Hi,
I have the great Crowdsec Plugin running on my Opnsense firewall.
Also running ist the Nginx with the nginx collector.
I have installed the collector with this command.
cscli collections install crowdsecurity/nginx
as i can see that it counts lines
root@OPNsense:/usr/local/etc/crowdsec/acquis.d # sudo cscli metrics
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├────────────────────────────────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/audit/latest.log │ 199 │ - │ 199 │ - │ - │
│ file:/var/log/filter/latest.log │ 12.86k │ 887 │ 11.97k │ 601 │ - │
│ file:/var/log/nginx/error.log │ 1 │ - │ 1 │ - │ - │
│ file:/var/log/nginx/locatehub1.xxxxxxxxxxxxxxxx.access.log │ 50 │ 50 │ - │ 5 │ - │
│ file:/var/log/nginx/stream_b1c0dda5-30ea-47f2-acf1-5e75daed48d6.access.log │ 7 │ - │ 7 │ - │ - │
│ file:/var/log/nginx/stream_b1c0dda5-30ea-47f2-acf1-5e75daed48d6.error.log │ 21 │ - │ 21 │ - │ - │
│ file:/var/log/nginx/tls_handshake.log │ 56 │ - │ 56 │ - │ - │
│ file:/var/log/nginx/visuserver.xxxxxxxxxxxxxxxx.access.log │ 6 │ 6 │ - │ 6 │ - │
╰────────────────────────────────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
but the file “/var/log/nginx/locatehub1.xxxxxxx” is getting filed up with date from my nginx engine but the counter stops at 50 lines.
I would like to block the IPs after x wrong logins on my webseites.
The Scenarios is showing enable.
crowdsecurity/nginx-req-limit-exceeded enabled 0.3 Detects IPs which violate nginx’s user set request limit.
The logfile looks like this.
193.xxx.xxx.55 - - [14/Apr/2025:13:59:51 +0200] “POST /service/connect/token HTTP/2.0” 500 674 “xxxx://locatehub1.xyz.cxy/login” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36” “-”
10.xx.xxx.23 - - [14/Apr/2025:14:00:13 +0200] “GET / HTTP/1.1” 200 1072 “-” “Uptime-Kuma/1.23.16” “-”
193.xxx.xxx.55 - - [14/Apr/2025:14:00:13 +0200] “GET /login HTTP/2.0” 200 433 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36” “-”
193.xxx.xxx.55 - - [14/Apr/2025:14:00:13 +0200] “GET /i18n/locale-de-e04a8c062a.json HTTP/2.0” 304 0 “xxxx://locatehub1.xyz.cxy/login” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36” “-”
193.xxx.xxx.55 - - [14/Apr/2025:14:00:17 +0200] “POST /service/connect/token HTTP/2.0” 500 676 “xxxx://locatehub1.xyz.cxy/login” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36” “-”
193.xxx.xxx.55 - - [14/Apr/2025:14:00:18 +0200] “POST /service/connect/token HTTP/2.0” 500 676 “xxxx://locatehub1.xyz.cxy/login” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36” “-”
193.xxx.xxx.55 - - [14/Apr/2025:14:00:19 +0200] “POST /service/connect/token HTTP/2.0” 500 676 “xxxx://locatehub1.xyz.cxy/login” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36” “-”
Thanks
Chris