crowdsecurity / cs-haproxy-bouncer

Crowdsec bouncer for HAProxy
MIT License

Update crowdsec.lua #29

Open Berthe01 opened 10 months ago

Berthe01 commented 10 months ago

This commit makes ban decisions more important than captcha decisions for a single IP in live mode.

LaurenceJJones commented 10 months ago

Hey, thank you for your PR. If we want to give priority to ban decisions, could we break earlier?

    core.Debug("Checking all decisions for ip="..source_ip)
    for i, decision in pairs(decisions) do
        -- parse all decisions for that ip
        decisType = decision.type
        if decision.type == "ban" then
            -- priority to ban decision: stop at the first ban
            core.Debug("Ban decision found")
            break
        end
        core.Debug("Captcha decision found")
        core.msleep(1)
    end

However, I ask the team for input on this, as the bouncer is not respecting the order or decisions made.

Berthe01 commented 10 months ago

Hi,

Sure we could break earlier, thanks for the optimization :)

The decisions returned by LAPI using http://[LAPI_URL]/v1/decisions?ip=176.172.45.172 are ordered from earliest to latest:

    [
      {
        "duration": "1h56m40.30511709s",
        "id": 12033439,
        "origin": "crowdsec",
        "scenario": "xxx/xxx-baduser-captcha",
        "scope": "Ip",
        "type": "captcha",
        "value": "176.172.45.172"
      },
      {
        "duration": "3h59m46.163659811s",
        "id": 12033440,
        "origin": "crowdsec",
        "scenario": "xxx/xxx-baduser-ban",
        "scope": "Ip",
        "type": "ban",
        "value": "176.172.45.172"
      }
    ]

So the captcha type is kept in the original code.

I don't think it's a good idea to keep the last decision either (it can be a captcha), because in my mind a ban is more important than a captcha.

LaurenceJJones commented 10 months ago

> The decisions returned by LAPI using http://[LAPI_URL]/v1/decisions?ip=176.172.45.172 are ordered from earliest to latest:

Because technically just using HAProxy can trigger multiple ban scenarios, e.g. a user keeps crawling, getting 401, 403 response codes, and keeps triggering ban after ban. Since we already know they have an existing ban, we can exit earlier and not have to loop over many decisions.

Berthe01 commented 10 months ago

I updated my PR according to your recommendations.

Berthe01 commented 10 months ago

Any news?

LaurenceJJones commented 9 months ago

Apologies for the delay, asking @AlteredCoder or @nitescuc for a second pair of 👀 then we can merge
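
The ban-over-captcha selection discussed in this thread, as an added example that is not part of the PR or the bouncer's own code. It runs under plain Lua without HAProxy; `PRIORITY`, `TOP` and `effective_remediation` are hypothetical names, and the sample decisions are the two from the response quoted above, trimmed to the fields used here.

```lua
-- Added example: choose the strictest remediation for one IP, regardless of
-- the order in which the decisions are returned, and stop at the first ban.
local PRIORITY = { ban = 2, captcha = 1 }  -- assumption: only these two types are enforced
local TOP = "ban"

-- Returns the winning decision type (or nil) and how many entries were inspected.
local function effective_remediation(decisions)
    -- A missing or non-table value (e.g. a decoded JSON null) means no decision.
    if type(decisions) ~= "table" then
        return nil, 0
    end
    local best, best_rank, inspected = nil, 0, 0
    for _, decision in ipairs(decisions) do
        inspected = inspected + 1
        local rank = PRIORITY[decision.type] or 0  -- unknown types never win
        if rank > best_rank then
            best, best_rank = decision.type, rank
        end
        if best == TOP then
            break  -- nothing outranks a ban, so later entries cannot change the result
        end
    end
    return best, inspected
end

-- Constructed from the response in the thread: captcha first, ban second.
local captcha = { id = 12033439, scenario = "xxx/xxx-baduser-captcha", type = "captcha" }
local ban     = { id = 12033440, scenario = "xxx/xxx-baduser-ban",     type = "ban" }

-- Order of the list does not matter: the ban wins both ways.
assert(effective_remediation({ captcha, ban }) == "ban")
assert(effective_remediation({ ban, captcha }) == "ban")

-- Repeated bans followed by a captcha: the loop stops after the first entry.
local kind, inspected = effective_remediation({ ban, ban, ban, captcha })
assert(kind == "ban" and inspected == 1)

-- Captcha only, unknown type only, empty list, and no list at all.
assert(effective_remediation({ captcha }) == "captcha")
assert(effective_remediation({ { type = "throttle" } }) == nil)
assert(effective_remediation({}) == nil)
assert(effective_remediation(nil) == nil)

print("effective remediation:", (effective_remediation({ captcha, ban })))
```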