False positives occurring with Nextcloud and eBook reader Kavita

Hi there,

Got more or less the same issue.
Installed crowdsec on my Nextcloud server and got banned on my first login attempt.

# cscli decisions list
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+
|  ID   |  SOURCE  |   SCOPE:VALUE   |                REASON                | ACTION | COUNTRY |   AS    | EVENTS |     EXPIRATION     | ALERT ID |
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+
| 43984 | crowdsec | Ip:x.x.x.x      | crowdsecurity/http-crawl-non_statics | ban    | FR      |  Orange |     47 | 1h57m54.664254699s |       62 |
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+

Then I took a look at the http-crawl-non_statics scenario:

https://hub.crowdsec.net/author/crowdsecurity/configurations/http-crawl-non_statics

Thus, it is just about a high rate of requests on non-static resources.
Unfortunately, the Nextcloud browser-side code is known to generate a lot of requests (which tends to offer a poor user experience).

However, I quickly parsed my Apache logs:

cat drive.access.log | cut -d' ' -f8 | cut -d'/' -f-4 | sort | uniq -c
...
      1 /index.php/js/core
      3 /index.php/login
      1 /index.php/svg/activity
      1 /index.php/svg/circles
     43 /index.php/svg/contacts
    187 /index.php/svg/core
      2 /index.php/svg/deck
      8 /index.php/svg/files
...

Hmm, it looks like multiple requests to /index.php/svg are the root cause.

Then, I took a look at:

https://discourse.crowdsec.net/t/help-with-whitelist-rules-expression-with-portion-of-url/41

but due to some syntax errors with the usage of 'expression' in the YAML config file, I had to adjust it based on:

https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md

So, finally, I ended up creating the following whitelist file:

vi /etc/crowdsec/parsers/s02-enrich/mynextcloudwhitelist.yaml
name: crowdsecurity/mynextcloudwhitelist
description: "Whitelist events from nextcloud legitimate access"
whitelist:
  reason: "ignore index.php/svg"
  expression:
    # plain double-quoted string: wrapping it in extra single quotes would make
    # the literal include the quote characters, so it would match no request
    - evt.Parsed.request contains "/index.php/svg/"

Then:

systemctl restart crowdsec

Removed the false-positive decision:

cscli decisions delete --id 43984

Job done (so it looks).

Please consider this a candidate workaround, not a perfect fix.

Regards.
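The following is an added example, not code from the post or from the CrowdSec project. It replays the post's two steps offline: the `uniq -c`-style count of path prefixes, and the effect of a whitelist on the number of non-static events per source IP that a crawl scenario would see. The Apache log lines are constructed, the field names (`source_ip`, `request`) and the static-extension test are assumptions that only approximate what CrowdSec's Apache parser and the http-crawl-non_statics scenario actually do, and the scenario's thresholds are not reproduced. It also shows why a whitelist expression whose string literal still contains the single quotes matches nothing.

```python
import re
from collections import Counter

# Constructed Apache combined-log sample modelled on the post's Nextcloud
# traffic mix (not real log data).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php/login HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:10:00:02 +0000] "POST /index.php/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:10:00:03 +0000] "GET /index.php/js/core/merged-template-prepend.js?v=1 HTTP/1.1" 200 18000 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:10:00:03 +0000] "GET /core/css/server.css?v=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:10:00:04 +0000] "GET /index.php/svg/core/actions/add?color=000 HTTP/1.1" 200 340 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:10:00:04 +0000] "GET /index.php/svg/core/actions/delete?color=000 HTTP/1.1" 200 330 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:10:00:04 +0000] "GET /index.php/svg/contacts/app?color=fff HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:10:00:05 +0000] "GET /index.php/svg/files/folder?color=000 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:10:00:06 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 7600 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:10:00:07 +0000] "GET /index.php/svg/core/actions/add?color=000 HTTP/1.1" 200 340 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:10:00:07 +0000] "GET /index.php/apps/files/ HTTP/1.1" 401 0 "-" "curl/8.0"
"""

# Apache combined-log layout: ip ident user [time] "verb request proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<verb>\S+) (?P<request>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed approximation of "static resource": a file extension on the path.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff", ".woff2", ".ttf")


def parse_line(line):
    """Return the fields an Apache parser would expose (assumed names), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"source_ip": m["ip"], "verb": m["verb"],
            "request": m["request"], "status": int(m["status"])}


def is_static(request):
    """Query string stripped, then judged by extension (assumption, see above)."""
    return request.split("?", 1)[0].lower().endswith(STATIC_EXT)


def is_whitelisted(evt, needle):
    """Emulate `evt.Parsed.request contains <literal>`.

    `needle` is the *content* of the expr string literal. Passing
    "'/index.php/svg/'" (single quotes included) reproduces the quoting
    mistake: no request path contains quote characters, so nothing matches.
    """
    return needle is not None and needle in evt["request"]


def count_non_static(lines, whitelist_needle=None):
    """Non-static events per source IP that survive the whitelist."""
    counts = Counter()
    for line in lines:
        evt = parse_line(line)
        if evt is None or is_static(evt["request"]):
            continue
        if is_whitelisted(evt, whitelist_needle):
            continue
        counts[evt["source_ip"]] += 1
    return counts


def top_prefixes(lines, depth=4):
    """Equivalent of `cut -d'/' -f-4 | sort | uniq -c` on the request path."""
    counts = Counter()
    for line in lines:
        evt = parse_line(line)
        if evt is None:
            continue
        path = evt["request"].split("?", 1)[0]
        counts["/".join(path.split("/")[:depth])] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for prefix, n in sorted(top_prefixes(lines).items()):
        print(f"{n:7d} {prefix}")
    for label, needle in [("no whitelist", None),
                          ("literal with embedded quotes", "'/index.php/svg/'"),
                          ("plain literal", "/index.php/svg/")]:
        print(f"{label}: {dict(count_non_static(lines, needle))}")
```

Run it as a script to see the prefix table and the three per-IP counts side by side: the embedded-quote variant leaves the counts identical to having no whitelist at all, which is the symptom to look for if a decision reappears after the parser was installed.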