It happens when I try to log in to SOGo webmail (mailcow) and put in a wrong password. But that's usually not a BF attack?
Here is the detailed log:
docker exec crowdsec cscli alerts inspect 2583 -d
################################################################################################
- ID : 2583
- Date : 2023-08-14T07:47:50Z
- Machine : localhost
- Simulation : false
- Reason : LePresidente/http-generic-403-bf
- Events Count : 8
- Scope:Value : Ip:91.xxxx
- Country : DE
- AS : Deutsche Telekom AG
- Begin : 2023-08-14 07:46:46.041611421 +0000 UTC
- End : 2023-08-14 07:47:50.20209917 +0000 UTC
- UUID : 92fd56bb-fe10-4db5-9bcd-xxxxxxx
- Events :
- Date: 2023-08-14 07:47:45 +0000 UTC
+---------------------+----------------------------------+
| Key | Value |
+---------------------+----------------------------------+
| ASNNumber | 3320 |
+---------------------+----------------------------------+
| ASNOrg | Deutsche Telekom AG |
+---------------------+----------------------------------+
| IsInEU | true |
+---------------------+----------------------------------+
| IsoCode | DE |
+---------------------+----------------------------------+
| SourceRange | 91.0.0.0/10 |
+---------------------+----------------------------------+
| datasource_path | /var/log/traefik/access.log |
+---------------------+----------------------------------+
| datasource_type | file |
+---------------------+----------------------------------+
| http_args_len | 0 |
+---------------------+----------------------------------+
| http_path | /SOGo/so/passwordRecoveryEnabled |
+---------------------+----------------------------------+
| http_status | 403 |
+---------------------+----------------------------------+
| http_user_agent | - |
+---------------------+----------------------------------+
| http_verb | POST |
+---------------------+----------------------------------+
| log_type | http_access-log |
+---------------------+----------------------------------+
| service | http |
+---------------------+----------------------------------+
| source_ip | 91.xxxxxx |
+---------------------+----------------------------------+
| timestamp | 2023-08-14T07:47:45Z |
+---------------------+----------------------------------+
| traefik_router_name | nginx-mailcow-secure@docker |
+---------------------+----------------------------------+
| user | - |
+---------------------+----------------------------------+
- Date: 2023-08-14 09:47:45 +0200 +0200
+-----------------+--------------------------------------------------------------+
| Key | Value |
+-----------------+--------------------------------------------------------------+
| ASNNumber | 3320 |
+-----------------+--------------------------------------------------------------+
| ASNOrg | Deutsche Telekom AG |
+-----------------+--------------------------------------------------------------+
| IsInEU | true |
+-----------------+--------------------------------------------------------------+
| IsoCode | DE |
+-----------------+--------------------------------------------------------------+
| SourceRange | 91.0.0.0/10 |
+-----------------+--------------------------------------------------------------+
| datasource_path | mailcowdockerized-nginx-mailcow-1 |
+-----------------+--------------------------------------------------------------+
| datasource_type | docker |
+-----------------+--------------------------------------------------------------+
| http_args_len | 0 |
+-----------------+--------------------------------------------------------------+
| http_path | /SOGo/so/passwordRecoveryEnabled |
+-----------------+--------------------------------------------------------------+
| http_status | 403 |
+-----------------+--------------------------------------------------------------+
| http_user_agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 |
| | (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 |
+-----------------+--------------------------------------------------------------+
| http_verb | POST |
+-----------------+--------------------------------------------------------------+
| log_type | http_access-log |
+-----------------+--------------------------------------------------------------+
| service | http |
+-----------------+--------------------------------------------------------------+
| source_ip | 91.xxxx |
+-----------------+--------------------------------------------------------------+
| timestamp | 2023-08-14T09:47:45+02:00 |
+-----------------+--------------------------------------------------------------+
- Date: 2023-08-14 09:47:48 +0200 +0200
+-----------------+--------------------------------------------------------------+
| Key | Value |
+-----------------+--------------------------------------------------------------+
| ASNNumber | 3320 |
+-----------------+--------------------------------------------------------------+
| ASNOrg | Deutsche Telekom AG |
+-----------------+--------------------------------------------------------------+
| IsInEU | true |
+-----------------+--------------------------------------------------------------+
| IsoCode | DE |
+-----------------+--------------------------------------------------------------+
| SourceRange | 91.0.0.0/10 |
+-----------------+--------------------------------------------------------------+
| datasource_path | mailcowdockerized-nginx-mailcow-1 |
+-----------------+--------------------------------------------------------------+
| datasource_type | docker |
+-----------------+--------------------------------------------------------------+
| http_args_len | 0 |
+-----------------+--------------------------------------------------------------+
| http_path | /SOGo/so/passwordRecoveryEnabled |
+-----------------+--------------------------------------------------------------+
| http_status | 403 |
+-----------------+--------------------------------------------------------------+
| http_user_agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 |
| | (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 |
+-----------------+--------------------------------------------------------------+
| http_verb | POST |
+-----------------+--------------------------------------------------------------+
| log_type | http_access-log |
+-----------------+--------------------------------------------------------------+
| service | http |
+-----------------+--------------------------------------------------------------+
| source_ip | 91.xxxxxx |
+-----------------+--------------------------------------------------------------+
| timestamp | 2023-08-14T09:47:48+02:00 |
+-----------------+--------------------------------------------------------------+
- Date: 2023-08-14 07:47:48 +0000 UTC
+---------------------+----------------------------------+
| Key | Value |
+---------------------+----------------------------------+
| ASNNumber | 3320 |
+---------------------+----------------------------------+
| ASNOrg | Deutsche Telekom AG |
+---------------------+----------------------------------+
| IsInEU | true |
+---------------------+----------------------------------+
| IsoCode | DE |
+---------------------+----------------------------------+
| SourceRange | 91.0.0.0/10 |
+---------------------+----------------------------------+
| datasource_path | /var/log/traefik/access.log |
+---------------------+----------------------------------+
| datasource_type | file |
+---------------------+----------------------------------+
| http_args_len | 0 |
+---------------------+----------------------------------+
| http_path | /SOGo/so/passwordRecoveryEnabled |
+---------------------+----------------------------------+
| http_status | 403 |
+---------------------+----------------------------------+
| http_user_agent | - |
+---------------------+----------------------------------+
| http_verb | POST |
+---------------------+----------------------------------+
| log_type | http_access-log |
+---------------------+----------------------------------+
| service | http |
+---------------------+----------------------------------+
| source_ip | 91.xxxxx |
+---------------------+----------------------------------+
| timestamp | 2023-08-14T07:47:48Z |
+---------------------+----------------------------------+
| traefik_router_name | nginx-mailcow-secure@docker |
+---------------------+----------------------------------+
| user | - |
+---------------------+----------------------------------+
- Date: 2023-08-14 09:47:50 +0200 +0200
+-----------------+--------------------------------------------------------------+
| Key | Value |
+-----------------+--------------------------------------------------------------+
| ASNNumber | 3320 |
+-----------------+--------------------------------------------------------------+
| ASNOrg | Deutsche Telekom AG |
+-----------------+--------------------------------------------------------------+
| IsInEU | true |
+-----------------+--------------------------------------------------------------+
| IsoCode | DE |
+-----------------+--------------------------------------------------------------+
| SourceRange | 91.0.0.0/10 |
+-----------------+--------------------------------------------------------------+
| datasource_path | mailcowdockerized-nginx-mailcow-1 |
+-----------------+--------------------------------------------------------------+
| datasource_type | docker |
+-----------------+--------------------------------------------------------------+
| http_args_len | 0 |
+-----------------+--------------------------------------------------------------+
| http_path | /SOGo/so/passwordRecoveryEnabled |
+-----------------+--------------------------------------------------------------+
| http_status | 403 |
+-----------------+--------------------------------------------------------------+
| http_user_agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 |
| | (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 |
+-----------------+--------------------------------------------------------------+
| http_verb | POST |
+-----------------+--------------------------------------------------------------+
| log_type | http_access-log |
+-----------------+--------------------------------------------------------------+
| service | http |
+-----------------+--------------------------------------------------------------+
| source_ip | 91.xxxx |
+-----------------+--------------------------------------------------------------+
| timestamp | 2023-08-14T09:47:50+02:00 |
+-----------------+--------------------------------------------------------------+
- Date: 2023-08-14 07:47:50 +0000 UTC
+---------------------+----------------------------------+
| Key | Value |
+---------------------+----------------------------------+
| ASNNumber | 3320 |
+---------------------+----------------------------------+
| ASNOrg | Deutsche Telekom AG |
+---------------------+----------------------------------+
| IsInEU | true |
+---------------------+----------------------------------+
| IsoCode | DE |
+---------------------+----------------------------------+
| SourceRange | 91.0.0.0/10 |
+---------------------+----------------------------------+
| datasource_path | /var/log/traefik/access.log |
+---------------------+----------------------------------+
| datasource_type | file |
+---------------------+----------------------------------+
| http_args_len | 0 |
+---------------------+----------------------------------+
| http_path | /SOGo/so/passwordRecoveryEnabled |
+---------------------+----------------------------------+
| http_status | 403 |
+---------------------+----------------------------------+
| http_user_agent | - |
+---------------------+----------------------------------+
| http_verb | POST |
+---------------------+----------------------------------+
| log_type | http_access-log |
+---------------------+----------------------------------+
| service | http |
+---------------------+----------------------------------+
| source_ip | 91.xxxx |
+---------------------+----------------------------------+
| timestamp | 2023-08-14T07:47:50Z |
+---------------------+----------------------------------+
| traefik_router_name | nginx-mailcow-secure@docker |
+---------------------+----------------------------------+
| user | - |
+---------------------+----------------------------------+
The scenario has a capacity of 5, does that not mean after 5 tries I should get banned?
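As an added example (not part of the original post and not CrowdSec's own code), the following Python walks the alert's timestamps through a leaky bucket of capacity 5 to show how 4 login attempts become 8 events: the alert lists each request twice, once from the traefik access log and once from the nginx container log, at the same instant. The 10 s leak speed and the 07:46:46 timestamp (taken from the alert's Begin time) are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
CEST = timezone(timedelta(hours=2))

# Assumed leak speed; the real value lives in the scenario's YAML.
CAPACITY = 5
LEAKSPEED = timedelta(seconds=10)


def attempt(h, m, s):
    """One failed login as the alert shows it: the same request logged once
    by traefik (UTC) and once by the nginx container (+02:00). Timestamps are
    constructed from the alert's Begin time and the three Events shown."""
    return [
        (datetime(2023, 8, 14, h, m, s, tzinfo=UTC), "file:/var/log/traefik/access.log"),
        (datetime(2023, 8, 14, h + 2, m, s, tzinfo=CEST), "docker:mailcowdockerized-nginx-mailcow-1"),
    ]


EVENTS = attempt(7, 46, 46) + attempt(7, 47, 45) + attempt(7, 47, 48) + attempt(7, 47, 50)


def dedupe_by_instant(events):
    """Keep one event per instant, i.e. what the bucket would see if each
    request were ingested from a single datasource."""
    seen = {}
    for ts, src in events:
        seen.setdefault(ts, (ts, src))  # aware datetimes compare by instant
    return list(seen.values())


def overflow_index(events, capacity=CAPACITY, leakspeed=LEAKSPEED):
    """Simulate a leaky bucket: each event adds one token, tokens drain at one
    per `leakspeed`. Returns the 0-based index of the event that pushes the
    level past `capacity` (the overflow), or None if the bucket never fills."""
    level, last = 0.0, None
    for i, (ts, _src) in enumerate(sorted(events, key=lambda e: e[0])):
        if last is not None:
            level = max(0.0, level - (ts - last) / leakspeed)
        last = ts
        level += 1
        if level > capacity:
            return i
    return None


if __name__ == "__main__":
    print("both datasources:", len(EVENTS), "events, overflow at event", overflow_index(EVENTS))
    single = dedupe_by_instant(EVENTS)
    print("single datasource:", len(single), "events, overflow at event", overflow_index(single))
```

With both datasources the 8th event overflows the bucket (index 7), while the same four attempts from one datasource never reach capacity; removing one of the two acquisitions for the same nginx log is the fix on the CrowdSec side.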