Closed ScreNN closed 1 year ago
I can’t help you without any further information.
These seem to be smart bots that don't even get caught by fail2ban. But CrowdSec seems to catch them. I checked your GeoBlock, it works, but it lets these guys through. They go to 404 instead of 403 for some reason. What information can I give you?
Here are the GeoBlock settings:
    # Traefik GeoBlock Plugin
    geoblock:
      plugin:
        geoblock:
          allowLocalRequests: true
          logLocalRequests: false
          logAllowedRequests: false
          logApiRequests: true
          api: "https://get.geojs.io/v1/ip/country/{ip}"
          apiTimeoutMs: 750
          cacheSize: 150
          forceMonthlyUpdate: true
          allowUnknownCountries: false
          unknownCountryApiResponse: "nil"
          countries:
            - RU
These are some kind of scanners. But shouldn't GeoBlock block them?
Are those HTTP/s requests or tcp/udp requests?
Traefik shows that these are HTTP/2.0 (GET, POST) requests. I have UDP closed. I only have port 443 of HTTPS open.
I think I figured out why these guys aren't banning the plugin. They don't pass the country in headers.
According to the CrowdSec database, these are HTTP scanners, TCP scanners, brute-force, UDP scanners, etc.
I think I figured it out. I should have written a fake router in Traefik proxy:
    http:
      routers:
        catchall:
          entryPoints:
            - "https"
          # catchall rule
          rule: "PathPrefix(`/`)"
          service: unavailable
          # lowest possible priority
          # evaluated when no other router is matched
          priority: 1
      services:
        # Service that will always answer a 503 Service Unavailable response
        unavailable:
          loadBalancer:
            servers: {}
Geoblock does not use the http country header. Did you have multiple routers configured?
I have different routers, I have several services open outside.
After adding a fake router, the geoblock catches the guys well, with no skips
Sounds good, so I'm closing the issue.
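A way to check from the access log which requests never matched a router, and so never passed through a router middleware such as GeoBlock (an added example, not part of the thread or of the plugin). It assumes Traefik's JSON access log and that entries without a `RouterName` field are the ones Traefik answered itself with 404; the log lines, IPs and hosts are constructed.

```python
import json
from collections import Counter

# Constructed sample in Traefik's JSON access-log format; IPs and hosts are placeholders.
SAMPLE_LOG = """\
{"ClientHost":"198.51.100.23","RequestHost":"192.0.2.10","RequestPath":"/","DownstreamStatus":404,"RequestProtocol":"HTTP/2.0"}
{"ClientHost":"198.51.100.23","RequestHost":"192.0.2.10","RequestPath":"/favicon.ico","DownstreamStatus":404,"RequestProtocol":"HTTP/2.0"}
{"ClientHost":"203.0.113.7","RequestHost":"app.example.test","RequestPath":"/","DownstreamStatus":200,"RouterName":"app@file","RequestProtocol":"HTTP/2.0"}
{"ClientHost":"198.51.100.99","RequestHost":"192.0.2.10","RequestPath":"/","DownstreamStatus":403,"RouterName":"catchall@file","RequestProtocol":"HTTP/2.0"}
truncated line that is not JSON
"""


def classify(entry):
    """Label one access-log entry by whether a router (and its middlewares) handled it."""
    if not entry.get("RouterName"):
        # No router matched: Traefik answered itself, so router middlewares never ran.
        return "unrouted"
    if entry.get("DownstreamStatus") == 403:
        # Assumption: a 403 on a matched router is the GeoBlock denial.
        return "denied"
    return "routed"


def summarize(lines):
    """Count entries per label and tally the clients whose requests matched no router."""
    counts, unrouted_clients = Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            counts["unparsed"] += 1  # keep going on damaged or partial lines
            continue
        label = classify(entry)
        counts[label] += 1
        if label == "unrouted":
            unrouted_clients[entry.get("ClientHost", "unknown")] += 1
    return counts, unrouted_clients


if __name__ == "__main__":
    counts, clients = summarize(SAMPLE_LOG.splitlines())
    print(dict(counts))
    print("clients that bypassed router middlewares:", dict(clients))
```

A non-zero `unrouted` count after the catch-all router is in place means some entry point or host is still not covered by it.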
The plugin began to skip many of the USA and beyond. Is there something wrong with the base?