It works with a delay and doesn't ban


The docker has traefik, crowdsec, traefik-bouncer. The collections crowdsecurity/http-cve, crowdsecurity/traefik, LePresidente/authelia and Dominic-Wagner/vaultwarden are installed. Logs are connected, and crowdsec reads them correctly. But… It reads the logs, but it does not block everyone, and not always. I checked it on myself: it always blocks me at different intervals, sometimes with 6 tries, sometimes with 10, sometimes with 15.

Today I was looking through the logs, and this is what I saw

Is it normal that crowdsec misses this? Can it be configured more aggressively?

This is the concept of the leaky bucket: events pour in over time, so how fast they will be banned depends on how aggressive the “bad actor” is. Not only that, depending on how the bouncer is configured (anything Traefik is third party), it will either have an internal timer or be live. (Live is always faster than an internal timer.)

Is it normal that crowdsec misses this?

What has CrowdSec missed? You can configure the scenarios to be more aggressive; however, this will likely increase your false positive rate.
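The leaky-bucket behaviour described in the reply above, as an added example that is not part of the original thread and not CrowdSec's own code: a simplified bucket model showing why the number of attempts before an alert varies with how the requests are paced. The `capacity` and `leakspeed` values and the pacing intervals are constructed for illustration, not taken from the installed collections.

```python
"""Simplified leaky-bucket model (illustration only, not CrowdSec's implementation).

Each matching log event pours one unit into the bucket; the bucket drains one
unit every `leakspeed` seconds; an alert fires when the level exceeds `capacity`.
"""


def attempts_until_overflow(interval, capacity=5, leakspeed=10.0, max_attempts=1000):
    """Return the attempt number that overflows the bucket, or None if it never does.

    interval  -- seconds between consecutive events from one source (constructed input)
    capacity  -- events the bucket holds before overflowing (assumed value)
    leakspeed -- seconds needed to drain one event (assumed value)
    """
    level = 0.0
    for attempt in range(1, max_attempts + 1):
        if attempt > 1:
            # Drain what leaked out since the previous event, never below empty.
            level = max(0.0, level - interval / leakspeed)
        level += 1.0  # the new event is poured in
        if level > capacity:
            return attempt
    return None


def compare(intervals, **bucket):
    """Map each pacing interval to the attempt count that triggers an alert."""
    return {i: attempts_until_overflow(i, **bucket) for i in intervals}


if __name__ == "__main__":
    # Constructed pacings: burst, moderate, slow, and slower than the leak rate.
    pacings = [0.5, 5, 7, 12]
    print("capacity=5 leakspeed=10s:", compare(pacings))
    # A slower leak (stricter scenario) also catches the 12 s pacing, at the
    # cost of counting legitimate retries spread over a longer window.
    print("capacity=5 leakspeed=30s:", compare(pacings, leakspeed=30.0))
```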

CrowdSec seems to ban it. It’s some kind of smart scanner, even geoblock doesn’t catch it, and fail2ban :slight_smile:

Nothing to worry about in principle? Is everything working as it should?

Nothing to worry about in principle? Is everything working as it should?

Yes, it seems so. Since you are using the Traefik bouncer, you will most likely see multiple alerts anyway, since the connection is not dropped; it just gets a 401 or 403 (can't remember) status code.


Thank you.

You still haven’t been able to reproduce the problem with the notification not working in Telegram?

Honestly no, but I can try to replicate it now.

I still don’t understand why my notifications don’t work. I really don’t know where to look. I would really like to be able to keep track of bans.

Why an unsupported protocol scheme :sob:

I replied in the other thread; closing this.