Hi there,
Got more or less the same issue.
Installed crowdsec on my Nextcloud server and got banned at my first login attempt.
```
# cscli decisions list
+-------+----------+-----------------+--------------------------------------+--------+---------+--------+--------+--------------------+----------+
| ID    | SOURCE   | SCOPE:VALUE     | REASON                               | ACTION | COUNTRY | AS     | EVENTS | EXPIRATION         | ALERT ID |
+-------+----------+-----------------+--------------------------------------+--------+---------+--------+--------+--------------------+----------+
| 43984 | crowdsec | Ip:x.x.x.x      | crowdsecurity/http-crawl-non_statics | ban    | FR      | Orange | 47     | 1h57m54.664254699s | 62       |
+-------+----------+-----------------+--------------------------------------+--------+---------+--------+--------+--------------------+----------+
```
Then took a look at the http-crawl-non_statics scenario:
https://hub.crowdsec.net/author/crowdsecurity/configurations/http-crawl-non_statics
So it is just about a high rate of requests on non-static resources.
Unfortunately, the Nextcloud browser-side code is known to generate a lot of requests (which tends to offer a poor user experience).
However, I quickly parsed my Apache logs:
```
cat drive.access.log | cut -d' ' -f8 | cut -d'/' -f-4 | sort | uniq -c
...
      1 /index.php/js/core
      3 /index.php/login
      1 /index.php/svg/activity
      1 /index.php/svg/circles
     43 /index.php/svg/contacts
    187 /index.php/svg/core
      2 /index.php/svg/deck
      8 /index.php/svg/files
...
```
Hmm, it looks like the multiple requests to /index.php/svg are the root cause.
Then, took a look at:
https://discourse.crowdsec.net/t/help-with-whitelist-rules-expression-with-portion-of-url/41
but due to some syntax errors with the usage of 'expression' in the YAML config file, I had to adjust based on:
https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md
So, finally, I ended up creating the following whitelist file:
```
vi /etc/crowdsec/parsers/s02-enrich/mynextcloudwhitelist.yaml
```
```yaml
name: crowdsecurity/mynextcloudwhitelist
description: "Whitelist events from nextcloud legitimate access"
whitelist:
  reason: "ignore index.php/svg"
  expression:
    # expr string literal: the substring to match, with no extra quotes inside it
    - evt.Parsed.request contains "/index.php/svg/"
```
Then:
```
systemctl restart crowdsec
```
Removed the false-positive decision:
```
cscli decisions delete --id 43984
```
Job done (so it looks).
Please consider this a candidate workaround; not a perfect fix.
Regards.
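As an added illustration (not part of the post above, and not CrowdSec's own code), the following Python script reproduces on constructed Apache log lines the two things the post does by hand: the per-path-prefix count from the cut/sort/uniq pipeline, and a sliding-window count of non-static requests per source IP, with and without a `contains "/index.php/svg/"` whitelist applied. The static-extension list, the 60-second window and the threshold of 5 are assumptions for the example only; the real http-crawl-non_statics scenario defines its own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache combined log line, e.g.
# 203.0.113.5 - - [10/Jan/2024:10:00:01 +0100] "GET /index.php/login HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed static-resource extensions (the real scenario has its own definition).
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".woff2", ".map")

# Substrings to whitelist, mirroring the post's `contains "/index.php/svg/"` expression.
WHITELIST_CONTAINS = ("/index.php/svg/",)


def parse_line(line):
    """Return (ip, timestamp, path) for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]


def is_static(path):
    return path.split("?", 1)[0].lower().endswith(STATIC_SUFFIXES)


def is_whitelisted(path):
    return any(s in path for s in WHITELIST_CONTAINS)


def prefix_counts(lines, depth=4):
    """Same aggregation as the post's cut/sort/uniq pipeline: requests per path prefix."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            path = parsed[2].split("?", 1)[0]
            counts["/".join(path.split("/")[:depth])] += 1
    return counts


def max_window_counts(lines, window=timedelta(seconds=60), whitelist=True):
    """Per source IP, the highest number of non-static requests seen in any sliding window."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts, path = parsed
        if is_static(path) or (whitelist and is_whitelisted(path)):
            continue
        per_ip[ip].append(ts)
    result = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[ip] = best
    return result


def offenders(lines, threshold, **kw):
    """IPs whose peak non-static request count exceeds `threshold` (a constructed value here)."""
    return {ip: n for ip, n in max_window_counts(lines, **kw).items() if n > threshold}


# Constructed sample log: one Nextcloud user loading the UI (many /index.php/svg/ icon
# fetches) and one client hammering a non-static, non-whitelisted path.
def _line(ip, sec, path, status=200):
    return f'{ip} - - [10/Jan/2024:10:00:{sec:02d} +0100] "GET {path} HTTP/1.1" {status} 512'


SAMPLE_LOG = (
    [_line("203.0.113.5", 1, "/index.php/login"),
     _line("203.0.113.5", 2, "/index.php/apps/dashboard/"),
     _line("203.0.113.5", 2, "/core/css/server.css?v=abc")]          # static, never counted
    + [_line("203.0.113.5", 3 + i, f"/index.php/svg/core/actions/icon{i}?color=000") for i in range(8)]
    + [_line("198.51.100.7", 5 + i, f"/index.php/apps/files/?dir=/x{i}") for i in range(7)]
)

if __name__ == "__main__":
    for prefix, n in prefix_counts(SAMPLE_LOG).most_common():
        print(f"{n:7d} {prefix}")
    print("without whitelist:", offenders(SAMPLE_LOG, 5, whitelist=False))
    print("with whitelist:   ", offenders(SAMPLE_LOG, 5))
```

With the whitelist off, the legitimate Nextcloud user trips the threshold purely on icon fetches; with it on, only the client that is actually hammering a non-static path remains, which is the effect the post's whitelist parser is meant to have.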