Current Behavior
Configured port streams are not affected by the bouncer.
A blocked IP cannot access proxied services but can access streamed ports.
I tried to have NPM face connections from the internet for all my services (in this specific test: postfix/dovecot).
(It is working fine for all proxy connections.)
Expected Behavior
Blocks also include streamed ports, or there is info about this in the docs.
In my setup, while testing, I noticed the given behavior, but on top of that all connections coming over NPM to postfix have obscured IPs, like with source NAT. Therefore postfix sees the connection from outside with an internal IP (from the NPM container) and it is automatically whitelisted.
This is undermining the brute-force/DDoS protection :(
Steps To Reproduce
The test client was using a dedicated internet connection
Block its IP for test purpose
while being on the blocklist
test access web
test access over streamed port
Environment
OS: debian
OS version: 12
CPU: 2x L5640
Docker version: Docker version 27.1.2, build d01f264
log for crowdsec:
time="2024-08-27T16:01:17Z" level=info msg="(localhost/cscli) manual 'ban' from 'localhost' by ip 95.33.12.148 : 4h ban on Ip 95.33.12.148"
time="2024-08-27T16:01:17Z" level=info msg="127.0.0.1 - [Tue, 27 Aug 2024 16:01:17 UTC] \"POST /v1/alerts HTTP/1.1 201 125.832548ms \"crowdsec/v1.6.2-16bfab86-docker\" \""
time="2024-08-27T16:01:25Z" level=info msg="Signal push: 1 signals to push"
time="2024-08-27T16:01:52Z" level=info msg="172.21.0.4 - [Tue, 27 Aug 2024 16:01:52 UTC] \"GET /v1/decisions?ip=95.33.12.148 HTTP/1.1 200 1.511162907s \"crowdsec-openresty-bouncer/v1.0.2\" \""
Container inspect
No response
Anything else?
I am not sure if it is really a bug, as I assume that port streams are not really manageable, but I hope for it.
At least some info in the docs would be nice, that if you are using crowdsec and streamed ports you may have a security hole.
Container creation

```yaml
# Compose file as posted, re-indented from the flattened original.
# The top-level networks: and volumes: definitions were not included in the post.
version: "3"
services:
  app:
    image: 'lepresidente/nginxproxymanager:latest'
    restart: unless-stopped
    container_name: Extern-NPM-Crowdsec
    networks:
      npm-connect:
      default:
      npm-extern:
        ipv4_address: 10.10.15.4
    environment:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "XXXXX"
      DB_MYSQL_PASSWORD: "XXXXX"
      DB_MYSQL_NAME: "XXXXX"
      ADMIN_PANEL_LOG: "1"
      CROWDSEC_BOUNCER: "1"
      OPENRESTY_DEBUG: "0"
  db:
    image: 'jc21/mariadb-aria:latest'
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: 'XXXXX'
      MYSQL_DATABASE: 'XXXXX'
      MYSQL_USER: 'XXXXX'
      MYSQL_PASSWORD: 'XXXXX'
    volumes:
      - mysql:/var/lib/mysql
    networks:
      default:
        aliases:
          # (alias list not included in the posted snippet)
  crowdsec:
    image: 'crowdsecurity/crowdsec:latest'
    restart: always
    environment:
      COLLECTIONS: "crowdsecurity/nginx"
      GID: "${GID-1000}"
    volumes:
      # (volume list not included in the posted snippet)
```
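A small probe that carries out the "Steps To Reproduce" from the report above, added here as an example; it is neither the reporter's code nor part of NPM or CrowdSec. It assumes the OpenResty bouncer answers a banned client with its default HTTP 403, that the streamed backend (postfix) greets with a banner, and uses placeholder hostnames. Run from the host whose IP was banned with `cscli decisions add`, it checks the proxy host and the stream port in one go; without arguments it runs offline against a constructed local listener standing in for postfix, which is enough to exercise the probe and verdict logic.

```python
"""Reproduce the report: with the client IP banned in CrowdSec, an HTTP request
through an NPM proxy host should be refused by the OpenResty bouncer, while a
TCP connect to an NPM stream port still reaches the backend untouched.
Added example, not the reporter's code. Assumes the bouncer's default 403 ban
response; hostnames below are placeholders."""
import socket
import sys
import threading
import urllib.error
import urllib.request


def probe_http(url, timeout=5.0):
    """Status code the proxy host answers with, or None if no HTTP answer at all."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def probe_tcp(host, port, timeout=5.0):
    """Connect to a stream port. None = refused/filtered (something blocked us);
    otherwise the first line the backend sent ('' if it stayed silent)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        try:
            data = sock.recv(512)
        except OSError:          # socket.timeout: connected, but no greeting
            data = b""
    return data.decode("ascii", errors="replace").strip()


def verdict(http_status, stream_banner):
    """Combine both probes. 'bypass' is the condition the report describes:
    HTTP is bounced (403) while the stream port is still reachable."""
    http_blocked = http_status == 403
    stream_blocked = stream_banner is None
    return {
        "http_blocked": http_blocked,
        "stream_blocked": stream_blocked,
        "bypass": http_blocked and not stream_blocked,
    }


def start_banner_listener(banner, host="127.0.0.1"):
    """Constructed stand-in for the streamed backend: a local TCP listener that,
    like postfix, greets every client with a banner. Returns the bound port so
    the probes can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def main(argv):
    if len(argv) == 3:
        # Real run from a banned client, e.g.:
        #   python3 stream_probe.py https://mail.example.test/ mail.example.test:25
        url, stream = argv[1], argv[2]
        host, port = stream.rsplit(":", 1)
        result = verdict(probe_http(url), probe_tcp(host, int(port)))
    else:
        # Offline demo: constructed listener stands in for postfix, and a
        # hard-coded 403 stands in for the bouncer's answer on the HTTP side.
        port = start_banner_listener(b"220 mail.example.test ESMTP Postfix\r\n")
        result = verdict(403, probe_tcp("127.0.0.1", port))
    for key, value in result.items():
        print(f"{key}: {value}")
    return 1 if result["bypass"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means the stream port answered while HTTP was bounced, i.e. the bypass from the report. Note that a banner coming back also confirms the second point in the report: the backend accepted the connection, and because NPM's stream forwards from its own container address, whatever the backend logs as the peer will be that internal IP, not the banned one.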