The Docker setup has Traefik, CrowdSec and traefik-bouncer. The collections crowdsecurity/http-cve, crowdsecurity/traefik, LePresidente/authelia and Dominic-Wagner/vaultwarden are installed. Logs are connected, and CrowdSec reads them correctly. But… it reads the logs, yet it does not block everyone, and not always. I checked it on myself: it always blocks me, but at different intervals, sometimes after 6 tries, sometimes after 10, sometimes after 15.
Today I was looking through the logs, and this is what I saw
This is the concept of the leaky bucket: events pour out over time, so depending on how aggressive the "bad actor" is, that is how fast they will be banned. Not only that, depending on how the bouncer is configured (anything Traefik is third party), it will either have an internal timer or will be live. (Live is always faster than an internal timer.)
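To make the leaky-bucket behaviour concrete, here is an added simulation (not CrowdSec's own code, and the `capacity` of 5 and `leakspeed` of 10 s are assumed values chosen for illustration): a bucket gains one unit per failed login, drains continuously, and overflows when it exceeds capacity. The attempt intervals are constructed so that the overflow lands on the 6th, 10th and 15th attempt, showing why the same scenario bans a fast client sooner than a slow one, and never bans one slower than the leak.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LeakyBucket:
    """Minimal model of a CrowdSec-style leaky bucket (parameters are assumed).

    capacity:  how many events the bucket holds before it overflows
    leakspeed: seconds it takes for one event to drain out of the bucket
    """
    capacity: int
    leakspeed: float
    level: float = 0.0
    last_event: Optional[float] = None

    def add_event(self, t: float) -> bool:
        """Register one event at time t (seconds). Returns True on overflow."""
        if self.last_event is not None:
            # Events drain continuously while the bucket sits idle.
            idle = t - self.last_event
            self.level = max(0.0, self.level - idle / self.leakspeed)
        self.last_event = t
        self.level += 1.0
        if self.level > self.capacity:
            # Overflow: this is the point where an alert (and a ban) is raised.
            self.level = 0.0
            return True
        return False


def attempts_until_ban(interval: float, capacity: int = 5,
                       leakspeed: float = 10.0, max_attempts: int = 100) -> Optional[int]:
    """Number of failed logins, spaced `interval` seconds apart, that trigger the overflow.

    Returns None when the client is slower than the leak and never overflows.
    """
    bucket = LeakyBucket(capacity, leakspeed)
    for n in range(1, max_attempts + 1):
        if bucket.add_event((n - 1) * interval):
            return n
    return None


if __name__ == "__main__":
    # Constructed intervals: 1 s, 5 s and 7 s overflow on attempts 6, 10 and 15.
    for interval in (1.0, 5.0, 7.0, 12.0):
        print(f"one failure every {interval:>4}s -> overflow on attempt {attempts_until_ban(interval)}")
```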
Is it normal that crowdsec misses this?
What has CrowdSec missed? You can configure the scenarios to be more aggressive; however, this will likely increase your false positive rate.
Nothing to worry about in principle? Is everything working as it should?
Yes, it seems so. Since you are using the Traefik bouncer you will most likely see multiple alerts anyway, since the connection is not dropped; it just gets a 401 or 403 (can't remember which) status code.