Tainted collection-scenario for custom setting

Hi,
I’ve a strange problem on a web app with auth basic login and Chrome (it seems the problem does not happen with Firefox).
The steps are:

  1. a user opens multiple tabs on the same application and he logs in correctly
  2. the session expires and the user closes Chrome
  3. the user restarts Chrome (and it restores all the previous tabs)
  4. the user enters a wrong password at the auth basic login in a tab

On Apache error.log I can see several rows like this one:

[Tue Aug 16 15:30:18.589649 2022] [auth_basic:error] [pid 3810045:tid 140349557122816] [client IP_ADDRESS:34372] AH01617: user MYUSERNAME: authentication failure for "/": Password Mismatch

and also like this

[Tue Aug 16 15:30:18.589649 2022] [auth_basic:error] [pid 3810045:tid 140349557122816] [client IP_ADDRESS:34372] AH01617: user MYUSERNAME: authentication failure for "/MYPATH": Password Mismatch, referer: https://MYWEBAPP.MYDOMAIN./ANOTHER_PATH

and a ban happens, so with just one wrong login the user gets banned.

I can’t understand how to fix it; my only idea is to increase the capacity of the crowdsecurity/http-generic-bf scenario, but when I try the command sudo cscli hub list it tells me that both the crowdsecurity/http-generic-bf scenario and the crowdsecurity/base-http-scenarios collection are tainted.

How can I resolve this?

Many thanks.

Hey, and thanks for your question. Sorry about the long turnaround time on a reply, though.

In terms of the message you get on the scenario being tainted that’s expected behavior. But as far as I know it doesn’t mean anything in terms of how well the scenario works or if the agent is collecting data and sharing them. Can you confirm that everything works in spite of this? As I understand it you do the right thing to fix it.

On an unrelated note: if you want a faster reply on your support requests going forward I would advise you to join our Discord at CrowdSec.

Many thanks for your reply.

So, is this the right way to modify a standard scenario? And what happens when I upgrade the scenario?

Hey

Yes this is the right way. When you upgrade, nothing gets overwritten by default. You would need to use --force for that.

So to edit an existing scenario you have two options

  1. edit the file directly and live with the hassle of upgrading
  2. copy it, give it another name and use this one instead going forward.

I hope that provided a reply for you. If not, you’re welcome to ask again, of course.
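
Added example, not part of any post in this thread and not CrowdSec's own code: a simplified leaky-bucket model run over constructed AH01617 rows, showing why several restored tabs failing at once can trip a brute-force scenario after a single wrong password, and how a larger capacity changes the outcome. The capacity and leakspeed values, the sample rows, the IP addresses and the function names are all assumptions made for the illustration.

```python
import re
from datetime import datetime

# Matches Apache auth_basic failures (AH01617) in the format quoted in the thread.
AH01617 = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[auth_basic:error\] .*?\[client (?P<ip>[^\]:]+):\d+\] "
    r"AH01617: user \S+: authentication failure"
)

def parse(line):
    """Return (timestamp, client_ip) for an AH01617 row, else None."""
    m = AH01617.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    return ts, m.group("ip")

def overflows(lines, capacity, leakspeed):
    """Simplified model (assumption): one bucket per client IP, each failure adds
    one item, one item leaks every `leakspeed` seconds, and holding more than
    `capacity` items counts as an overflow. Returns the set of overflowing IPs."""
    level, last, hit = {}, {}, set()
    for ts, ip in filter(None, map(parse, lines)):
        if ip in last:
            leaked = (ts - last[ip]).total_seconds() / leakspeed
            level[ip] = max(0.0, level[ip] - leaked)
        level[ip] = level.get(ip, 0.0) + 1
        last[ip] = ts
        if level[ip] > capacity:
            hit.add(ip)
    return hit

def row(sec, ip, path):
    """Build one constructed sample row (not real log data)."""
    return (f"[Tue Aug 16 15:30:{sec:09.6f} 2022] [auth_basic:error] [pid 1:tid 2] "
            f"[client {ip}:34372] AH01617: user demo: authentication failure "
            f'for "{path}": Password Mismatch')

# Constructed input: 8 restored tabs retrying within one second from one client,
# plus a second client with 3 failures spread over 50 seconds.
SAMPLE = [row(18 + i / 10, "203.0.113.7", f"/tab{i}") for i in range(8)]
SAMPLE += [row(s, "198.51.100.9", "/") for s in (0, 25, 50)]

if __name__ == "__main__":
    print("capacity 5: ", overflows(SAMPLE, capacity=5, leakspeed=10))
    print("capacity 10:", overflows(SAMPLE, capacity=10, leakspeed=10))
```
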