False IP ban from scenario "http-generic-bf"

It happens when I try to log in to SOGo webmail (mailcow) and put in a wrong password. But that's usually not a BF attack?

Here the detail log:

docker exec crowdsec cscli alerts inspect 2583 -d

################################################################################################

 - ID           : 2583
 - Date         : 2023-08-14T07:47:50Z
 - Machine      : localhost
 - Simulation   : false
 - Reason       : LePresidente/http-generic-403-bf
 - Events Count : 8
 - Scope:Value  : Ip:91.xxxx
 - Country      : DE
 - AS           : Deutsche Telekom AG
 - Begin        : 2023-08-14 07:46:46.041611421 +0000 UTC
 - End          : 2023-08-14 07:47:50.20209917 +0000 UTC
 - UUID         : 92fd56bb-fe10-4db5-9bcd-xxxxxxx


 - Events  :

- Date: 2023-08-14 07:47:45 +0000 UTC
+---------------------+----------------------------------+
|         Key         |              Value               |
+---------------------+----------------------------------+
| ASNNumber           | 3320                             |
+---------------------+----------------------------------+
| ASNOrg              | Deutsche Telekom AG              |
+---------------------+----------------------------------+
| IsInEU              | true                             |
+---------------------+----------------------------------+
| IsoCode             | DE                               |
+---------------------+----------------------------------+
| SourceRange         | 91.0.0.0/10                      |
+---------------------+----------------------------------+
| datasource_path     | /var/log/traefik/access.log      |
+---------------------+----------------------------------+
| datasource_type     | file                             |
+---------------------+----------------------------------+
| http_args_len       | 0                                |
+---------------------+----------------------------------+
| http_path           | /SOGo/so/passwordRecoveryEnabled |
+---------------------+----------------------------------+
| http_status         | 403                              |
+---------------------+----------------------------------+
| http_user_agent     | -                                |
+---------------------+----------------------------------+
| http_verb           | POST                             |
+---------------------+----------------------------------+
| log_type            | http_access-log                  |
+---------------------+----------------------------------+
| service             | http                             |
+---------------------+----------------------------------+
| source_ip           | 91.xxxxxx                  |
+---------------------+----------------------------------+
| timestamp           | 2023-08-14T07:47:45Z             |
+---------------------+----------------------------------+
| traefik_router_name | nginx-mailcow-secure@docker      |
+---------------------+----------------------------------+
| user                | -                                |
+---------------------+----------------------------------+

- Date: 2023-08-14 09:47:45 +0200 +0200
+-----------------+--------------------------------------------------------------+
|       Key       |                            Value                             |
+-----------------+--------------------------------------------------------------+
| ASNNumber       | 3320                                                         |
+-----------------+--------------------------------------------------------------+
| ASNOrg          | Deutsche Telekom AG                                          |
+-----------------+--------------------------------------------------------------+
| IsInEU          | true                                                         |
+-----------------+--------------------------------------------------------------+
| IsoCode         | DE                                                           |
+-----------------+--------------------------------------------------------------+
| SourceRange     | 91.0.0.0/10                                                  |
+-----------------+--------------------------------------------------------------+
| datasource_path | mailcowdockerized-nginx-mailcow-1                            |
+-----------------+--------------------------------------------------------------+
| datasource_type | docker                                                       |
+-----------------+--------------------------------------------------------------+
| http_args_len   | 0                                                            |
+-----------------+--------------------------------------------------------------+
| http_path       | /SOGo/so/passwordRecoveryEnabled                             |
+-----------------+--------------------------------------------------------------+
| http_status     | 403                                                          |
+-----------------+--------------------------------------------------------------+
| http_user_agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 |
|                 | (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36           |
+-----------------+--------------------------------------------------------------+
| http_verb       | POST                                                         |
+-----------------+--------------------------------------------------------------+
| log_type        | http_access-log                                              |
+-----------------+--------------------------------------------------------------+
| service         | http                                                         |
+-----------------+--------------------------------------------------------------+
| source_ip       | 91.xxxx                                                 |
+-----------------+--------------------------------------------------------------+
| timestamp       | 2023-08-14T09:47:45+02:00                                    |
+-----------------+--------------------------------------------------------------+

- Date: 2023-08-14 09:47:48 +0200 +0200
+-----------------+--------------------------------------------------------------+
|       Key       |                            Value                             |
+-----------------+--------------------------------------------------------------+
| ASNNumber       | 3320                                                         |
+-----------------+--------------------------------------------------------------+
| ASNOrg          | Deutsche Telekom AG                                          |
+-----------------+--------------------------------------------------------------+
| IsInEU          | true                                                         |
+-----------------+--------------------------------------------------------------+
| IsoCode         | DE                                                           |
+-----------------+--------------------------------------------------------------+
| SourceRange     | 91.0.0.0/10                                                  |
+-----------------+--------------------------------------------------------------+
| datasource_path | mailcowdockerized-nginx-mailcow-1                            |
+-----------------+--------------------------------------------------------------+
| datasource_type | docker                                                       |
+-----------------+--------------------------------------------------------------+
| http_args_len   | 0                                                            |
+-----------------+--------------------------------------------------------------+
| http_path       | /SOGo/so/passwordRecoveryEnabled                             |
+-----------------+--------------------------------------------------------------+
| http_status     | 403                                                          |
+-----------------+--------------------------------------------------------------+
| http_user_agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 |
|                 | (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36           |
+-----------------+--------------------------------------------------------------+
| http_verb       | POST                                                         |
+-----------------+--------------------------------------------------------------+
| log_type        | http_access-log                                              |
+-----------------+--------------------------------------------------------------+
| service         | http                                                         |
+-----------------+--------------------------------------------------------------+
| source_ip       | 91.xxxxxx                                             |
+-----------------+--------------------------------------------------------------+
| timestamp       | 2023-08-14T09:47:48+02:00                                    |
+-----------------+--------------------------------------------------------------+

- Date: 2023-08-14 07:47:48 +0000 UTC
+---------------------+----------------------------------+
|         Key         |              Value               |
+---------------------+----------------------------------+
| ASNNumber           | 3320                             |
+---------------------+----------------------------------+
| ASNOrg              | Deutsche Telekom AG              |
+---------------------+----------------------------------+
| IsInEU              | true                             |
+---------------------+----------------------------------+
| IsoCode             | DE                               |
+---------------------+----------------------------------+
| SourceRange         | 91.0.0.0/10                      |
+---------------------+----------------------------------+
| datasource_path     | /var/log/traefik/access.log      |
+---------------------+----------------------------------+
| datasource_type     | file                             |
+---------------------+----------------------------------+
| http_args_len       | 0                                |
+---------------------+----------------------------------+
| http_path           | /SOGo/so/passwordRecoveryEnabled |
+---------------------+----------------------------------+
| http_status         | 403                              |
+---------------------+----------------------------------+
| http_user_agent     | -                                |
+---------------------+----------------------------------+
| http_verb           | POST                             |
+---------------------+----------------------------------+
| log_type            | http_access-log                  |
+---------------------+----------------------------------+
| service             | http                             |
+---------------------+----------------------------------+
| source_ip           | 91.xxxxx                   |
+---------------------+----------------------------------+
| timestamp           | 2023-08-14T07:47:48Z             |
+---------------------+----------------------------------+
| traefik_router_name | nginx-mailcow-secure@docker      |
+---------------------+----------------------------------+
| user                | -                                |
+---------------------+----------------------------------+

- Date: 2023-08-14 09:47:50 +0200 +0200
+-----------------+--------------------------------------------------------------+
|       Key       |                            Value                             |
+-----------------+--------------------------------------------------------------+
| ASNNumber       | 3320                                                         |
+-----------------+--------------------------------------------------------------+
| ASNOrg          | Deutsche Telekom AG                                          |
+-----------------+--------------------------------------------------------------+
| IsInEU          | true                                                         |
+-----------------+--------------------------------------------------------------+
| IsoCode         | DE                                                           |
+-----------------+--------------------------------------------------------------+
| SourceRange     | 91.0.0.0/10                                                  |
+-----------------+--------------------------------------------------------------+
| datasource_path | mailcowdockerized-nginx-mailcow-1                            |
+-----------------+--------------------------------------------------------------+
| datasource_type | docker                                                       |
+-----------------+--------------------------------------------------------------+
| http_args_len   | 0                                                            |
+-----------------+--------------------------------------------------------------+
| http_path       | /SOGo/so/passwordRecoveryEnabled                             |
+-----------------+--------------------------------------------------------------+
| http_status     | 403                                                          |
+-----------------+--------------------------------------------------------------+
| http_user_agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 |
|                 | (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36           |
+-----------------+--------------------------------------------------------------+
| http_verb       | POST                                                         |
+-----------------+--------------------------------------------------------------+
| log_type        | http_access-log                                              |
+-----------------+--------------------------------------------------------------+
| service         | http                                                         |
+-----------------+--------------------------------------------------------------+
| source_ip       | 91.xxxx                                                 |
+-----------------+--------------------------------------------------------------+
| timestamp       | 2023-08-14T09:47:50+02:00                                    |
+-----------------+--------------------------------------------------------------+

- Date: 2023-08-14 07:47:50 +0000 UTC
+---------------------+----------------------------------+
|         Key         |              Value               |
+---------------------+----------------------------------+
| ASNNumber           | 3320                             |
+---------------------+----------------------------------+
| ASNOrg              | Deutsche Telekom AG              |
+---------------------+----------------------------------+
| IsInEU              | true                             |
+---------------------+----------------------------------+
| IsoCode             | DE                               |
+---------------------+----------------------------------+
| SourceRange         | 91.0.0.0/10                      |
+---------------------+----------------------------------+
| datasource_path     | /var/log/traefik/access.log      |
+---------------------+----------------------------------+
| datasource_type     | file                             |
+---------------------+----------------------------------+
| http_args_len       | 0                                |
+---------------------+----------------------------------+
| http_path           | /SOGo/so/passwordRecoveryEnabled |
+---------------------+----------------------------------+
| http_status         | 403                              |
+---------------------+----------------------------------+
| http_user_agent     | -                                |
+---------------------+----------------------------------+
| http_verb           | POST                             |
+---------------------+----------------------------------+
| log_type            | http_access-log                  |
+---------------------+----------------------------------+
| service             | http                             |
+---------------------+----------------------------------+
| source_ip           | 91.xxxx                      |
+---------------------+----------------------------------+
| timestamp           | 2023-08-14T07:47:50Z             |
+---------------------+----------------------------------+
| traefik_router_name | nginx-mailcow-secure@docker      |
+---------------------+----------------------------------+
| user                | -                                |
+---------------------+----------------------------------+

The scenario has a capacity of 5; does that not mean after 5 tries I should get banned?

The scenario has a capacity of 5; does that not mean after 5 tries I should get banned?

Not directly, as there is a concept of a leaky bucket: events will leak over time. Here is an image that might explain it: Format | CrowdSec

You have duplicate datasources so the events are being counted twice. (So one failed attempt will count as two)

+-----------------+--------------------------------------------------------------+
| datasource_path | mailcowdockerized-nginx-mailcow-1                            |
+-----------------+--------------------------------------------------------------+
| datasource_type | docker                                                       |
+-----------------+--------------------------------------------------------------+
+---------------------+----------------------------------+
| datasource_path     | /var/log/traefik/access.log      |
+---------------------+----------------------------------+
| datasource_type     | file                             |
+---------------------+----------------------------------+

Thanks for the feedback.
But then it counts only two. I mean, after the first wrong login I get banned?

How to get rid of it?

Well, either remove one of the duplicate sources; I would recommend the docker nginx source, as traefik is already logging them for all domains.

But then it counts only two

What do you mean by this? It counts two per one event, so since there were 4 events it counted 8, hence - Events Count : 8
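To make the two answers above concrete (the leaky bucket leaking over time, and the duplicate datasources pouring every request in twice), here is an added simulation; it is not code from the thread or from CrowdSec. The timeline is constructed from the alert's Begin time and the three UTC event dates, the capacity of 5 is the one mentioned in the thread, and the 10-second leak speed is an assumption rather than the scenario's real value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed timeline: the alert's Begin time plus the three event dates
# shown in UTC in the `cscli alerts inspect` output above.
EVENT_TIMES = [
    datetime(2023, 8, 14, 7, 46, 46, tzinfo=timezone.utc),
    datetime(2023, 8, 14, 7, 47, 45, tzinfo=timezone.utc),
    datetime(2023, 8, 14, 7, 47, 48, tzinfo=timezone.utc),
    datetime(2023, 8, 14, 7, 47, 50, tzinfo=timezone.utc),
]
CAPACITY = 5                       # the scenario capacity mentioned in the thread
LEAKSPEED = timedelta(seconds=10)  # assumption; the real scenario value may differ


@dataclass
class LeakyBucket:
    """Each matching event pours one unit in; one unit drains per leakspeed.
    The alert fires when the bucket holds more than `capacity` units."""
    capacity: int
    leakspeed: timedelta
    level: float = 0.0
    last_seen: Optional[datetime] = None
    overflowed: bool = False

    def pour(self, ts: datetime) -> bool:
        if self.last_seen is not None:
            # drain in proportion to the time elapsed since the previous event
            self.level = max(0.0, self.level - (ts - self.last_seen) / self.leakspeed)
        self.last_seen = ts
        self.level += 1.0
        if self.level > self.capacity:
            self.overflowed = True
        return self.overflowed


def run_alert_timeline(duplicate_sources: bool) -> dict:
    """Replay the timeline. With both the traefik file log and the nginx docker
    log acquired, every request is poured twice, which is the double counting
    the answer above describes."""
    bucket = LeakyBucket(CAPACITY, LEAKSPEED)
    pours_per_event = 2 if duplicate_sources else 1
    counted = 0
    for ts in EVENT_TIMES:
        for _ in range(pours_per_event):
            bucket.pour(ts)
            counted += 1
    return {"events_counted": counted, "overflowed": bucket.overflowed,
            "final_level": round(bucket.level, 2)}


if __name__ == "__main__":
    for dup in (True, False):
        print("duplicate sources:" if dup else "single source:", run_alert_timeline(dup))
```

With the duplicated sources the same four requests count as 8 and push the bucket past 5, while a single source leaves it at 2.5 and no alert is raised.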

Thanks. So one wrong login creates 4x 401 entries. That makes 8. Got it :wink:
I deleted mailcowdockerized-nginx-mailcow-1

So one wrong login creates 4x 401 entries. That makes 8.

Depends on the application and the developers, what requests they make; upon failed login it might try to get some resource that needs authentication :person_shrugging: Don't know, I don't use mailcow so can't explain the application.