# Blocking IP based on X number of attempts (Crowdsec + Traefik Docker containers + Traefik Bouncer)


frail mulch
#

Hi guys, question: I'm currently testing Crowdsec as a docker container with Traefik Bouncer.
Everything is working fine, however some of my web services return an HTTP 302 response if login failed, so when I checked the scenarios already installed, I noticed they are based on detecting 401 login attempts.

My coworker told me he has been using Fail2Ban so far and he could parse logs and, when counting too many login attempts (even if the http code is 302), he put a ban on the IP, so he would like me to recreate that sort of behavior.

After checking online, I kinda understand that I would need to create a parser / scenario on my own in order to block such an IP after X attempts. If so, because I'm using Crowdsec as a docker container, where should I set up my parser and scenario?

narrow lightBOT
#
Important Information

This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve

jagged flax
#

You could make a fail2ban custom command which would run a cscli command and interact with the crowdsec API to ban the detected IP.

#

Otherwise, if you are in containers, then you probably need to parse logs from the app or traefik within another container, and invoke the action in a similar way.

brave sundial
#

You wouldn't need to create a parser, since we already have one for traefik, just a scenario. You can start by using one made by us and adapting it to your needs, like:

```yaml
# Generic 302 login spam
type: leaky
#debug: true
name: my/http-generic-302-bf
description: "Detect 302 login spam brute force"
# Only count POSTs to the login path that came back as a 302 (failed login redirect)
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '302' && evt.Meta.http_path == '/login'"
# One bucket per source IP
groupby: evt.Meta.source_ip
# Bucket overflows (alert + remediation) once it holds more than 5 events;
# one event leaks out every 10s, and the bucket ignores new events for 1m after overflowing
capacity: 5
leakspeed: "10s"
blackhole: 1m
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "http:bruteforce"
  label: "HTTP Bruteforce"
  service: http
  remediation: true
```
#

Since a 302 can happen for normal redirection, we filter down by HTTP path to ensure we only count requests to the login endpoint, for example.

#

And you create the scenario within the scenarios directory in /etc/crowdsec (using the .yaml extension; it can be any name, just don't pick something that's already there). So if you persisted that directory, which all our examples do, then you either need to access the docker volume and place it there, or, if it's relative, find the relative mount.
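As an added illustration (not code from this thread or from CrowdSec itself), here is a small Python replay of the scenario above against constructed Traefik-style access-log lines, so you can see why the path filter matters and when the bucket overflows. The CLF log layout, the sample IPs and the continuous leak arithmetic are assumptions; it approximates crowdsec's leaky bucket rather than reproducing its exact timing.

```python
import re
from datetime import datetime, timedelta

# Scenario parameters taken from the YAML above
CAPACITY, LEAKSPEED, BLACKHOLE = 5, timedelta(seconds=10), timedelta(minutes=1)

# Assumed Traefik CLF-style access log layout (ip, timestamp, request line, status)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<verb>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    evt = m.groupdict()
    evt["ts"] = datetime.strptime(evt["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return evt

def matches_filter(evt):
    # Mirrors the scenario filter: POST to /login answered with a 302
    return evt["verb"] == "POST" and evt["status"] == "302" and evt["path"] == "/login"

def run_scenario(lines):
    buckets = {}   # source_ip -> (fill level, last event time, blackholed until)
    alerts = []    # (ip, time of overflow)
    for evt in filter(None, map(parse, lines)):
        if not matches_filter(evt):
            continue
        ip, now = evt["ip"], evt["ts"]
        level, last, hole = buckets.get(ip, (0.0, now, None))
        if hole and now < hole:
            continue                      # blackhole: ignore events after an overflow
        level = max(0.0, level - (now - last) / LEAKSPEED)  # one event leaks per LEAKSPEED
        level += 1
        if level > CAPACITY:              # more than CAPACITY events held -> overflow
            alerts.append((ip, now))
            level, hole = 0.0, now + BLACKHOLE
        buckets[ip] = (level, now, hole)
    return alerts

def clf(ip, sec, verb, path, status):
    # Constructed sample log line, not real traffic
    return f'{ip} - - [10/May/2024:12:00:{sec:02d} +0000] "{verb} {path} HTTP/1.1" {status} 5 "-" "curl/8.0"'

SAMPLE_LOG = (
    [clf("203.0.113.7", s, "POST", "/login", 302) for s in range(6)]   # 6 failed logins in 6s
  + [clf("198.51.100.9", s, "GET", "/", 302) for s in range(10)]       # ordinary redirects, not counted
  + [clf("192.0.2.4", s, "POST", "/login", 302) for s in range(3)]     # 3 tries, stays under capacity
)

if __name__ == "__main__":
    for ip, when in run_scenario(SAMPLE_LOG):
        print(f"overflow: {ip} at {when.time()}")   # only 203.0.113.7 should appear
```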

frail mulch
#

Thanks a lot! I'll dig into that

narrow lightBOT
# narrow light

Resolving Blocking IP based on X number of attempts (Crowdsec + Traefik Docker containers + Traefik Bouncer)

#

This has now been resolved. If you think this is a mistake please run /unresolve

frail mulch
#

After gathering more info about the webapp from my fellow devs, I finally decided to make a custom parser and scenario. I did both following the documentation, however now I'm confused how to integrate these custom yaml files into my Crowdsec docker container. The mounted volume from the host, /var/lib/docker/volumes/crowdsec-config/_data/parsers, has only broken symbolic link files pointing to the path /etc/crowdsec/ inside the container.

#

So I understand how Docker works, but I'm a bit confused on how to integrate my custom parser and scenario? Can you help me with that?

narrow lightBOT
# narrow light

Unresolving Blocking IP based on X number of attempts (Crowdsec + Traefik Docker containers + Traefik Bouncer)

#

This has now been unresolved.

frail mulch
#

Found the solution eventually. I was just confused by the broken links, however I just needed to create my yaml file inside the folder anyway, and after restarting the container it was working as expected. Sorry, it was driving me nuts! Thanks!

narrow lightBOT
# narrow light

Resolving Blocking IP based on X number of attempts (Crowdsec + Traefik Docker containers + Traefik Bouncer)