bunkerity / bunkerweb-plugins

Official plugins for BunkerWeb.
https://docs.bunkerweb.io/latest/plugins/
GNU Affero General Public License v3.0
27 stars 12 forks

Support stream mode for CrowdSec plugin #15

Closed DimitryVo closed 7 months ago

DimitryVo commented 1 year ago

Hello, I have a problem banning IPs on BunkerWeb from CrowdSec.

Plugin(s)

crowdsec

Description

I see some banned IPs in the crowdsec container, but I can't see them in bunkerweb.

How to reproduce

The "Use CrowdSec" option is activated for all services.

docker-compose exec crowdsec cscli bouncers list
Name       IP Address  Valid  Last API pull         Type                        Version  Auth Type
bunkerweb  10.20.31.2  ✔      2023-07-28T12:58:59Z  crowdsec-bunkerweb-bouncer  v0.1     api-key

docker-compose exec crowdsec cscli decisions list
│ ID     │ Source   │ Scope:Value       │ Reason                                │ Action │ Country │ AS                     │ Events │ expiration         │ Alert ID │
│ 435131 │ crowdsec │ Ip:59.18.150.155  │ crowdsecurity/thinkphp-cve-2018-20062 │ ban    │ KR      │ 4766 Korea Telecom     │ 1      │ 3h30m18.129711836s │ 160      │
│ 435130 │ crowdsec │ Ip:146.190.33.8   │ crowdsecurity/CVE-2022-26134          │ ban    │ US      │ 14061 DIGITALOCEAN-ASN │ 1      │ 3h15m33.070097333s │ 159      │
│ 435127 │ crowdsec │ Ip:167.94.138.49  │ crowdsecurity/http-bad-user-agent     │ ban    │ US      │ 398324 CENSYS-ARIN-01  │ 2      │ 1h16m53.328785208s │ 156      │
│ 435123 │ crowdsec │ Ip:139.59.182.142 │ crowdsecurity/jira_cve-2021-26086     │ ban    │ GB      │ 14061 DIGITALOCEAN-ASN │ 1      │ 8m36.788698052s    │ 152      │

docker-compose exec bunkerweb bwcli bans
[2023-07-28 18:01:03] - API - ℹ - Successfully sent API request to http://127.0.0.1:5000/bans
[2023-07-28 18:01:03] - CLI - ℹ - CLI command status : ✔ (success)
List of bans for 127.0.0.1:
No ban found

docker-compose.yaml

services:
  bunkerweb:
    image: bunkerity/bunkerweb
    ports:

BunkerWeb version

BunkerWeb - actual version 1.5.0

docker-compose exec crowdsec cscli version
2023/07/28 18:09:07 version: v1.5.1-eddb994c0b48d77b34a3f22b719dc5716670d2ae
2023/07/28 18:09:07 Codename: alphaga
2023/07/28 18:09:07 BuildDate: 2023-05-17_11:05:12
2023/07/28 18:09:07 GoVersion: 1.20.4
2023/07/28 18:09:07 Platform: docker
2023/07/28 18:09:07 Constraint_parser: >= 1.0, <= 2.0
2023/07/28 18:09:07 Constraint_scenario: >= 1.0, < 3.0
2023/07/28 18:09:07 Constraint_api: v1
2023/07/28 18:09:07 Constraint_acquis: >= 1.0, < 2.0

fl0ppy-d1sk commented 1 year ago

Hello @DimitryVo,

IMO this is not a real "problem" because BW is still asking CS API when there is a new request. I did a quick test with BW 1.5.1 and plugins 1.1.

Decision on the 1.3.3.7 IP :

$ cscli decisions list
╭────┬──────────┬─────────────┬───────────────────────────────────┬────────┬─────────┬────┬────────┬──────────────────┬──────────╮
│ ID │  Source  │ Scope:Value │              Reason               │ Action │ Country │ AS │ Events │    expiration    │ Alert ID │
├────┼──────────┼─────────────┼───────────────────────────────────┼────────┼─────────┼────┼────────┼──────────────────┼──────────┤
│ 1  │ crowdsec │ Ip:1.3.3.7  │ crowdsecurity/jira_cve-2021-26086 │ ban    │ CN      │    │ 1      │ 3h58m18.9374069s │ 1        │
╰────┴──────────┴─────────────┴───────────────────────────────────┴────────┴─────────┴────┴────────┴──────────────────┴──────────╯

Send request from 1.3.3.7 (real IP activated for testing) :

curl -H "X-Forwarded-For: 1.3.3.7" "http://www.example.com"

I can see that request is blocked by CS plugin :

[ACCESS] denied access from crowdsec : CrowSec bouncer denied request, client: 1.3.3.7, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"

fl0ppy-d1sk commented 1 year ago

ATM the CS plugin only works in live mode. We need to support stream mode.

fl0ppy-d1sk commented 7 months ago

Hello @DimitryVo,

CS plugin now supports stream mode in version 1.4.
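
As an added illustration of the live and stream modes discussed in this thread (not BunkerWeb or CrowdSec code): a simplified Python model in which `FakeLapi`, `LiveBouncer` and `StreamBouncer` are hypothetical names and 203.0.113.9 is a constructed address. It shows why a bouncer that only asks the API per request has no ban list of its own to display, and that a stream-mode bouncer enforces a new decision only after its next sync.

```python
class FakeLapi:
    """Constructed stand-in for the CrowdSec Local API (hypothetical, single bouncer)."""
    def __init__(self):
        self.decisions, self.new, self.deleted = {}, [], []
    def add(self, ip, reason):
        self.decisions[ip] = reason
        self.new.append(ip)
    def delete(self, ip):
        if self.decisions.pop(ip, None) is not None:
            self.deleted.append(ip)
    def query_ip(self, ip):  # live mode: one lookup per client request
        return self.decisions.get(ip)
    def stream(self, startup=False):  # stream mode: full list at startup, then deltas
        new = list(self.decisions) if startup else self.new
        delta = {"new": new, "deleted": [] if startup else self.deleted}
        self.new, self.deleted = [], []
        return delta

class LiveBouncer:
    def __init__(self, lapi):
        self.lapi, self.calls = lapi, 0
    def local_bans(self):
        return []  # this model keeps no local copy of decisions
    def allowed(self, ip):
        self.calls += 1
        return self.lapi.query_ip(ip) is None

class StreamBouncer:
    def __init__(self, lapi):
        self.lapi, self.calls, self.cache = lapi, 0, set()
        self.sync(startup=True)
    def sync(self, startup=False):
        self.calls += 1
        delta = self.lapi.stream(startup)
        self.cache = (self.cache | set(delta["new"])) - set(delta["deleted"])
    def local_bans(self):
        return sorted(self.cache)
    def allowed(self, ip):  # answered from the cache, no API call
        return ip not in self.cache

def demo():
    lapi = FakeLapi()
    lapi.add("1.3.3.7", "crowdsecurity/jira_cve-2021-26086")  # decision from the thread
    live, stream = LiveBouncer(lapi), StreamBouncer(lapi)
    lapi.add("203.0.113.9", "constructed sample")  # lands after the startup pull
    before = (live.allowed("203.0.113.9"), stream.allowed("203.0.113.9"))
    stream.sync()
    return {"live_bans": live.local_bans(), "stream_bans": stream.local_bans(),
            "before_sync": before, "after_sync": stream.allowed("203.0.113.9")}
```

The same lag applies to removals: a deleted decision stays in the stream cache, and the address stays blocked, until the next sync.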