Hi, I’ve been using crowdsec for a while now on our inbound haproxy. It seems to be working ok apart from occasional bans affecting client IPs. We run an RMM system and we have a fairly high level of inbound web activity. It’s pretty consistent though, as the agents always do the same stuff.
I’d like to know how I work out why a particular ban occurred.
The other day a ban affected one of our biggest clients. ‘cscli decisions list’ reported reason: crowdsecurity/http-probing
Apart from crowdsec-firewall-bouncer.log, none of the crowdsec logs in /var/logs contained anything at all. The crowdsec-firewall-bouncer log just had the usual messages about ‘x decisions added’, nothing else.
I’ve searched on the site but can’t find anything which explains http-probing, so I can’t work out what crowdsec means by that.