Hello,
I have encountered an issue with my Crowdsec setup and I’m seeking assistance. I’ve installed Crowdsec on my server and need to access it via GitHub Actions to transfer certain data. However, the GitHub Action is frequently being banned with the tag “crowdsecurity/http-probing”. The straightforward solution might be to whitelist all Microsoft servers, but this isn’t ideal as attacks could also originate from the Azure network.
To address this, I’ve created a script that sends the IP of the runner to my server. This IP is then added to the whitelist as follows:
parsers/s02-enrich/
name: "mylist/auto-whitelist-2024010722542596wT"
description: "Auto Whitelist events API"
whitelist:
reason: "Auto Whitelist ipv4/ipv6 ip/ranges"
ip:
- "4.155.40.19"
After this, I restart Crowdsec to ensure the whitelist is properly activated. Despite these measures, the service continues to be banned with the “crowdsecurity/http-probing” message.
Could anyone provide insights into why this ban occurs despite the active whitelist? Any suggestions or advice would be greatly appreciated.
Thank you!
My honest opinion is you will be playing a cat and mouse game to whitelist everything. In the past people have used a vpn from github actions to the private server so the requests come a private IP and wont trigger crowdsec rules.
And why it doesnt work? well from the example you only show one IP it could be coming from thousands.
Thank you for your input. I understand the concern about the potential cat and mouse game with whitelisting, but my setup might be a bit different. In my case, the GitHub Action explicitly communicates its IP, which is then directly added to the whitelist. This IP remains consistent throughout the entire action, and it’s automatically removed after completion. Therefore, it’s not a variable target but a specific, consistent one.
Moreover, the issue I’m facing isn’t with blocking the entire Microsoft network. The specific IP mentioned in my example, which is the same IP used by the GitHub Action and subsequently whitelisted, is the one being banned. My problem lies in the fact that despite explicitly whitelisting this particular IP, it still ends up being banned. This is puzzling since the banned IP is the same one I had added to the whitelist.
Any thoughts on why this specific scenario is happening would be greatly appreciated.
So could you try find a line with said IP and then run it through cscli explain
for example
grep 4.155.40.19 /var/log/<your_log>.log | tail -n 1 | cscli explain -f- --type <log_type> -v
This will show you how the line is treated and if you whitelist is working.
Thank you! I will try it out at the next opportunity