The bouncer decision would overwrite the manual decision?

background

I used the cs-firewall-bouncer-1693367437 bouncer, and the same IP is using ssh-bf, ssh-slow-bf, ssh-bf_user-enum and ssh-slow-bf_user-enum to attack my server.

problem

  1. I received many alerts from the same IP; does it work as expected? I thought it would alert once when the IP is banned.
  2. I added a decision using cscli decisions add --ip 64.227.128.155 --duration 24h, but it was overwritten by another decision, as in the image below. Is it included in the skipped decisions?

Thanks for any help.

/var/log/crowdsec.log

Hmmmm, something may be mis-configured then, as the IP address should be blocked; however, within the firewall rules there may be a rule on top of ours allowing SSH.

does it included in the skipped decisions?

Yes, decisions are created whenever they are triggered, so if a decision is made after one was already there, this one is the newest.

Which underlying firewall are you using?

I use ufw to manage my firewall. And here is the bouncer I used:

/etc/crowdsec/profiles.yaml:

name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
  - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break

/etc/crowdsec/notifications/http.yaml

type: http          # Don't change
name: http_default  # Must match the registered plugin in the profile

# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info

# group_wait:         # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
group_threshold: 10   # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry:          # Number of attempts to relay messages to plugins in case of error
# timeout:            # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"

#-------------------------
# plugin-specific options

# The following template receives a list of models.Alert objects
# The output goes in the http request body
format: |
  {{.|toJson}}

...skipped something...

hub list

INFO[12-01-2024 07:47:12] Loaded 100 collecs, 110 parsers, 186 scenarios, 7 post-overflow parsers
INFO[12-01-2024 07:47:12] unmanaged items : 1 local, 0 tainted

COLLECTIONS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                📦 Status   Version   Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/base-http-scenarios   ✔️ enabled   0.6       /etc/crowdsec/collections/base-http-scenarios.yaml
 crowdsecurity/http-cve              ✔️ enabled   2.1       /etc/crowdsec/collections/http-cve.yaml
 crowdsecurity/linux                 ✔️ enabled   0.2       /etc/crowdsec/collections/linux.yaml
 crowdsecurity/nginx                 ✔️ enabled   0.2       /etc/crowdsec/collections/nginx.yaml
 crowdsecurity/sshd                  ✔️ enabled   0.2       /etc/crowdsec/collections/sshd.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────

PARSERS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                             📦 Status          Version   Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/dateparse-enrich   ✔️ enabled          0.2       /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
 crowdsecurity/geoip-enrich       ✔️ enabled          0.2       /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
 crowdsecurity/http-logs          ✔️ enabled          1.1       /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
 crowdsecurity/nginx-logs         ✔️ enabled          1.4       /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
 crowdsecurity/sshd-logs          ✔️ enabled          2.2       /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
 crowdsecurity/syslog-logs        ✔️ enabled          0.8       /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
 crowdsecurity/whitelists         ✔️ enabled          0.2       /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
 mywhitelists.yaml                🏠 enabled,local             /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

SCENARIOS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                               📦 Status   Version   Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/CVE-2019-18935                       ✔️ enabled   0.1       /etc/crowdsec/scenarios/CVE-2019-18935.yaml
 crowdsecurity/CVE-2022-26134                       ✔️ enabled   0.1       /etc/crowdsec/scenarios/CVE-2022-26134.yaml
 crowdsecurity/CVE-2022-35914                       ✔️ enabled   0.1       /etc/crowdsec/scenarios/CVE-2022-35914.yaml
 crowdsecurity/CVE-2022-37042                       ✔️ enabled   0.1       /etc/crowdsec/scenarios/CVE-2022-37042.yaml
 crowdsecurity/CVE-2022-40684                       ✔️ enabled   0.2       /etc/crowdsec/scenarios/CVE-2022-40684.yaml
 crowdsecurity/CVE-2022-41082                       ✔️ enabled   0.3       /etc/crowdsec/scenarios/CVE-2022-41082.yaml
 crowdsecurity/CVE-2022-41697                       ✔️ enabled   0.1       /etc/crowdsec/scenarios/CVE-2022-41697.yaml
 crowdsecurity/CVE-2022-42889                       ✔️ enabled   0.2       /etc/crowdsec/scenarios/CVE-2022-42889.yaml
 crowdsecurity/CVE-2022-44877                       ✔️ enabled   0.2       /etc/crowdsec/scenarios/CVE-2022-44877.yaml
 crowdsecurity/CVE-2022-46169                       ✔️ enabled   0.1       /etc/crowdsec/scenarios/CVE-2022-46169.yaml
 crowdsecurity/apache_log4j2_cve-2021-44228         ✔️ enabled   0.4       /etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml
 crowdsecurity/f5-big-ip-cve-2020-5902              ✔️ enabled   0.1       /etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml
 crowdsecurity/fortinet-cve-2018-13379              ✔️ enabled   0.2       /etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml
 crowdsecurity/grafana-cve-2021-43798               ✔️ enabled   0.1       /etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml
 crowdsecurity/http-backdoors-attempts              ✔️ enabled   0.3       /etc/crowdsec/scenarios/http-backdoors-attempts.yaml
 crowdsecurity/http-bad-user-agent                  ✔️ enabled   0.8       /etc/crowdsec/scenarios/http-bad-user-agent.yaml
 crowdsecurity/http-crawl-non_statics               ✔️ enabled   0.3       /etc/crowdsec/scenarios/http-crawl-non_statics.yaml
 crowdsecurity/http-cve-2021-41773                  ✔️ enabled   0.1       /etc/crowdsec/scenarios/http-cve-2021-41773.yaml
 crowdsecurity/http-cve-2021-42013                  ✔️ enabled   0.1       /etc/crowdsec/scenarios/http-cve-2021-42013.yaml
 crowdsecurity/http-generic-bf                      ✔️ enabled   0.4       /etc/crowdsec/scenarios/http-generic-bf.yaml
 crowdsecurity/http-open-proxy                      ✔️ enabled   0.3       /etc/crowdsec/scenarios/http-open-proxy.yaml
 crowdsecurity/http-path-traversal-probing          ✔️ enabled   0.2       /etc/crowdsec/scenarios/http-path-traversal-probing.yaml
 crowdsecurity/http-probing                         ✔️ enabled   0.2       /etc/crowdsec/scenarios/http-probing.yaml
 crowdsecurity/http-sensitive-files                 ✔️ enabled   0.2       /etc/crowdsec/scenarios/http-sensitive-files.yaml
 crowdsecurity/http-sqli-probing                    ✔️ enabled   0.2       /etc/crowdsec/scenarios/http-sqli-probing.yaml
 crowdsecurity/http-xss-probing                     ✔️ enabled   0.2       /etc/crowdsec/scenarios/http-xss-probing.yaml
 crowdsecurity/jira_cve-2021-26086                  ✔️ enabled   0.1       /etc/crowdsec/scenarios/jira_cve-2021-26086.yaml
 crowdsecurity/netgear_rce                          ✔️ enabled   0.2       /etc/crowdsec/scenarios/netgear_rce.yaml
 crowdsecurity/nginx-req-limit-exceeded             ✔️ enabled   0.1       /etc/crowdsec/scenarios/nginx-req-limit-exceeded.yaml
 crowdsecurity/pulse-secure-sslvpn-cve-2019-11510   ✔️ enabled   0.2       /etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml
 crowdsecurity/spring4shell_cve-2022-22965          ✔️ enabled   0.2       /etc/crowdsec/scenarios/spring4shell_cve-2022-22965.yaml
 crowdsecurity/ssh-bf                               ✔️ enabled   0.1       /etc/crowdsec/scenarios/ssh-bf.yaml
 crowdsecurity/ssh-slow-bf                          ✔️ enabled   0.2       /etc/crowdsec/scenarios/ssh-slow-bf.yaml
 crowdsecurity/thinkphp-cve-2018-20062              ✔️ enabled   0.3       /etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml
 crowdsecurity/vmware-cve-2022-22954                ✔️ enabled   0.2       /etc/crowdsec/scenarios/vmware-cve-2022-22954.yaml
 crowdsecurity/vmware-vcenter-vmsa-2021-0027        ✔️ enabled   0.1       /etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml
 ltsich/http-w00tw00t                               ✔️ enabled   0.1       /etc/crowdsec/scenarios/http-w00tw00t.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

I checked the ipset:

> ipset list crowdsec-blacklists | grep 64.227.128.155
64.227.128.155 timeout 549211

Yes, but UFW isn't a firewall, it's a manager for a firewall. So you need to check the actual rules, i.e. which underlying firewall you have configured it to use. If you don't know, then it is most likely iptables, so you can see the rules if you run sudo iptables -L
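One way to do the check the reply above asks for, given here as an added example that is not from the thread or from the CrowdSec project: the script parses `iptables -S INPUT` style output and reports every rule that is evaluated before the jump into the bouncer's chain and could let SSH through, either a direct ACCEPT on port 22 or a jump into another chain (such as the ufw chains) that has to be inspected by hand. The chain name CROWDSEC_CHAIN and the two rule listings are assumptions constructed for the example; on a real host, replace the sample with the output of `iptables -S INPUT`.

```python
"""Report iptables rules that shadow the CrowdSec firewall bouncer chain.

The bouncer only drops a banned IP if the jump into its chain is reached
before any rule that ACCEPTs the traffic. This script parses `iptables -S`
output for the INPUT chain and lists the rules evaluated before that jump
which could accept SSH: a direct ACCEPT on the port, or a jump into another
user chain (ufw keeps its allow rules in such chains).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Assumed name of the chain the bouncer creates in iptables mode.
CROWDSEC_CHAIN = "CROWDSEC_CHAIN"

# Constructed sample in the format `iptables -S INPUT` prints.
# Mis-ordered: a ufw jump and an SSH ACCEPT sit above the bouncer chain.
SAMPLE_BAD = """\
-P INPUT DROP
-A INPUT -j ufw-before-input
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j CROWDSEC_CHAIN
"""

# Constructed sample with the bouncer jump first, as it should be.
SAMPLE_GOOD = """\
-P INPUT DROP
-A INPUT -j CROWDSEC_CHAIN
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ufw-before-input
"""

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
DPORT_RE = re.compile(r"--dport\s+(\d+)")
TARGET_RE = re.compile(r"-j\s+(\S+)")


@dataclass
class Rule:
    index: int            # 1-based position, the order iptables evaluates rules
    raw: str              # the rule line as printed by `iptables -S`
    target: str           # value of -j, or "" when the rule has no target
    dport: Optional[int]  # destination port from --dport, if any


def parse_rules(listing: str, chain: str = "INPUT") -> List[Rule]:
    """Parse the `-A <chain> ...` lines of an `iptables -S` listing."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(1) != chain:
            continue  # skip policy lines (-P) and rules belonging to other chains
        body = m.group(2)
        target = TARGET_RE.search(body)
        dport = DPORT_RE.search(body)
        rules.append(Rule(
            index=len(rules) + 1,
            raw=line.strip(),
            target=target.group(1) if target else "",
            dport=int(dport.group(1)) if dport else None,
        ))
    return rules


def rules_shadowing_bouncer(listing: str, port: int, chain: str = CROWDSEC_CHAIN) -> List[str]:
    """Return rules evaluated before the first jump to `chain` that could
    accept traffic to `port`. An empty list means the bouncer sees it first."""
    rules = parse_rules(listing)
    jumps = [r.index for r in rules if r.target == chain]
    if not jumps:
        raise ValueError(f"no jump to {chain} in INPUT; is the bouncer running in iptables mode?")
    first_jump = jumps[0]
    shadowing = []
    for r in rules:
        if r.index >= first_jump:
            break
        direct_accept = r.target == "ACCEPT" and r.dport in (port, None)
        user_chain = r.target and r.target not in BUILTIN_TARGETS
        if direct_accept or user_chain:
            shadowing.append(r.raw)
    return shadowing


def live_listing() -> str:
    """Read the real INPUT chain (needs root); not used in the offline demo."""
    return subprocess.run(["iptables", "-S", "INPUT"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        found = rules_shadowing_bouncer(sample, 22)
        print(f"{label}: {found or 'bouncer chain is evaluated first'}")
```

A rule reported as a jump into another chain is not necessarily an allow; it only means that chain runs before the bouncer and must be read (for ufw, typically ufw-user-input) to confirm whether it accepts port 22. Being listed in the ipset, as the `ipset list crowdsec-blacklists` output above shows, is not enough on its own if such a rule accepts the connection first.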