urbaman
1
Hi,
I see no alerts on my dashboard (last one from some days ago), so no decisions and a warning in the logs about the traefik bouncer:
time="2024-12-14T22:49:27+01:00" level=info msg="10.0.100.52 - [Sat, 14 Dec 2024 22:49:27 CET] \"GET /health HTTP/2.0 200 53.823µs \"kube-probe/1.31\" \""
time="2024-12-14T22:49:28+01:00" level=info msg="10.0.100.52 - [Sat, 14 Dec 2024 22:49:28 CET] \"GET /health HTTP/2.0 200 33.009µs \"kube-probe/1.31\" \""
time="2024-12-14T22:49:37+01:00" level=info msg="10.0.100.52 - [Sat, 14 Dec 2024 22:49:37 CET] \"GET /health HTTP/2.0 200 37.053µs \"kube-probe/1.31\" \""
time="2024-12-14T22:49:38+01:00" level=info msg="10.0.100.52 - [Sat, 14 Dec 2024 22:49:38 CET] \"GET /health HTTP/2.0 200 37.934µs \"kube-probe/1.31\" \""
time="2024-12-14T22:49:39+01:00" level=warning msg="bad user agent 'Crowdsec bouncer Traefik Plugin'" ip=10.1.238.140 name="CrowdSec Bouncer@10.1.238.140"
time="2024-12-14T22:49:39+01:00" level=info msg="10.1.238.140 - [Sat, 14 Dec 2024 22:49:39 CET] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 133.700299ms \"Crowdsec bouncer Traefik Plugin\" \""
time="2024-12-14T22:49:47+01:00" level=info msg="10.0.100.52 - [Sat, 14 Dec 2024 22:49:47 CET] \"GET /health HTTP/2.0 200 36.034µs \"kube-probe/1.31\" \""
time="2024-12-14T22:49:48+01:00" level=info msg="10.0.100.52 - [Sat, 14 Dec 2024 22:49:48 CET] \"GET /health HTTP/2.0 200 39.753µs \"kube-probe/1.31\" \""
time="2024-12-14T22:49:57+01:00" level=info msg="10.0.100.52 - [Sat, 14 Dec 2024 22:49:57 CET] \"GET /health HTTP/2.0 200 29.873µs \"kube-probe/1.31\" \""
It’s a microk8s deployment that worked for over a month:
What could have gone wrong?
urbaman
2
It could have happened after the last LAPI pod restart:
NAME READY STATUS RESTARTS AGE
crowdsec-lapi-7ffcd555fb-vcls8 1/1 Running 1 (4d14h ago)
So maybe it lost some settings?
I also do not see alerts/decisions mostly after the restart:
cscli alerts list
╭──────┬───────────────────┬────────────────────────────────────────────┬─────────┬──────────────────────────────────┬───────────┬─────────────────────────────────────────╮
│ ID │ value │ reason │ country │ as │ decisions │ created_at │
├──────┼───────────────────┼────────────────────────────────────────────┼─────────┼──────────────────────────────────┼───────────┼─────────────────────────────────────────┤
│ 3009 │ Ip:172.172.130.74 │ crowdsecurity/http-crawl-non_statics │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-11 00:07:57.571233236 +0000 UTC │
│ 3008 │ Ip:172.172.130.74 │ crowdsecurity/http-backdoors-attempts │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-11 00:08:10.543425113 +0000 UTC │
│ 3007 │ Ip:172.172.130.74 │ crowdsecurity/http-admin-interface-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-11 00:07:58.768890106 +0000 UTC │
│ 3006 │ Ip:172.172.130.74 │ crowdsecurity/http-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-11 00:07:57.571276296 +0000 UTC │
│ 3005 │ Ip:172.172.130.74 │ crowdsecurity/http-wordpress-scan │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-11 00:07:57.571175891 +0000 UTC │
│ 3004 │ Ip:52.163.62.159 │ crowdsecurity/http-backdoors-attempts │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:31:33.541056344 +0000 UTC │
│ 3003 │ Ip:52.163.62.159 │ crowdsecurity/http-admin-interface-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:31:11.012633578 +0000 UTC │
│ 3002 │ Ip:52.163.62.159 │ crowdsecurity/http-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:31:10.168332747 +0000 UTC │
│ 3001 │ Ip:52.163.62.159 │ crowdsecurity/http-wordpress-scan │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:31:10.340202307 +0000 UTC │
│ 2999 │ Ip:206.189.83.126 │ crowdsecurity/http-probing │ SG │ 14061 DIGITALOCEAN-ASN │ ban:1 │ 2024-12-10 23:17:27.658994314 +0000 UTC │
│ 2998 │ Ip:206.189.83.126 │ crowdsecurity/http-wordpress-scan │ SG │ 14061 DIGITALOCEAN-ASN │ ban:1 │ 2024-12-10 23:17:27.658842087 +0000 UTC │
│ 2997 │ Ip:52.163.64.127 │ crowdsecurity/http-admin-interface-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:09:19.126676502 +0000 UTC │
│ 2996 │ Ip:52.163.64.127 │ crowdsecurity/http-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:09:18.061859538 +0000 UTC │
│ 2995 │ Ip:52.163.64.127 │ crowdsecurity/http-wordpress-scan │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:09:18.061865046 +0000 UTC │
│ 2994 │ Ip:52.187.74.132 │ crowdsecurity/http-admin-interface-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:03:28.968670733 +0000 UTC │
│ 2993 │ Ip:52.187.74.132 │ crowdsecurity/http-crawl-non_statics │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:02:21.534166669 +0000 UTC │
│ 2992 │ Ip:52.187.74.132 │ crowdsecurity/http-backdoors-attempts │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:02:33.225537643 +0000 UTC │
│ 2991 │ Ip:52.187.74.132 │ crowdsecurity/http-admin-interface-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:02:21.534262303 +0000 UTC │
│ 2990 │ Ip:52.187.74.132 │ crowdsecurity/http-wordpress-scan │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:02:22.78149756 +0000 UTC │
│ 2989 │ Ip:52.187.74.132 │ crowdsecurity/http-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 23:02:21.534324391 +0000 UTC │
│ 2988 │ Ip:109.202.99.46 │ crowdsecurity/http-probing │ NL │ 49453 Global Layer B.V. │ ban:1 │ 2024-12-10 22:51:26.500555642 +0000 UTC │
│ 2987 │ Ip:109.202.99.46 │ crowdsecurity/http-sensitive-files │ NL │ 49453 Global Layer B.V. │ ban:1 │ 2024-12-10 22:51:26.509443904 +0000 UTC │
│ 2986 │ Ip:52.163.62.159 │ crowdsecurity/http-backdoors-attempts │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:42:42.963167051 +0000 UTC │
│ 2985 │ Ip:52.163.62.159 │ crowdsecurity/http-admin-interface-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:42:19.776381834 +0000 UTC │
│ 2984 │ Ip:52.163.62.159 │ crowdsecurity/http-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:42:18.766851268 +0000 UTC │
│ 2983 │ Ip:52.163.62.159 │ crowdsecurity/http-wordpress-scan │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:42:18.936010393 +0000 UTC │
│ 2982 │ Ip:13.250.15.200 │ crowdsecurity/http-probing │ SG │ 16509 AMAZON-02 │ ban:1 │ 2024-12-10 22:37:03.560802216 +0000 UTC │
│ 2981 │ Ip:178.128.94.68 │ crowdsecurity/http-probing │ SG │ 14061 DIGITALOCEAN-ASN │ ban:1 │ 2024-12-10 22:32:35.560573347 +0000 UTC │
│ 2980 │ Ip:52.163.62.159 │ crowdsecurity/http-backdoors-attempts │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:24:44.454682439 +0000 UTC │
│ 2979 │ Ip:52.163.62.159 │ crowdsecurity/http-admin-interface-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:24:18.471052687 +0000 UTC │
│ 2978 │ Ip:52.163.62.159 │ crowdsecurity/http-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:24:17.388653634 +0000 UTC │
│ 2977 │ Ip:52.163.62.159 │ crowdsecurity/http-wordpress-scan │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:24:17.576201724 +0000 UTC │
│ 2976 │ Ip:52.187.30.82 │ crowdsecurity/http-crawl-non_statics │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:10:29.430009338 +0000 UTC │
│ 2975 │ Ip:52.187.30.82 │ crowdsecurity/http-backdoors-attempts │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:10:29.430161424 +0000 UTC │
│ 2974 │ Ip:52.187.30.82 │ crowdsecurity/http-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:10:29.430156777 +0000 UTC │
│ 2973 │ Ip:52.187.24.247 │ crowdsecurity/http-admin-interface-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:07:19.67005327 +0000 UTC │
│ 2972 │ Ip:52.187.24.247 │ crowdsecurity/http-probing │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:07:18.492779648 +0000 UTC │
│ 2971 │ Ip:52.187.24.247 │ crowdsecurity/http-wordpress-scan │ SG │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:07:18.492702224 +0000 UTC │
│ 2970 │ Ip:20.169.232.142 │ crowdsecurity/http-admin-interface-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:06:44.686550158 +0000 UTC │
│ 2969 │ Ip:20.169.232.142 │ crowdsecurity/http-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:06:44.113197622 +0000 UTC │
│ 2968 │ Ip:20.169.232.142 │ crowdsecurity/http-wordpress-scan │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 22:06:44.11302983 +0000 UTC │
│ 2967 │ Ip:172.172.130.74 │ crowdsecurity/http-backdoors-attempts │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 21:51:06.995373735 +0000 UTC │
│ 2966 │ Ip:172.172.130.74 │ crowdsecurity/http-admin-interface-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 21:50:50.167275722 +0000 UTC │
│ 2965 │ Ip:172.172.130.74 │ crowdsecurity/http-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 21:50:49.503357431 +0000 UTC │
│ 2964 │ Ip:172.172.130.74 │ crowdsecurity/http-wordpress-scan │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 21:50:49.642422335 +0000 UTC │
│ 2963 │ Ip:20.169.232.142 │ crowdsecurity/http-admin-interface-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 21:45:13.756684985 +0000 UTC │
│ 2962 │ Ip:20.169.232.142 │ crowdsecurity/http-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 21:45:12.983279069 +0000 UTC │
│ 2961 │ Ip:20.169.232.142 │ crowdsecurity/http-wordpress-scan │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 21:45:12.982520406 +0000 UTC │
│ 2960 │ Ip:20.169.232.142 │ crowdsecurity/http-admin-interface-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 21:37:00.24545845 +0000 UTC │
│ 2959 │ Ip:20.169.232.142 │ crowdsecurity/http-probing │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2024-12-10 21:36:58.991034621 +0000 UTC │
╰──────┴───────────────────┴────────────────────────────────────────────┴─────────┴──────────────────────────────────┴───────────┴─────────────────────────────────────────╯
crowdsec-lapi-7ffcd555fb-vcls8:/# cscli decisions list
No active decisions