------+
| 501 | crowdsec | Ip:xxxx.xx.xx     | crowdsecurity/http-crawl-non_statics | captcha |         |    | 55     | 3h59m44.326934702s | 61       |
+-----+----------+-------------------+--------------------------------------+---------+---------+----+--------+--------------------+----------+
root:/home/arawaks/cs-php-bouncer#
INFO[10-03-2022 10:37:11 AM] Ignoring file /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml of type parsers
NAME STATUS VERSION LOCAL PATH
crowdsecurity/modsecurity enabled 0.1 /etc/crowdsec/collections/modsecurity.yaml
crowdsecurity/naxsi enabled 0.1 /etc/crowdsec/collections/naxsi.yaml
crowdsecurity/postfix enabled 0.2 /etc/crowdsec/collections/postfix.yaml
crowdsecurity/sshd enabled 0.1 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/base-http-scenarios enabled 0.3 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/iptables enabled 0.1 /etc/crowdsec/collections/iptables.yaml
crowdsecurity/nginx enabled 0.1 /etc/crowdsec/collections/nginx.yaml
crowdsecurity/whitelist-good-actors enabled 0.1 /etc/crowdsec/collections/whitelist-good-actors.yaml
crowdsecurity/wordpress enabled 0.1 /etc/crowdsec/collections/wordpress.yaml
crowdsecurity/linux enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/mysql enabled 0.1 /etc/crowdsec/collections/mysql.yaml
crowdsecurity/vsftpd enabled 0.1 /etc/crowdsec/collections/vsftpd.yaml
crowdsecurity/apache2 enabled 0.1 /etc/crowdsec/collections/apache2.yaml
crowdsecurity/dovecot enabled 0.1 /etc/crowdsec/collections/dovecot.yaml
Another question while I think about it: I have 2 subdomains; will the security policies applied by CrowdSec also be applied to the subdomains?
I’m currently on Debian 11; if you want more information, I’m at your disposal. Thanks in advance to all, and thank you for this really great software!
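As an added diagnostic (not part of the post, and not the cs-php-bouncer's own code): a decision shown by cscli is only enforced if a registered bouncer queries the Local API for the visitor's IP and acts on the answer. The script below performs that lookup the way a bouncer does and maps the answer to a remediation; the LAPI URL, API key and sample IP are placeholders, and the response body is constructed to mirror the decision in the post.

```python
"""Reproduce the lookup a CrowdSec bouncer performs against the Local API (LAPI).

`cscli decisions list` shows what LAPI knows; enforcement only happens when a
bouncer (registered with `cscli bouncers add`) asks LAPI about the visitor's IP
and applies the answer. If this lookup returns 'captcha' for your IP but the
site still loads, the bouncer is not querying LAPI or not applying the result.
"""
import json
import urllib.request

# Severity order used to pick one action when several decisions match an IP.
SEVERITY = {"ban": 2, "captcha": 1}


def fetch_decisions(lapi_url: str, api_key: str, ip: str) -> list:
    """GET /v1/decisions?ip=<ip> with the bouncer's X-Api-Key, as a bouncer does."""
    req = urllib.request.Request(
        f"{lapi_url.rstrip('/')}/v1/decisions?ip={ip}",
        headers={"X-Api-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_decisions(resp.read().decode())


def parse_decisions(body: str) -> list:
    """Normalise the LAPI body: the literal `null` or an empty body means no active decision."""
    data = json.loads(body or "null")
    return data if isinstance(data, list) else []


def action_for(decisions: list, ip: str) -> str:
    """Return the remediation to apply: 'ban', 'captcha' or 'bypass'.

    Only Ip-scoped decisions whose value equals the visitor IP are honoured here
    (Range/Country scopes are ignored); the most severe matching type wins.
    """
    best = "bypass"
    for d in decisions:
        if d.get("scope", "").lower() != "ip" or d.get("value") != ip:
            continue
        kind = d.get("type", "").lower()
        if SEVERITY.get(kind, 0) > SEVERITY.get(best, 0):
            best = kind
    return best


# Constructed LAPI response mirroring the decision in the post (IP is a placeholder).
SAMPLE_BODY = json.dumps([{
    "id": 501, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.7",
    "type": "captcha", "scenario": "crowdsecurity/http-crawl-non_statics",
    "duration": "3h59m44.326934702s",
}])

if __name__ == "__main__":
    # Offline check on the constructed body; against a live LAPI call fetch_decisions().
    print(action_for(parse_decisions(SAMPLE_BODY), "203.0.113.7"))  # captcha
    print(action_for(parse_decisions("null"), "203.0.113.7"))       # bypass
```

Run it with fetch_decisions("http://127.0.0.1:8080", "<bouncer api key>", "<your ip>") and compare with cscli bouncers list and cscli metrics: a decision that LAPI returns but the site does not enforce points at the bouncer side rather than at the agent.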