Why ban same domain multiple times

Hi,

I’m new to CrowdSec. I think everything is running correctly. It’s running in a Debian VM on a Proxmox server with Nginx Proxy Manager from this blog.

cscli metrics

```text
root@docker-vm:~# cscli metrics
Acquisition Metrics:
╭───────────────────────────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/root/docker/nginxproxymanager/data/logs/fallback_access.log │ 81 │ 77 │ 4 │ 93 │ 19 │
│ file:/root/docker/nginxproxymanager/data/logs/fallback_error.log │ 46 │ 43 │ 3 │ 52 │ - │
│ file:/root/docker/nginxproxymanager/data/logs/proxy-host-1_access.log │ 495 │ 485 │ 10 │ - │ 424 │
│ file:/root/docker/nginxproxymanager/data/logs/proxy-host-1_error.log │ 10 │ - │ 10 │ - │ - │
│ file:/root/docker/nginxproxymanager/data/logs/proxy-host-2_access.log │ 20 │ 20 │ - │ 20 │ - │
╰───────────────────────────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Local API Alerts:
╭──────────────────────────────────────────────────────────────────────────┬───────╮
│ Reason │ Count │
├──────────────────────────────────────────────────────────────────────────┼───────┤
│ crowdsecurity/http-probing │ 10 │
│ crowdsecurity/http-sensitive-files │ 3 │
│ crowdsecurity/http-wordpress-scan │ 2 │
│ crowdsecurity/thinkphp-cve-2018-20062 │ 2 │
│ crowdsecurity/http-backdoors-attempts │ 2 │
│ crowdsecurity/http-crawl-non_statics │ 2 │
│ manual ‘ban’ from ‘40601cb7ebcf4751b38f35e596156eca9MN21HU3GK4Oxccs’ │ 1 │
│ manual ‘captcha’ from ‘40601cb7ebcf4751b38f35e596156eca9MN21HU3GK4Oxccs’ │ 3 │
│ crowdsecurity/CVE-2017-9841 │ 10 │
│ crowdsecurity/http-admin-interface-probing │ 5 │
╰──────────────────────────────────────────────────────────────────────────┴───────╯

Local API Decisions:
╭────────────────────────────────────────────┬──────────┬────────┬───────╮
│ Reason │ Origin │ Action │ Count │
├────────────────────────────────────────────┼──────────┼────────┼───────┤
│ crowdsecurity/CVE-2022-26134 │ CAPI │ ban │ 8 │
│ crowdsecurity/CVE-2023-22515 │ CAPI │ ban │ 6 │
│ crowdsecurity/f5-big-ip-cve-2020-5902 │ CAPI │ ban │ 1 │
│ crowdsecurity/http-admin-interface-probing │ CAPI │ ban │ 270 │
│ crowdsecurity/http-admin-interface-probing │ crowdsec │ ban │ 2 │
│ crowdsecurity/thinkphp-cve-2018-20062 │ CAPI │ ban │ 181 │
│ crowdsecurity/thinkphp-cve-2018-20062 │ crowdsec │ ban │ 1 │
│ crowdsecurity/CVE-2022-37042 │ CAPI │ ban │ 1 │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI │ ban │ 44 │
│ crowdsecurity/nginx-req-limit-exceeded │ CAPI │ ban │ 494 │
│ crowdsecurity/http-sensitive-files │ CAPI │ ban │ 344 │
│ crowdsecurity/ssh-slow-bf │ CAPI │ ban │ 6226 │
│ crowdsecurity/CVE-2022-35914 │ CAPI │ ban │ 2 │
│ crowdsecurity/CVE-2023-49103 │ CAPI │ ban │ 30 │
│ crowdsecurity/http-cve-2021-41773 │ CAPI │ ban │ 362 │
│ crowdsecurity/http-cve-2021-42013 │ CAPI │ ban │ 3 │
│ crowdsecurity/CVE-2019-18935 │ CAPI │ ban │ 17 │
│ crowdsecurity/http-open-proxy │ CAPI │ ban │ 2399 │
│ ltsich/http-w00tw00t │ CAPI │ ban │ 4 │
│ crowdsecurity/http-cve-probing │ CAPI │ ban │ 12 │
│ crowdsecurity/http-probing │ CAPI │ ban │ 4050 │
│ crowdsecurity/http-probing │ crowdsec │ ban │ 2 │
│ crowdsecurity/netgear_rce │ CAPI │ ban │ 78 │
│ crowdsecurity/grafana-cve-2021-43798 │ CAPI │ ban │ 1 │
│ crowdsecurity/http-bad-user-agent │ CAPI │ ban │ 14646 │
│ crowdsecurity/http-path-traversal-probing │ CAPI │ ban │ 197 │
│ crowdsecurity/http-wordpress-scan │ CAPI │ ban │ 490 │
│ crowdsecurity/http-generic-bf │ CAPI │ ban │ 30 │
│ crowdsecurity/jira_cve-2021-26086 │ CAPI │ ban │ 17 │
│ crowdsecurity/mysql-bf │ CAPI │ ban │ 26 │
│ crowdsecurity/ssh-bf │ CAPI │ ban │ 4408 │
│ crowdsecurity/CVE-2017-9841 │ CAPI │ ban │ 296 │
│ crowdsecurity/CVE-2017-9841 │ crowdsec │ ban │ 9 │
│ crowdsecurity/fortinet-cve-2018-13379 │ CAPI │ ban │ 12 │
│ crowdsecurity/http-backdoors-attempts │ CAPI │ ban │ 135 │
│ crowdsecurity/http-crawl-non_statics │ CAPI │ ban │ 471 │
│ crowdsecurity/ssh-cve-2024-6387 │ CAPI │ ban │ 52 │
╰────────────────────────────────────────────┴──────────┴────────┴───────╯

Local API Metrics:
╭────────────────────┬────────┬──────╮
│ Route │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/alerts │ POST │ 10 │
│ /v1/decisions │ GET │ 373 │
│ /v1/heartbeat │ GET │ 96 │
│ /v1/usage-metrics │ POST │ 5 │
│ /v1/watchers/login │ POST │ 2 │
╰────────────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭───────────┬───────────────┬────────┬──────╮
│ Bouncer │ Route │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ npm-proxy │ /v1/decisions │ GET │ 373 │
╰───────────┴───────────────┴────────┴──────╯

Local API Bouncers Decisions:
╭───────────┬───────────────┬───────────────────╮
│ Bouncer │ Empty answers │ Non-empty answers │
├───────────┼───────────────┼───────────────────┤
│ npm-proxy │ 330 │ 43 │
╰───────────┴───────────────┴───────────────────╯

Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│ Machine │ Route │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ 40601cb7ebcf4751b38f35e596156eca9MN21HU3GK4Oxccs │ /v1/heartbeat │ GET │ 96 │
│ 40601cb7ebcf4751b38f35e596156eca9MN21HU3GK4Oxccs │ /v1/alerts │ POST │ 10 │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Parser Metrics:
╭──────────────────────────────────────────────┬───────┬────────┬──────────╮
│ Parsers │ Hits │ Parsed │ Unparsed │
├──────────────────────────────────────────────┼───────┼────────┼──────────┤
│ child-crowdsecurity/http-logs │ 1.88k │ 1.29k │ 581 │
│ child-crowdsecurity/nginx-logs │ 1.91k │ 43 │ 1.87k │
│ child-crowdsecurity/nginx-proxy-manager-logs │ 663 │ 582 │ 81 │
│ crowdsecurity/dateparse-enrich │ 625 │ 625 │ - │
│ crowdsecurity/geoip-enrich │ 182 │ 182 │ - │
│ crowdsecurity/http-logs │ 625 │ 623 │ 2 │
│ crowdsecurity/nginx-logs │ 652 │ 43 │ 609 │
│ crowdsecurity/nginx-proxy-manager-logs │ 609 │ 582 │ 27 │
│ crowdsecurity/non-syslog │ 652 │ 652 │ - │
│ crowdsecurity/whitelists │ 625 │ 625 │ - │
╰──────────────────────────────────────────────┴───────┴────────┴──────────╯

Scenario Metrics:
╭────────────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├────────────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/CVE-2017-9841 │ - │ 36 │ 36 │ - │ - │
│ crowdsecurity/http-admin-interface-probing │ - │ - │ 1 │ 1 │ 1 │
│ crowdsecurity/http-backdoors-attempts │ - │ - │ 28 │ 28 │ 28 │
│ crowdsecurity/http-bad-user-agent │ - │ - │ 2 │ 2 │ 2 │
│ crowdsecurity/http-crawl-non_statics │ - │ - │ 73 │ 78 │ 73 │
│ crowdsecurity/http-cve-probing │ - │ - │ 1 │ 1 │ 1 │
│ crowdsecurity/http-path-traversal-probing │ - │ - │ 1 │ 2 │ 1 │
│ crowdsecurity/http-probing │ 1 │ - │ 9 │ 53 │ 8 │
│ crowdsecurity/thinkphp-cve-2018-20062 │ - │ 2 │ 2 │ - │ - │
╰────────────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Whitelist Metrics:
╭──────────────────────────┬─────────────────────────────┬──────┬─────────────╮
│ Whitelist │ Reason │ Hits │ Whitelisted │
├──────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 625 │ 443 │
╰──────────────────────────┴─────────────────────────────┴──────┴─────────────╯
```

For notifications I have Discord. But I get notifications from the same IP a few minutes apart. Is this correct? I thought that if the IP is banned, there is no longer any access.

This depends on what remediation components you are using. If you are just using Nginx Proxy Manager then it can retrigger the scenario, as you are not completely blocking the IP address; the web server is just responding with a 403 response code. To completely block the IP address you have to use the firewall remediation component and alter the chains if you are directly exposing the Docker proxy port to the internet. Please note that if you use something like Cloudflare then this bypasses the firewall remediation, as the layer 3/4 IP address is Cloudflare's and we cannot access layer 7 within the firewall.

Thanks for your answer. Short question: I have it running with this Docker Compose:

compose

```yaml
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      - GID=1000
      - COLLECTIONS=crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/whitelist-good-actors
      - CUSTOM_HOSTNAME=192.168.178.220
    volumes:
      - /root/docker/swag/crowdsec/config:/etc/crowdsec:rw
      - /root/docker/swag/crowdsec/data:/var/lib/crowdsec/data:rw
      - /root/docker/swag/config/log/nginx:/var/log/swag:ro
      - /root/docker/swag/config/log/syslog:/var/log/syslog:ro
      - /var/log:/var/log/host:ro
    restart: unless-stopped
    logging:
      driver: syslog
      options:
        syslog-address: "udp://192.168.22.5:514"
        tag: 'crowdsec'

  swag:
    image: linuxserver/swag:latest
    container_name: swag
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-maxmind|linuxserver/mods:swag-crowdsec
      - CROWDSEC_API_KEY=xxxx
      - CROWDSEC_LAPI_URL=http://crowdsec:8080
      - MAXMINDDB_LICENSE_KEY=xxxx
      - SUBDOMAINS=wildcard
      - VALIDATION=dns # how the LE certificate should be obtained
      - DNSPLUGIN=cloudflare # domain provider
      - PROPAGATION=30
      - EMAIL=xxxx@outlook.at
    volumes:
      - /root/docker/swag/config:/config
    ports:
      - 443:443
      - 80:80
      - 81:81
    dns:
      - 192.168.178.1
    logging:
      driver: syslog
      options:
        syslog-address: "udp://192.168.22.5:514"
        tag: 'swag'
```

Is it possible to install the firewall bouncer on the host and use it with the compose? Or does it make sense to move to the firewall bouncer? I have forwarded 443 and 80 to swag to use it as a proxy.
I’m running Debian.

Yes, you just need to expose the LAPI to the host by providing a port mapping:

```yaml
services:
  crowdsec:
    ports:
      - '127.0.0.1:8080:8080'
```

Then you can install the firewall bouncer (however this may produce some warnings since it cannot find cscli). Then you can run `docker compose exec crowdsec cscli bouncers add myfirewall`; this will generate an API key. Copy and add it to `/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml` and change the `api_url` to `http://127.0.0.1:8080/`.

However, in the firewall configuration you also need to enable the DOCKER_USER chain, since Docker uses NAT to bypass the INPUT chain.
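The bouncer configuration that results from the steps above, as an added example (not from the thread or the CrowdSec project): it follows the default layout of `/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml`, the API key is a placeholder for the value `cscli bouncers add` prints, and the Docker chain is named `DOCKER-USER` as iptables creates it.

```yaml
# /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml (host side, example values)
mode: iptables
update_frequency: 10s
log_mode: file
log_dir: /var/log/
log_level: info

# LAPI is reachable on the host through the compose port mapping.
# Use http://127.0.0.1:8081/ if the host port was remapped to 8081:8080.
api_url: http://127.0.0.1:8080/
# Placeholder: paste the key printed by
#   docker compose exec crowdsec cscli bouncers add myfirewall
api_key: <API_KEY_FROM_CSCLI_BOUNCERS_ADD>

disable_ipv6: false
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban

blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists

# Traffic for published container ports (443:443, 80:80) is DNAT'd and
# traverses FORWARD/DOCKER-USER, not INPUT, so a rule only in INPUT never
# sees it. Insert the blacklist rule in both chains.
iptables_chains:
  - INPUT
  - DOCKER-USER
```

After restarting the bouncer, `iptables -S DOCKER-USER` should show the match-set rule for `crowdsec-blacklists` ahead of Docker's own rules.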

```text
Error response from daemon: driver failed programming external connectivity on endpoint crowdsec (34d3b78c171326f520159b23d981c93b75856229e586264eb579d73c275a71d8): failed to bind port 127.0.0.1:8080/tcp: Error starting userland proxy: listen tcp4 127.0.0.1:8080: bind: address already in use
```

I have it running (changed the port to 8081:8080) but get the same IP multiple times.