Adding new rules in CrowdSec

I don't know how I can create a new rule. On my server I have someone who tries to access it every 10 minutes:

postfix/smtpd[49071]: lost connection after EHLO from unknown[91.224.92.40]
disconnect from unknown[91.224.92.40] ehlo=1 commands=1

That repeats every 8 to 10 minutes.

Then I have another case, every 30 minutes:

ovpn-server[1104]: tls-crypt unwrap error: packet too short
ovpn-server[1104]: tls-crypt unwrap error: packet too short

This is in journalctl.

CrowdSec doesn't ban this.

I need help.

I don't know where I must create the files for it.

Maybe someone can give a short tutorial; that would be great.

There is a collection for postfix, so you could add that already…
I don't see any VPN collections, so I guess it is because the CrowdSec staff does not consider that a threat because of all the security OpenVPN or WireGuard has in place?

EDIT:
There is a collection for WireGuard, but:

Whilst CrowdSecurity designed this collection, we highly discourage the use of it (Yes we know very odd). Wireguard is designed to be high performant and secure by default protocol using key pairs. The logs were only designed to be for debugging purposes then turned back off. If a user wishes to use this collection go ahead but no support will be offered from the team if you run into issues with wireguard or the collection.

So I guess that's their answer to it.

Hello,

I use OpenVPN, and at this time I ban these by hand. I have the postfix collection installed, but it didn't ban.

So the postfix collection is enabled in your CrowdSec, but still the IPs are not added to iptables?

And as I said, if they have that logic for WireGuard, it's highly probable that they have the same logic for OpenVPN. If you have an up-to-date OpenVPN, then there is theoretically no risk for the OpenVPN instance. That's my guess why there are no decisions or anything about OpenVPN.

This is hard to ban from OpenVPN, as there is no corresponding IP address.

Ensure the postfix logs are being parsed correctly via cscli metrics; if they are, most likely the attacker is too slow to be picked up by the current leakspeed.
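As a worked example added here (it is not from the original thread, the CrowdSec hub, or the CrowdSec team), the three pieces a custom detection for the EHLO probe in the first post needs: an acquisition entry so CrowdSec reads the postfix journal, a parser that extracts the probing IP from the "lost connection after EHLO" line, and a leaky-bucket scenario tuned for a slow probe, which is the leakspeed point made in the last reply. The `local/` names, the file names, the systemd unit name, the bucket numbers and the test log line are assumptions for this example; `evt.Parsed.program` and `evt.Parsed.message` are the fields the hub's standard syslog parser sets. The OpenVPN `tls-crypt unwrap error: packet too short` line carries no client address, so, as noted above, no parser can turn it into a decision and it is not handled here.

```yaml
# ===== /etc/crowdsec/acquis.yaml  (append; YAML documents are separated by ---) =====
# Read postfix from the journal instead of a file. The unit name is an
# assumption for this example (Debian names its postfix instance
# postfix@-.service); check with `systemctl list-units 'postfix*'`.
# If you already acquire /var/log/mail.log with `labels: {type: syslog}`,
# skip this document.
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=postfix@-.service"
labels:
  type: syslog                 # hands the lines to the hub's syslog parser first

# ===== /etc/crowdsec/parsers/s01-parse/local-postfix-ehlo-logs.yaml =====
---
onsuccess: next_stage
name: local/postfix-ehlo-logs
description: "Postfix client that sends EHLO and then drops the connection"
# evt.Parsed.program / evt.Parsed.message are filled in stage s00-raw by the
# hub's syslog parser; program is e.g. "postfix/smtpd".
filter: "evt.Parsed.program startsWith 'postfix'"
grok:
  # Matches: lost connection after EHLO from unknown[91.224.92.40]
  pattern: 'lost connection after EHLO from %{DATA:remote_host}\[%{IP:remote_addr}\]'
  apply_on: message
statics:
  - meta: log_type
    value: postfix_ehlo_lost_connection
  - meta: service
    value: postfix
  - meta: source_ip                     # the field scenarios and bans key on
    expression: evt.Parsed.remote_addr

# ===== /etc/crowdsec/scenarios/local-postfix-ehlo-probe.yaml =====
---
type: leaky
name: local/postfix-ehlo-probe
description: "Slow SMTP probing: repeated EHLO-then-disconnect from one IP"
filter: "evt.Meta.log_type == 'postfix_ehlo_lost_connection'"
groupby: evt.Meta.source_ip
# The probe above hits every 8-10 minutes. A leaky bucket drains one event
# per leakspeed, so a leakspeed shorter than the probe interval never fills;
# the bucket overflows on the (capacity + 1)th event still inside it.
# capacity 3 / leakspeed 30m: hits at 0, 9, 18, 27 min -> alert on the 4th.
capacity: 3
leakspeed: "30m"
blackhole: 2h                # at most one alert per IP every 2h after overflow
labels:
  service: postfix
  type: scan
  remediation: true          # required for the default profile to issue a ban

# Load and check (as root). The --log line is a constructed syslog-formatted
# version of the line from the first post; cscli explain needs the header.
#   systemctl reload crowdsec
#   cscli explain --type syslog --log 'Jun  1 10:00:00 mail postfix/smtpd[49071]: lost connection after EHLO from unknown[91.224.92.40]'
#   cscli metrics          # local/postfix-ehlo-logs should show parsed lines
#   cscli decisions list   # shows the ban once the bucket overflows
```

Within a stage, the first parser whose grok matches takes the line, so if `cscli explain` shows the hub's postfix parser consuming it instead of `local/postfix-ehlo-logs`, adjust the filter or the scenario to key on the metadata that parser sets rather than assuming yours ran. Tune `capacity` and `leakspeed` against the probe interval you actually see: they are the only two knobs that decide whether a slow probe is ever noticed.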