I use the cs-firewall-bouncer-1693367437 bouncer, and the same IP is using ssh-bf, ssh-slow-bf, ssh-bf_user-enum and ssh-slow-bf_user-enum to attack my server.
Problem
I received many alerts from the same IP; does it work as expected? I thought it would alert once when the IP is banned.
I added the decision using cscli decisions add --ip 64.227.128.155 --duration 24h, but it is overwritten by the other decision, as in the image below. Is it included in the skipped decisions?
Hmmmm, something may be misconfigured then, as the IP address should be blocked. However, within the firewall rules there may be a rule on top of ours allowing SSH.
Is it included in the skipped decisions?
Yes, decisions are applied whenever they are triggered, so if a decision is made after one was already there, that one is the newest.
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
  # - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
  # - splunk_default  # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
  - http_default  # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
  # - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
/etc/crowdsec/notifications/http.yaml
type: http  # Don't change
name: http_default  # Must match the registered plugin in the profile
# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info
# group_wait:  # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
group_threshold: 10  # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry:  # Number of attempts to relay messages to plugins in case of error
# timeout:  # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
#-------------------------
# plugin-specific options
# The following template receives a list of models.Alert objects
# The output goes in the http request body
format: |
  {{.|toJson}}
...skipped something...
Yes, but UFW isn't a firewall, it's a manager for a firewall. So you need to check the actual rules: which underlying firewall have you configured it to use? If you don't know, then most likely iptables, so you can see the rules if you run sudo iptables -L
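One way to check for exactly the problem described above, as an added example that is not from this thread or the CrowdSec project: feed it the output of `iptables -S` (the rule-spec form of the `iptables -L` listing) and it walks the INPUT chain, descending into the chains UFW creates, to see whether an SSH ACCEPT is reached before the jump into the bouncer's chain. The chain name CROWDSEC_CHAIN, the ipset name and the sample rules are assumptions, not taken from the poster's host.

```python
import re
CS_CHAIN = "CROWDSEC_CHAIN"  # the bouncer's default iptables chain (assumption)

def parse_rules(text):
    """Map chain name -> its rules (text after '-A <chain> '), in listing order."""
    chains = {}
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if parts[0] == "-A" and len(parts) == 3:
            chains.setdefault(parts[1], []).append(parts[2])
    return chains

def target(rule):
    m = re.search(r"-j (\S+)", rule)
    return m.group(1) if m else None

def accepts_ssh(rule):
    # ACCEPT of tcp/22, via --dport or a multiport --dports list
    m = re.search(r"--dports? (\S+)", rule)
    return target(rule) == "ACCEPT" and "-p tcp" in rule and bool(m) \
        and "22" in m.group(1).split(",")

def first_reached(chains, chain="INPUT", seen=None):
    """Walk rules in evaluation order, descending into user chains (UFW's layout);
    match conditions are not evaluated. Returns 'bouncer', 'ssh_accept' or None."""
    seen = set() if seen is None else seen
    seen.add(chain)
    for rule in chains.get(chain, []):
        tgt = target(rule)
        if tgt == CS_CHAIN:
            return "bouncer"
        if accepts_ssh(rule):
            return "ssh_accept"
        if tgt in chains and tgt not in seen:
            hit = first_reached(chains, tgt, seen)
            if hit:
                return hit
    return None

# Constructed `iptables -S` listing trimmed to the chains that matter; the ipset
# name is the bouncer's default (assumption). UFW's SSH allow is reached first.
SHADOWED = """\
-A INPUT -j ufw-before-input
-A INPUT -j CROWDSEC_CHAIN
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A CROWDSEC_CHAIN -m set --match-set crowdsec-blacklists src -j DROP
"""
# Same rules with the bouncer jump moved to the top of INPUT.
FIXED = "-A INPUT -j CROWDSEC_CHAIN\n" + SHADOWED.replace("-A INPUT -j CROWDSEC_CHAIN\n", "")
```

On a live host, `first_reached(parse_rules(open("rules.txt").read()))` on saved `sudo iptables -S` output returning 'ssh_accept' means the bouncer's DROP can never fire for SSH from a banned IP.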