I’m running crowdsec with Nextcloud, especially its Memories app.
Browsing through my large image collection frequently triggers 404 for previews.
I added a custom whitelist including this directive to avoid false-positive lockouts:
- evt.Meta.http_status in ['0','200', '404', '500'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/memories/api/image/(multipreview|preview)' #memories missing previews
which at first glance helped to address the problem, but today I hit another block with the following alert:
################################################################################################
- ID : 16007
- Date : 2025-09-06T16:21:36Z
- Machine : localhost
- Simulation : false
- Remediation : true
- Reason : crowdsecurity/http-probing
- Events Count : 11
- Scope:Value : Ip:192.168.11.219
- Country :
- AS :
- Begin : 2025-09-06 16:21:35.633040011 +0000 UTC
- End : 2025-09-06 16:21:35.68533892 +0000 UTC
- UUID : cf7224eb-1096-4754-bebd-d7e7f16cee00
+---------------------------------------------------------------------------+
| Active Decisions |
+----------+-------------------+--------+------------+----------------------+
| ID | scope:value | action | expiration | created_at |
+----------+-------------------+--------+------------+----------------------+
| 84160186 | Ip:192.168.11.219 | ban | 16m18s | 2025-09-06T16:21:36Z |
+----------+-------------------+--------+------------+----------------------+
- Context :
+------------+--------------------------------------------------------------+
| Key | Value |
+------------+--------------------------------------------------------------+
| method | GET |
| status | 404 |
| target_uri | /apps/memories/api/image/preview/1508600?c=67dea1c00edce289a |
| | 4cc200715439764&x=340&y=340&a=1 |
| target_uri | /apps/memories/api/image/preview/1508666?c=cbca74f23d6d6bebc |
| | ee1d538632c5328&x=340&y=340&a=1 |
| target_uri | /apps/memories/api/image/preview/1508675?c=85876063d93980e6a |
| | a3ff7d6ba941dfd&x=340&y=340&a=1 |
| target_uri | /apps/memories/api/image/preview/1508664?c=eb599732783c15381 |
| | 28071a9415b9613&x=340&y=340&a=1 |
| target_uri | /apps/memories/api/image/preview/1508681?c=e47e6cbfb03bdd1f9 |
| | 5df9aebdb8a6790&x=340&y=340&a=1 |
| target_uri | /apps/memories/api/image/preview/1508766?c=c658585d54890c819 |
| | c7243e1518c02a5&x=340&y=340&a=1 |
| target_uri | /apps/memories/api/image/preview/1508662?c=bf6fbe3c2d8ac5cc9 |
| | 700e47d7017ab7e&x=681&y=681&a=1 |
| target_uri | /apps/memories/api/image/preview/1508558?c=8003b7e84a4b9edaf |
| | b71ec8cff091bf6&x=340&y=340&a=1 |
| target_uri | /apps/memories/api/image/preview/1508595?c=1dcce5d0a3c8c691b |
| | f447f2ce8ccebc4&x=340&y=340&a=1 |
| target_uri | /apps/memories/api/image/preview/1508687?c=a18c8d29b99a67ab6 |
| | b3be78b217dc414&x=340&y=340&a=1 |
| target_uri | /apps/memories/api/image/preview/1508568?c=bbc53d53e6f3d2b35 |
| | 03a892e0184fc3c&x=681&y=681&a=1 |
| user_agent | MemoriesNative/1.12 Mozilla/5.0 (Linux; Android 10) |
| | AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.76 |
| | Mobile Safari/537.36 |
+------------+--------------------------------------------------------------+
From the reverse proxy logs I see 12 events related to the issue:
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508600?c=67dea1c00edce289a4cc200715439764&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508666?c=cbca74f23d6d6bebcee1d538632c5328&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508675?c=85876063d93980e6aa3ff7d6ba941dfd&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508664?c=eb599732783c1538128071a9415b9613&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508681?c=e47e6cbfb03bdd1f95df9aebdb8a6790&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508766?c=c658585d54890c819c7243e1518c02a5&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508662?c=bf6fbe3c2d8ac5cc9700e47d7017ab7e&x=681&y=681&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508558?c=8003b7e84a4b9edafb71ec8cff091bf6&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508595?c=1dcce5d0a3c8c691bf447f2ce8ccebc4&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508687?c=a18c8d29b99a67ab6b3be78b217dc414&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508568?c=bbc53d53e6f3d2b3503a892e0184fc3c&x=681&y=681&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508561?c=23b39fa1e6f925a519d3d1dd7c184fb8&x=340&y=340&a=1","nc@docker",404
My TZ is UTC+2, so the reverse proxy timestamp 2025-09-06T18:21:35+02:00 is equal to the crowdsec alert timestamp 2025-09-06 16:21:35.633040011 +0000 UTC.
I have the feeling my whitelist doesn’t apply for some reason. Any ideas what is wrong? IMO the whitelist directive should have addressed the scenario; please help me understand why the scenario triggered.
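As an added example, not part of the original post, the following Python script replays the posted whitelist expression over a few log lines: in crowdsec's expr language `contains` is a plain substring test, so `(multipreview|preview)` is compared literally and never matches a real preview URL, whereas `matches` is the regex operator. It assumes the CSV log layout shown above (the first sample line is from the post, the other two are constructed) and that every request is a GET, which these log lines do not record.

```python
import csv
import io
import re

# Sample reverse-proxy log lines: line 1 is from the post, lines 2 and 3 are constructed.
# Layout: time, client IP, status, host, request URI, service, status.
SAMPLE_LOG = """\
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/preview/1508600?c=67dea1c00edce289a4cc200715439764&x=340&y=340&a=1","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/apps/memories/api/image/multipreview","nc@docker",404
"2025-09-06T18:21:35+02:00","192.168.11.219",404,"nc.mydomain.tld","/index.php/apps/files/","nc@docker",404
"""

# The string from the posted whitelist, used exactly as `contains` sees it: no regex semantics.
LITERAL_PATTERN = '/apps/memories/api/image/(multipreview|preview)'
# The same intent expressed as a regex, which is what expr's `matches` operator evaluates.
REGEX_PATTERN = re.compile(r'^/apps/memories/api/image/(multipreview|preview)')
ALLOWED_STATUS = ("0", "200", "404", "500")  # evt.Meta values are strings in crowdsec


def parse_events(text):
    """Turn the CSV log lines into crowdsec-style evt.Meta dicts."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        _ts, ip, status, _host, uri, _service, _status2 = row
        events.append({
            "http_status": status,
            "http_verb": "GET",   # assumption: this log layout carries no request method
            "http_path": uri,     # whether the query string is kept varies by parser; harmless here
            "source_ip": ip,
        })
    return events


def whitelist_contains(meta):
    """Posted expression: `contains` is a substring test, so '(' '|' ')' are literal characters."""
    return (meta["http_status"] in ALLOWED_STATUS
            and meta["http_verb"] == "GET"
            and LITERAL_PATTERN in meta["http_path"])


def whitelist_matches(meta):
    """Same expression with `matches`: the alternation is now a real regex."""
    return (meta["http_status"] in ALLOWED_STATUS
            and meta["http_verb"] == "GET"
            and REGEX_PATTERN.search(meta["http_path"]) is not None)


def count_whitelisted(text, predicate):
    """Number of events the given whitelist predicate would drop before the scenario sees them."""
    return sum(1 for evt in parse_events(text) if predicate(evt))
```

With the posted expression no preview request is whitelisted, so all 404s still feed the http-probing bucket; the regex form drops the two Memories requests and keeps the unrelated one.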