HAProxy bouncer fresh install, a few questions

Hello everyone,

I have just installed, following the docs, the latest bouncer version for HAProxy, and have a few questions.

  • How easy is it to remove the captcha? Just not add the backend?
    The software behind the HAProxy has a GUI for people and for hardware, so we just want the ban to work.

  • How do we actually test an "attack" on the HAProxy and see how the bouncer acts? I ran a Nikto scan but didn't see any actions or decisions in cscli like I did with the Apache2 bouncer.

Many thanks in advance!
Sebastian

Just don't configure your profiles to issue a captcha decision, and then it won't act on it.

> How do we actually test an "attack" on the HAProxy and see how the bouncer acts? I ran a Nikto scan but didn't see any actions or decisions in cscli like I did with the Apache2 bouncer.

Did you configure the log sources to be read by CrowdSec? The bouncer does not do any detection; it just acts on what CrowdSec tells it to.

Hello,

> Just don't configure your profiles to issue a captcha decision, and then it won't act on it.

If I read the profiles.yaml below correctly, the default is to ban for 4h and no captcha is issued; is that correct (and that's what I want)?

/etc/crowdsec/profiles.yaml:

    name: default_ip_remediation
    #debug: true
    filters:
     - Alert.Remediation == true && Alert.GetScope() == "Ip"
    decisions:
     - type: ban
       duration: 4h
       #duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
    notifications:
    #  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
    #  - splunk_default  # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
    #  - http_default  # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
    #  - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
    on_success: break

> Did you configure the log sources to be read by CrowdSec? The bouncer does not do any detection; it just acts on what CrowdSec tells it to.

This is where I am thinking that the installed bouncer needs something "more".
I have followed a few tutorials that add the bouncer and tie it into HAProxy.

Is there something else to do?

Yes, you need to alter acquis.yaml to point towards the HAProxy logs. The current profile only issues a ban, which is fine as that is what you want it to do :+1:

> Yes, you need to alter acquis.yaml to point towards the HAProxy logs.

Great, thanks. I think something is missing here… I don't remember running the wizard here; is there a way to reconfigure to add the HAProxy info here?

/etc/crowdsec/acquis.yaml:

    #Generated acquisition file - wizard.sh (service: ssh) / files :
    journalctl_filter:
     - _SYSTEMD_UNIT=ssh.service
    labels:
      type: syslog

The wizard automatically runs on install to pick up the "basic" options such as SSH.

You would need to add the configuration for HAProxy, such as:

    ---
    filenames:
      - /var/log/haproxy/*.log
    labels:
      type: haproxy

This is the example we show on the hub.
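To make the split the replies above rely on concrete (CrowdSec reads the HAProxy log and produces decisions; the bouncer only enforces them and never sees the log), here is an added toy model of that pipeline. It is not CrowdSec, hub or bouncer code: the log lines are constructed, the regex follows HAProxy's default "option httplog" line shape, and the "N 404s from one IP within a window" rule and its numbers are an assumption standing in for a real hub scenario, not the hub's own http-probing logic. The resulting decision mirrors the ban/Ip/4h shape of the profile quoted earlier in the thread.

```python
"""Toy model of the CrowdSec split: acquisition + scenario read the HAProxy
log and emit decisions; a bouncer would only fetch and enforce those.
Added illustration, not CrowdSec, hub or bouncer code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default HAProxy "option httplog" request line as forwarded through syslog.
# Only the fields used here are named; the fields between bytes and the
# quoted request are skipped.
HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[0-9a-fA-F.:]+):\d+ \[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>\S+) (?P<timers>\S+) (?P<status>-?\d+) '
    r'(?P<bytes>\d+) .*?"(?P<request>[^"]*)"'
)


def parse_httplog(line):
    """Return a dict for an httplog request line, or None for anything else
    (process messages, truncated lines)."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S.%f")
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    parts = rec["request"].split(" ")   # "<BADREQ>" carries no path/version
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


class ProbingDetector:
    """Assumed rule (not the hub's http-probing scenario): `threshold` 404
    responses to one IP inside `window` raise an alert, which the profile in
    the thread would turn into a ban on the Ip scope for `ban_duration`."""

    def __init__(self, threshold=5, window=timedelta(seconds=10),
                 ban_duration="4h"):
        self.threshold = threshold
        self.window = window
        self.ban_duration = ban_duration
        self.buckets = defaultdict(deque)   # ip -> timestamps of recent 404s
        self.decisions = []

    def feed(self, rec):
        if rec["status"] != 404:
            return None
        q = self.buckets[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:   # drop expired events
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()   # one alert per burst; later 404s start a fresh count
        decision = {"type": "ban", "scope": "Ip", "value": rec["ip"],
                    "duration": self.ban_duration,
                    "scenario": "toy/http-probing-404"}   # hypothetical name
        self.decisions.append(decision)
        return decision


def decisions_from_log(lines, **kwargs):
    """Run the toy engine over raw log lines. The returned list is what a
    bouncer would fetch from the LAPI; the bouncer itself never reads logs."""
    det = ProbingDetector(**kwargs)
    for line in lines:
        rec = parse_httplog(line)
        if rec is not None:
            det.feed(rec)
    return det.decisions


# Constructed sample: a Nikto-style burst of 404s from 203.0.113.5 mixed with
# normal traffic from 198.51.100.7, one malformed request and one process line.
SAMPLE_LOG = """\
Jan 10 10:00:00 lb haproxy[1234]: Proxy fe_http started.
Jan 10 10:00:01 lb haproxy[1234]: 198.51.100.7:40001 [10/Jan/2024:10:00:01.100] fe_http be_app/web1 0/0/1/2/3 200 5120 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Jan 10 10:00:01 lb haproxy[1234]: 203.0.113.5:51001 [10/Jan/2024:10:00:01.200] fe_http be_app/web1 0/0/1/2/3 404 312 - - ---- 2/2/0/0/0 0/0 "GET /admin.php HTTP/1.1"
Jan 10 10:00:01 lb haproxy[1234]: 203.0.113.5:51002 [10/Jan/2024:10:00:01.400] fe_http be_app/web1 0/0/1/2/3 404 312 - - ---- 2/2/0/0/0 0/0 "GET /cgi-bin/test.cgi HTTP/1.1"
Jan 10 10:00:01 lb haproxy[1234]: 203.0.113.5:51003 [10/Jan/2024:10:00:01.600] fe_http be_app/web1 0/0/1/2/3 404 312 - - ---- 2/2/0/0/0 0/0 "GET /phpmyadmin/ HTTP/1.1"
Jan 10 10:00:01 lb haproxy[1234]: 203.0.113.5:51004 [10/Jan/2024:10:00:01.800] fe_http be_app/web1 0/0/1/2/3 404 312 - - ---- 2/2/0/0/0 0/0 "GET /.git/config HTTP/1.1"
Jan 10 10:00:02 lb haproxy[1234]: 203.0.113.5:51005 [10/Jan/2024:10:00:02.000] fe_http be_app/web1 0/0/1/2/3 404 312 - - ---- 2/2/0/0/0 0/0 "GET /wp-login.php HTTP/1.1"
Jan 10 10:00:02 lb haproxy[1234]: 203.0.113.5:51006 [10/Jan/2024:10:00:02.200] fe_http be_app/web1 0/0/1/2/3 404 312 - - ---- 2/2/0/0/0 0/0 "GET /backup.zip HTTP/1.1"
Jan 10 10:00:02 lb haproxy[1234]: 203.0.113.5:51007 [10/Jan/2024:10:00:02.400] fe_http be_app/web1 0/0/0/0/0 400 187 - - PR-- 2/2/0/0/0 0/0 "<BADREQ>"
Jan 10 10:00:03 lb haproxy[1234]: 198.51.100.7:40002 [10/Jan/2024:10:00:03.000] fe_http be_app/web1 0/0/1/2/3 200 1024 - - ---- 1/1/0/0/0 0/0 "GET /app HTTP/1.1"
"""

if __name__ == "__main__":
    for d in decisions_from_log(SAMPLE_LOG.splitlines()):
        print(d)   # one ban for 203.0.113.5 with duration 4h; none for 198.51.100.7
```

The point of the model is the direction of the data flow: nothing in `ProbingDetector` is reachable from the bouncer side, so with the acquisition still pointed only at the SSH journal (as in the generated acquis.yaml above) a Nikto run against HAProxy yields no decisions and the bouncer correctly does nothing, which is exactly the symptom in the opening question.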

> You would need to add the configuration for HAProxy, such as:

Yes! I found that too, but forgot to run the cscli command :smiley:

After some restarts, HAProxy is now correctly producing logs and they are being parsed, and the pentest (Nikto) got banned; the logs show 200 with a ban method (and not 404).

cscli is showing the ban; it should be removed in 4h.

This is very nice and slick, thanks very much for the help!

Sebastian
