Seems like fail2ban would've dealt with this ... DoS and log storage filler better

many attempts from the same IP
Jul 03 16:31:04 r3-pve.rocky9-pve3.org crowdsec1[79895]: time="2025-07-03T14:31:04Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 192.168.12.1 : 12m ban on Ip 192.168.12.1"

one attempt in 10 minutes from more than 10 IPs, and we ban each IP for x minutes

Jul 03 16:25:17 r3-pve.rocky9-pve3.org rspamd[78579]: (rspamd_proxy) <298a20>; milter; rspamd_milter_process_command: got connection from 192.168.12.1:36176
Jul 03 16:25:17 r3-pve.rocky9-pve3.org rspamd[78579]: (rspamd_proxy) <298a20>; proxy; proxy_milter_finish_handler: finished milter connection
Jul 03 16:25:17 r3-pve.rocky9-pve3.org crowdsec1[79895]: time="2025-07-03T14:25:17Z" level=info msg="Ip 2 sources performed 'custom/distributed-postfix-bruteforce' (4 events over 3.000203177s) at 2025-07-03 14:25:17.516239687 +0000 UTC"
Jul 03 16:25:18 r3-pve.rocky9-pve3.org crowdsec1[79895]: time="2025-07-03T14:25:18Z" level=info msg="(localhost/crowdsec) custom/distributed-postfix-bruteforce by ip 192.168.12.15 : 8m ban on Ip 192.168.12.15"
Jul 03 16:25:18 r3-pve.rocky9-pve3.org crowdsec1[79895]: time="2025-07-03T14:25:18Z" level=info msg="(localhost/crowdsec) custom/distributed-postfix-bruteforce by ip 192.168.12.1 : 8m ban on Ip 192.168.12.1"
Jul 03 16:25:18 r3-pve.rocky9-pve3.org crowdsec1[79895]: time="2025-07-03T14:25:18Z" level=info msg="Signal push: 2 signals to push"
Jul 03 16:25:24 r3-pve.rocky9-pve3.org crowdsec1-firewall-bouncer[75292]: time="2025-07-03T14:25:24Z" level=info msg="2 decisions added"
1 Like

Great, so we don’t need to ban the whole network. That’s safer.

2 Likes

The idea is to ban the attackers, not the good guy

1 Like

@fasttech I am going to ping you

1 Like

@davidep what do you think of this

to sum up what we found

  • we have tests in the log every 20 minutes from many IPs coming from a range
  • since the attempts are not coming from the same IP and the delay is long, we do not trigger a ban
  • the purpose is to ban if we have 10 attempts from 10 different IPs in a range within 10 minutes
3 Likes
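The scenario summed up above (one attempt per IP, many IPs from one range, within ten minutes), as an added example that is not from this thread or from CrowdSec itself: detection logic run over constructed Postfix SASL-failure lines, grouping failures by /24 and deciding to ban every IP in the range once ten distinct sources are seen inside a sliding ten-minute window. The sample log lines, the /24 grouping, the 2025 year used for syslog timestamps and the function names are all assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample Postfix SASL failures (not taken from the thread): ten distinct
# hosts in 192.168.12.0/24 each fail once, a minute apart, plus one unrelated host.
SAMPLE_LOG = [
    f"Jul 03 16:{m:02d}:00 mail postfix/smtpd[21{m:02d}]: warning: "
    f"unknown[192.168.12.{m + 1}]: SASL LOGIN authentication failed: authentication failure"
    for m in range(10)
] + [
    "Jul 03 16:09:30 mail postfix/smtpd[2150]: warning: unknown[10.9.8.7]: "
    "SASL LOGIN authentication failed: authentication failure"
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)

def parse_line(line, year=2025):
    """Return (timestamp, source IP) for a failed SASL login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, ipaddress.ip_address(m["ip"])

def detect_distributed_bruteforce(lines, window_s=600, threshold=10, prefix=24):
    """Fire when `threshold` distinct IPs from one /prefix subnet fail inside a
    sliding `window_s`-second window; returns [(subnet, frozenset(ips to ban))]."""
    buckets = defaultdict(deque)  # subnet -> deque of (timestamp, ip), oldest first
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a failed-auth line, ignore
        ts, ip = parsed
        subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        bucket = buckets[subnet]
        bucket.append((ts, ip))
        while (ts - bucket[0][0]).total_seconds() > window_s:
            bucket.popleft()  # expire events older than the window
        distinct = {str(seen_ip) for _, seen_ip in bucket}
        if len(distinct) >= threshold:
            decisions.append((str(subnet), frozenset(distinct)))
            bucket.clear()  # like a CrowdSec blackhole: do not re-fire on the same burst
    return decisions
```

Repeated failures from a single IP never reach the threshold here, which is the point of the scenario: the per-IP brute-force scenario already covers that case, and this one only catches the spread-out pattern.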

This is an interesting case. Since banning the subnet on the fw 4 days ago they’ve continued to pound away and now the fw logs are utterly flooded. It was best to see this and take action to let the fw deal with it instead of the mail server and I can see where an automated notification of high volume of blocks by crowdsec would be beneficial so the action of blocking at the fw could be taken instead of letting crowdsec deal with it for weeks until someone noticed.

1 Like

But this means to check the logs or get a notification mail and manually block the subnet on the firewall. No check → no block.
On a VPS for example, there’s no hardware firewall.
I think it’s an advantage that crowdsec is able to check for different IPs from the same subnet and automatically ban it.
As soon as crowdsec bans, the mail server doesn’t get requests from banned IPs anymore.

2 Likes

not tested but firewalld is probably capable of blocking a network or a single ip

1 Like

I thought this is what crowdsec already does. If an IP is banned it’s blocked on firewall layer (nftables)
My concern was that I don’t like to check crowdsec logs to manually block a network on an external firewall. It should work automatically IMO.

It seems firewalld can block a network, see How to Restrict Network Access Using FirewallD

1 Like

even better, but IIRC it works like iptables and you need a script to load the ban at each reboot

1 Like