Status 200 in all logfiles…
Then you need to write a custom scenario, as we don't know the difference between a "good" 200 and a "bad" 200 status code.
Providing us context of what the application is, we can advise.
I have a server running at home with an Intel J5005 CPU (https://www.asrock.com/mb/Intel/J5005-ITX/index.de.asp), and Home Assistant is running on it in Docker.
This allows me to control lights, heating, appliances, etc. by voice. In order to use this, you need an https connection that can be accessed from the Internet. Hence NPM (for ssl). Unfortunately, anyone can access this "open" Home Assistant instance. Although you need a user and password, I still want more security against bot networks, hackers or automated scripts that try to gain access. Hence crowdsec. I can access an instance hosted on the internet by my home server and log in at home using a normal link via duckdns. This should be protected by crowdsec.
If someone enters the wrong password 3 times, they should be banned.
Since home-assistant doesn't log the status code, somebody has already written a parser for HA logs:
https://app.crowdsec.net/hub/author/crowdsecurity/collections/home-assistant
It is installed, but no ban. I can see it in app.crowdsec.net.
time="2024-02-06T14:02:01Z" level=info msg="capi metrics: sending"
time="2024-02-06T14:02:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:02:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 1.061891ms \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:03:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:03:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 927.006µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:04:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:04:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 971.808µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:05:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:05:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 929.684µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:06:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:06:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 770.941µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:07:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:07:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 655.555µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:08:05Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:08:05 UTC] \"POST /v1/watchers/login HTTP/1.1 200 85.079889ms \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:08:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:08:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 935.62µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:09:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:09:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 718.297µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:10:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:10:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 814.544µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:11:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:11:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 360.4µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:12:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:12:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 828.244µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:13:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:13:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 393.839µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:14:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:14:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 906.873µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:15:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:15:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 792.739µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:16:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:16:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 818.466µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:17:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:17:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 736.132µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:18:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:18:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 895.644µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:19:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:19:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 910.882µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:20:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:20:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 909.643µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:21:44Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:44 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 77.68907ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:45Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:45 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 80.148657ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:47Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:47 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 57.273726ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:48Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:48 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 80.801386ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:50Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:50 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 79.09474ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:52Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:52 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 76.648831ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:54Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:54 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 41.424487ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:55Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:55 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 63.628548ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:56Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:56 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 73.309099ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:57Z" level=info msg="127.0.0.1 - [Tue, 06 Feb 2024 14:21:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 385.21µs \"crowdsec/v1.6.0-4192af30\" \""
time="2024-02-06T14:21:58Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:58 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 75.721127ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:21:59Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:21:59 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 79.460863ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:01Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:01 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 38.665765ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:02Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:02 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 45.556413ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:03Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:03 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 39.38893ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:04Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:04 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 79.759498ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:05Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:05 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 78.430724ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:07Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:07 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 79.786577ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:08Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:08 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 77.39168ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:09Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:09 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 78.643328ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:10Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:10 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 43.082529ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:12Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:12 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 73.604555ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:13Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:13 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 75.152942ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:15Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:15 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 78.534567ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:16Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:16 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 44.646199ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:17Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:17 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 83.450341ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:19Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:19 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 75.952942ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:20Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:20 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 74.931665ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:21Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:21 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 82.489856ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
time="2024-02-06T14:22:28Z" level=info msg="172.16.0.4 - [Tue, 06 Feb 2024 14:22:28 UTC] \"GET /v1/decisions?ip=176.6.179.224 HTTP/1.1 200 83.767393ms \"crowdsec-openresty-bouncer/v1.0.1\" \""
Acquisition Metrics:
+------------------------+------------+--------------+----------------+------------------------+
| Source                 | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket |
+------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/auth.log | 1          | -            | 1              | -                      |
| file:/var/log/syslog   | 52         | -            | 52             | -                      |
+------------------------+------------+--------------+----------------+------------------------+

Parser Metrics:
+---------------------------------+------+--------+----------+
| Parsers                         | Hits | Parsed | Unparsed |
+---------------------------------+------+--------+----------+
| child-crowdsecurity/syslog-logs | 53   | 53     | -        |
| crowdsecurity/syslog-logs       | 53   | 53     | -        |
+---------------------------------+------+--------+----------+

Local API Metrics:
+--------------------+--------+------+
| Route              | Method | Hits |
+--------------------+--------+------+
| /v1/decisions      | GET    | 7    |
| /v1/heartbeat      | GET    | 3    |
| /v1/watchers/login | POST   | 1    |
+--------------------+--------+------+

Local API Machines Metrics:
+-----------+---------------+--------+------+
| Machine   | Route         | Method | Hits |
+-----------+---------------+--------+------+
| localhost | /v1/heartbeat | GET    | 3    |
+-----------+---------------+--------+------+

Local API Bouncers Metrics:
+-------------+---------------+--------+------+
| Bouncer     | Route         | Method | Hits |
+-------------+---------------+--------+------+
| nginx-proxy | /v1/decisions | GET    | 7    |
+-------------+---------------+--------+------+

Local API Bouncers Decisions:
+-------------+---------------+-------------------+
| Bouncer     | Empty answers | Non-empty answers |
+-------------+---------------+-------------------+
| nginx-proxy | 7             | 0                 |
+-------------+---------------+-------------------+

Local API Decisions:
+--------------------------------------------+--------+--------+-------+
| Reason                                     | Origin | Action | Count |
+--------------------------------------------+--------+--------+-------+
| crowdsecurity/f5-big-ip-cve-2020-5902      | CAPI   | ban    | 23    |
| crowdsecurity/http-admin-interface-probing | CAPI   | ban    | 1415  |
| crowdsecurity/http-probing                 | CAPI   | ban    | 1276  |
| crowdsecurity/ssh-bf                       | CAPI   | ban    | 14055 |
| crowdsecurity/CVE-2022-35914               | CAPI   | ban    | 48    |
| crowdsecurity/CVE-2022-42889               | CAPI   | ban    | 4     |
| crowdsecurity/http-sensitive-files         | CAPI   | ban    | 38    |
| crowdsecurity/ssh-slow-bf                  | CAPI   | ban    | 46    |
| crowdsecurity/thinkphp-cve-2018-20062      | CAPI   | ban    | 6     |
| firehol_cybercrime                         | lists  | ban    | 840   |
| crowdsecurity/CVE-2022-41082               | CAPI   | ban    | 872   |
| crowdsecurity/http-cve-2021-41773          | CAPI   | ban    | 19    |
| crowdsecurity/http-cve-2021-42013          | CAPI   | ban    | 5     |
| crowdsecurity/netgear_rce                  | CAPI   | ban    | 4     |
| otx-webscanners                            | lists  | ban    | 8225  |
| crowdsecurity/http-bad-user-agent          | CAPI   | ban    | 14153 |
| crowdsecurity/CVE-2023-22518               | CAPI   | ban    | 11    |
| crowdsecurity/http-backdoors-attempts      | CAPI   | ban    | 1192  |
| crowdsecurity/http-path-traversal-probing  | CAPI   | ban    | 178   |
| crowdsecurity/CVE-2023-22515               | CAPI   | ban    | 17    |
| crowdsecurity/CVE-2023-49103               | CAPI   | ban    | 227   |
| crowdsecurity/apache_log4j2_cve-2021-44228 | CAPI   | ban    | 372   |
| crowdsecurity/http-crawl-non_statics       | CAPI   | ban    | 425   |
| crowdsecurity/jira_cve-2021-26086          | CAPI   | ban    | 10    |
| ltsich/http-w00tw00t                       | CAPI   | ban    | 1     |
| firehol_cruzit_web_attacks                 | lists  | ban    | 13252 |
| crowdsecurity/CVE-2019-18935               | CAPI   | ban    | 85    |
| crowdsecurity/grafana-cve-2021-43798       | CAPI   | ban    | 49    |
| crowdsecurity/CVE-2022-37042               | CAPI   | ban    | 21    |
| crowdsecurity/CVE-2022-26134               | CAPI   | ban    | 216   |
| crowdsecurity/http-generic-bf              | CAPI   | ban    | 16    |
| crowdsecurity/http-open-proxy              | CAPI   | ban    | 870   |
| crowdsecurity/fortinet-cve-2018-13379      | CAPI   | ban    | 58    |
+--------------------------------------------+--------+--------+-------+

Local API Alerts:
+-------------------------------+-------+
| Reason                        | Count |
+-------------------------------+-------+
| manual 'ban' from 'localhost' | 3     |
+-------------------------------+-------+
Yes, but have you set up the logs for home assistant to be passed into crowdsec? And then set up the acquisition to find the files?
Now it finally works! Thank you for your great support, I couldn't have done it without you! Thanks so much for your big help.
I mounted the HA log with Docker and put this in the acquis.yml:

filenames:
  - /var/log/homeassistant/home-assistant.log
labels:
  type: home-assistant
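The two things that had to be true before any ban could happen are exactly what the metrics above show were missing: the log file has to be visible inside the crowdsec container (Acquisition Metrics listed only auth.log and syslog), and the acquisition entry has to carry the labels.type the collection's parser keys on. The following script is an added example, not something from this thread or from the CrowdSec project; it is a quick pre-flight check to run inside the container against acquis.yaml. It assumes the simple single-entry "filenames:/labels:" layout shown above (multi-document files separated by "---" would need a real YAML parser).

```shell
#!/usr/bin/env bash
# Added example: sanity-check a CrowdSec acquis.yaml from inside the container.
# Reports every listed log file that is not readable (typically: not mounted
# into the container) and verifies the labels.type value, since a wrong or
# missing type means the lines never reach the collection's parser.

check_acquis() {
    local acquis="$1" expected_type="${2:-}" rc=0
    [ -r "$acquis" ] || { echo "cannot read $acquis"; return 2; }

    # Every "- /path" list item under filenames: is a source crowdsec will tail.
    local paths
    paths=$(sed -n 's/^[[:space:]]*-[[:space:]]*\(\/[^[:space:]]*\).*/\1/p' "$acquis")
    [ -n "$paths" ] || { echo "no filenames: entries found in $acquis"; return 1; }

    local p
    for p in $paths; do
        if [ -r "$p" ]; then
            echo "ok      $p"
        else
            # The state this thread started in: the HA log was never visible
            # to crowdsec, so cscli metrics never listed it under Acquisition.
            echo "missing $p (not mounted into the container?)"
            rc=1
        fi
    done

    # labels.type selects the parser chain (home-assistant here); without it
    # the lines fall through unparsed and no scenario can fire.
    local label_type
    label_type=$(sed -n 's/^[[:space:]]*type:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$acquis" | head -n 1)
    if [ -z "$label_type" ]; then
        echo "missing labels.type"; rc=1
    elif [ -n "$expected_type" ] && [ "$label_type" != "$expected_type" ]; then
        echo "labels.type is '$label_type', expected '$expected_type'"; rc=1
    else
        echo "type    $label_type"
    fi
    return $rc
}

# Usage: bash check_acquis.sh /etc/crowdsec/acquis.yaml home-assistant
if [ $# -ge 1 ]; then
    check_acquis "$@"
fi
```

Exit status is non-zero when anything is off, so it can be run before restarting the container and followed up with cscli metrics to confirm the HA file now appears under Acquisition Metrics with a non-zero "Lines read".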