Traefik: failed basic auth attempts aren’t banned

crowdsec
1

Hello everyone,

I first used fail2ban and have now switched to Crowdsec.

I run some services behind Traefik and for testing I added a basic authentication. After a few failed login attempts the IP was banned by fail2ban, not so with crowdsec.

I have analyzed an excerpt with the failed login attempts by cscli explain and would appreciate help and advice.

line: 2003:cf:xxx:xxx:xxx:xxx:xxx:xxx- fgjh [17/Dec/2024:15:59:28 +0000] “GET / HTTP/2.0” 401 17 “-” “-” 108709 “whoami-new@docker” “-” 1ms
├ s00-raw
| ├ :red_circle: crowdsecurity/cri-logs
| ├ :red_circle: crowdsecurity/docker-logs
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/appsec-logs
| ├ :red_circle: crowdsecurity/iptables-logs
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| ├ :red_circle: crowdsecurity/sshd-success-logs
| └ :green_circle: crowdsecurity/traefik-logs (+24 ~2)
├ s02-enrich
| ├ :green_circle: crowdsecurity/dateparse-enrich (+2 ~2)
| ├ :green_circle: crowdsecurity/geoip-enrich (+13)
| ├ :green_circle: crowdsecurity/http-logs (+6)
| └ :green_circle: crowdsecurity/whitelists (unchanged)
├-------- parser success :green_circle:
├ Scenarios
:green_circle: crowdsecurity/http-crawl-non_statics
:green_circle: crowdsecurity/http-dos-swithcing-ua

The log files are evaluated:
───────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/logs/traefik/access.log │ 1.82k │ 1.81k │ 14 │ 641 │ - │
│ file:/logs/traefik/traefik.log │ 1.18k │ - │ 1.18k │ - │ - │

crowdsecurity/http-generic-bf :heavy_check_mark: enabled 0.6 /etc/crowdsec/scenarios/http-generic-bf.yaml

Can someone help me? :slight_smile:

BR,
Chris

2

The http-generic-bf scenarios checks for POST method requests, not GET so when you mean login do you mean basic www authenticate?

3

Sure, I have added basic www auth (I mean a basicAuth middleware in Traefik)

4

Okay, we looked at it and the filter on POST doesnt make much sense as in the case where www auth is used then this can happen on any requests. We will make changes to update the scenario.

1 Like
5

Thanks for the update, sounds good.

6

Can you already estimate when an update can be expected?

7

It is now merged, if you are on the latest version you can run:

cscli hub update && cscli hub upgrade

If you are running inside a container you can exec those commands and restart the container afterwards.

1 Like
8

Please note due to a lot of feedback on the changes about false positives and overall decline in alerts generated from these changes we have decided to revert these changes for now till we can explore a better solution for traefik.

The issue with CLF logs with traefik we do not know it’s a failed authentication as it a middleware, if the middle was logging some kind of information this would be better to monitor for.

9

Hello,

thanks for the update!
That is of course a disappointment, but I have also received false positives.

It happened to me when I was working with Safari on my MacBook (see logs).

What information is missing in Traefik’s log file? You can actually display quite extensive information.

Best regards,
Christopher

91.xx.xx.110 - - [20/Jan/2025:20:42:58 +0000] "GET /apple-touch-icon.png HTTP/2.0" 401 17 "-" "com.apple.WebKit.Networking/20619.2.8.11.12 Network/4277.41.2 macOS/15.1.1" 651997 "whoami-new@docker" "-" 0ms
91.xx.xx.110 - - [20/Jan/2025:20:42:58 +0000] "GET /apple-touch-icon-precomposed.png HTTP/2.0" 401 17 "-" "com.apple.WebKit.Networking/20619.2.8.11.12 Network/4277.41.2 macOS/15.1.1" 651998 "whoami-new@docker" "-" 0ms
91.xx.xx.110 - - [20/Jan/2025:20:42:58 +0000] "GET /favicon.ico HTTP/2.0" 401 17 "-" "com.apple.WebKit.Networking/20619.2.8.11.12 Network/4277.41.2 macOS/15.1.1" 651996 "whoami-new@docker" "-" 0ms
91.xx.xx.110 - - [20/Jan/2025:20:42:58 +0000] "GET / HTTP/2.0" 401 17 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0" 651999 "whoami-new@docker" "-" 0ms
10

If the logs are set to JSON instead of CLF there could be more information that we could know such as www-authenticate` header for example we used in the caddy parser

I see traefik does have a way to include the headers:

but we would only care about Authorization header from the request

11

Ok. Thanks for the update.
I am not sure if I have understood this correctly. Does this mean that I get the desired behavior if I set the log output in Traefik accordingly and include the headers?