Hello everyone,
I first used fail2ban and have now switched to Crowdsec.
I run some services behind Traefik and for testing I added a basic authentication. After a few failed login attempts the IP was banned by fail2ban, not so with crowdsec.
I have analyzed an excerpt with the failed login attempts using cscli explain and would appreciate help and advice.
line: 2003:cf:xxx:xxx:xxx:xxx:xxx:xxx- fgjh [17/Dec/2024:15:59:28 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 108709 "whoami-new@docker" "-" 1ms
├ s00-raw
| ├ crowdsecurity/cri-logs
| ├ crowdsecurity/docker-logs
| ├ crowdsecurity/syslog-logs
| └ crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ crowdsecurity/appsec-logs
| ├ crowdsecurity/iptables-logs
| ├ crowdsecurity/nginx-logs
| ├ crowdsecurity/sshd-logs
| ├ crowdsecurity/sshd-success-logs
| └ crowdsecurity/traefik-logs (+24 ~2)
├ s02-enrich
| ├ crowdsecurity/dateparse-enrich (+2 ~2)
| ├ crowdsecurity/geoip-enrich (+13)
| ├ crowdsecurity/http-logs (+6)
| └ crowdsecurity/whitelists (unchanged)
├-------- parser success
├ Scenarios
├ crowdsecurity/http-crawl-non_statics
└ crowdsecurity/http-dos-swithcing-ua
The log files are evaluated:
───────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/logs/traefik/access.log │ 1.82k │ 1.81k │ 14 │ 641 │ - │
│ file:/logs/traefik/traefik.log │ 1.18k │ - │ 1.18k │ - │ - │
crowdsecurity/http-generic-bf enabled 0.6 /etc/crowdsec/scenarios/http-generic-bf.yaml
Can someone help me?
BR,
Chris
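As an added example (not part of the post, and not CrowdSec's own code): a small Python model of what a brute-force scenario does with lines like the one in the cscli explain output. It parses Traefik's default access-log format and pours every 401 response into a per-source-IP leaky bucket; the capacity, leak speed and the "status == 401" filter are assumed values, a simplified stand-in for the hub scenario's real filter.

```python
import re
from datetime import datetime
# Traefik's default (CLF-with-extras) access-log format, as in the cscli explain line above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<reqnum>\d+) "(?P<router>[^"]*)" "(?P<backend>[^"]*)" (?P<dur>\d+)ms$')

def parse_line(line):
    """Return the fields of one Traefik access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

class LeakyBucket:
    """Simplified leaky bucket: overflows when more than `capacity` events arrive
    faster than they drain (one event leaks out every `leakspeed` seconds)."""
    def __init__(self, capacity, leakspeed):
        self.capacity, self.leakspeed, self.level, self.last = capacity, leakspeed, 0.0, None
    def pour(self, ts):
        if self.last is not None:  # drain what leaked since the previous event
            self.level = max(0.0, self.level - (ts - self.last).total_seconds() / self.leakspeed)
        self.last, self.level = ts, self.level + 1
        if self.level > self.capacity:
            self.level = 0.0  # overflow: alert, then start again with an empty bucket
            return True
        return False

def detect_bf(lines, capacity=5, leakspeed=10):
    """Pour every 401 response into a per-source-IP bucket; return IPs whose bucket overflowed."""
    buckets, flagged = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 401:
            continue  # unparsed lines and non-failures never reach the bucket
        bucket = buckets.setdefault(ev["ip"], LeakyBucket(capacity, leakspeed))
        if bucket.pour(ev["ts"]) and ev["ip"] not in flagged:
            flagged.append(ev["ip"])
    return flagged

# Constructed sample: six basic-auth failures from one address in six seconds, plus one success.
SAMPLE = [
    f'2001:db8::1 - user [17/Dec/2024:15:59:{20 + i:02d} +0000] "GET / HTTP/2.0" 401 17 "-" "-" '
    f'{100 + i} "whoami@docker" "-" 1ms' for i in range(6)
] + ['2001:db8::2 - - [17/Dec/2024:15:59:30 +0000] "GET / HTTP/2.0" 200 17 "-" "-" 200 "whoami@docker" "-" 1ms']
```

Running `detect_bf(SAMPLE)` flags only `2001:db8::1`; the same six failures spread minutes apart drain out of the bucket and never overflow.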