spady7
April 26, 2022, 1:10pm
Hi, can someone help me understand why the IP is not added to the decision list? Let me explain. I have implemented "crowdsec-firewall-bouncer" as the bouncer.
I've created a custom "whitelist" parser (just to use an internal machine to test crowdsec; the IP that should be banned) and lastly I created a custom profile as follows:
```yaml
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
notifications:
  - http_default
  - email_default
on_success: break
---
name: ssh_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/ssh-bf", "crowdsecurity/ssh-bf_user-enum", "crowdsecurity/ssh-slow-bf", "crowdsecurity/ssh-slow-bf_user-enum"]
decisions:
  - type: ban
    duration: 8h
notifications:
  - http_default
  - email_default
on_success: break
---
```
If I run
```
cscli explain --file /var/log/host/auth.log --type syslog
```
I get the following result:
```
line: Apr 26 14:50:16 dockerhub sshd[2981132]: Failed password for invalid user pluto from 192.168.100.1 port 60796 ssh2
├ s00-raw
| ├ 🔴 crowdsecurity/docker-logs
| └ 🟢 crowdsecurity/syslog-logs (first_parser)
├ s01-parse
| ├ 🔴 LePresidente/authelia-logs
| ├ 🔴 crowdsecurity/nginx-logs
| └ 🟢 crowdsecurity/sshd-logs (+8 ~1)
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
| ├ 🟢 crowdsecurity/geoip-enrich (+9)
| ├ 🔴 crowdsecurity/http-logs
| └ 🟢 crowdsecurity/whitelists (unchanged)
├-------- parser success 🟢
├ Scenarios
├ 🟢 crowdsecurity/ssh-bf
├ 🟢 crowdsecurity/ssh-bf_user-enum
├ 🟢 crowdsecurity/ssh-slow-bf
└ 🟢 crowdsecurity/ssh-slow-bf_user-enum
```
but I never see "192.168.100.1" in the decision list.
Any idea?
Regards
Hello,
Yes, you have the crowdsecurity/whitelists
parser installed, which whitelists private IPs.
Can you remove this parser and check again?
spady7
April 26, 2022, 2:00pm
Hi, and thanks for the reply.
Removed, as you can see:
```
PARSERS
-------------------------------------------------------------------------------------------------------------
NAME                             📦 STATUS     VERSION  LOCAL PATH
-------------------------------------------------------------------------------------------------------------
crowdsecurity/syslog-logs        ✔️ enabled    0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/nginx-logs         ✔️ enabled    1.1      /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
crowdsecurity/http-logs          ✔️ enabled    0.8      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
crowdsecurity/sshd-logs          ✔️ enabled    1.9      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
crowdsecurity/docker-logs        ✔️ enabled    0.1      /etc/crowdsec/parsers/s00-raw/docker-logs.yaml
LePresidente/authelia-logs       ✔️ enabled    0.3      /etc/crowdsec/parsers/s01-parse/authelia-logs.yaml
crowdsecurity/dateparse-enrich   ✔️ enabled    0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/geoip-enrich       ✔️ enabled    0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
-------------------------------------------------------------------------------------------------------------
```
But still no IP in the decision list.
Here is the output of "explain":
```
line: Apr 26 15:57:03 dockerhub sshd[3015086]: Failed password for invalid user aaa from 192.168.100.1 port 60802 ssh2
├ s00-raw
| ├ 🔴 crowdsecurity/docker-logs
| └ 🟢 crowdsecurity/syslog-logs (first_parser)
├ s01-parse
| ├ 🔴 LePresidente/authelia-logs
| ├ 🔴 crowdsecurity/nginx-logs
| └ 🟢 crowdsecurity/sshd-logs (+8 ~1)
|   └ update evt.Stage : s01-parse -> s02-enrich
|   └ create evt.Parsed.sshd_client_ip : 192.168.100.1
|   └ create evt.Parsed.sshd_invalid_user : aaa
|   └ create evt.Parsed.sshd_port : 60802
|   └ create evt.Parsed.sshd_protocol : ssh2
|   └ create evt.Meta.source_ip : 192.168.100.1
|   └ create evt.Meta.target_user : aaa
|   └ create evt.Meta.log_type : ssh_failed-auth
|   └ create evt.Meta.service : ssh
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
|   ├ create evt.Enriched.MarshaledTime : 2022-04-26T15:57:03Z
|   ├ update evt.MarshaledTime : -> 2022-04-26T15:57:03Z
|   ├ create evt.Meta.timestamp : 2022-04-26T15:57:03Z
| ├ 🟢 crowdsecurity/geoip-enrich (+9)
|   ├ create evt.Enriched.ASNNumber : 0
|   ├ create evt.Enriched.ASNOrg :
|   ├ create evt.Enriched.ASNumber : 0
|   ├ create evt.Enriched.IsInEU : false
|   ├ create evt.Enriched.IsoCode :
|   ├ create evt.Enriched.Latitude : 0.000000
|   ├ create evt.Enriched.Longitude : 0.000000
|   ├ create evt.Meta.ASNNumber : 0
|   ├ create evt.Meta.IsInEU : false
| └ 🔴 crowdsecurity/http-logs
├-------- parser success 🟢
├ Scenarios
├ 🟢 crowdsecurity/ssh-bf
├ 🟢 crowdsecurity/ssh-bf_user-enum
├ 🟢 crowdsecurity/ssh-slow-bf
└ 🟢 crowdsecurity/ssh-slow-bf_user-enum
```
Hello,
Using `cscli explain`
will not trigger a decision. It just shows that in "real life", these logs would have triggered the 4 ssh-related scenarios.
spady7
April 26, 2022, 4:32pm
Hi, sure, I know that.
The test was made by trying a remote ssh connection with a wrong password. So crowdsec should add the remote IP to its own decision list.
Am I wrong?
That's right. And since your log is successfully parsed and triggers the scenarios, it should work. How many failed attempts did you do?
spady7
April 26, 2022, 5:11pm
Until I got disconnected because of too many attempts. I do remember 4 or 5. Anyway, I got disconnected.
Is there any log that I can check?
From the scenario configuration (CrowdSec Hub), you need to do at least 6 failed authentications in a short timeframe. Can you try this and check if the scenario is triggered?
spady7
April 28, 2022, 11:45am
Hi, you are right!! Thanks.
I checked using a bf tool and the IP was inserted into the decision list, as expected.
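As an added example (my own Python, not CrowdSec's code), the following models the two behaviours this thread turns on: the whitelists parser dropping events from private source ranges, and a leaky bucket that only overflows on the 6th failed login inside a short window, which is why 4 or 5 attempts never produced a decision. The bucket parameters (capacity 5, one event leaking per 10 s) and the whitelisted ranges are assumptions about the hub defaults, and the sshd log lines are constructed to match the format shown above.

```python
import ipaddress
import re
from datetime import datetime

# sshd "Failed password" line in the shape `cscli explain` printed in the thread
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Ranges the crowdsecurity/whitelists parser is assumed to drop (RFC 1918 + loopback)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def parse_line(line, year=2022):
    """Return (timestamp, source_ip) or None when the line is not a failed login."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def simulate(lines, capacity=5, leak_seconds=10.0, whitelist_private=True):
    """Return the set of source IPs whose bucket overflowed, i.e. would get a ban decision."""
    buckets = {}  # ip -> (fill level, time of last event)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if whitelist_private and is_whitelisted(ip):
            continue  # whitelisted events never reach the scenarios
        level, last = buckets.get(ip, (0.0, ts))
        # the bucket leaks one event per leak_seconds, then the new event is poured in
        level = max(0.0, level - (ts - last).total_seconds() / leak_seconds) + 1
        if level > capacity:  # capacity 5: the 6th event inside the window overflows
            banned.add(ip)
            level = 0.0  # the overflow raises the alert and empties the bucket
        buckets[ip] = (level, ts)
    return banned

def sample_log(ip, n, spacing_s=1):
    """Constructed sshd lines: n failed logins from `ip`, spacing_s seconds apart."""
    return [f"Apr 26 15:57:{i * spacing_s:02d} dockerhub sshd[3015086]: "
            f"Failed password for invalid user aaa from {ip} port 60802 ssh2" for i in range(n)]

# constructed input: 6 fast attempts from a private LAN host and a public host, 5 from another
SAMPLE = sample_log("192.168.100.1", 6) + sample_log("203.0.113.7", 6) + sample_log("198.51.100.9", 5)
```

With the whitelist active only the public host with 6 attempts is banned; with it removed the LAN host is banned too, while 5 attempts, or 6 attempts spaced further apart than the leak rate, never overflow.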