Comments (9)

nickchomey commented on June 4, 2024

At the same time, I see entries like these being created every few seconds in /var/log/crowdsec_api.log

time="11-06-2022 10:22:47" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:22:47 CST] \"GET /v1/decisions?ip=108.162.216.208 HTTP/1.1 200 3.387217ms \"WordPress CrowdSec Bouncer/v1.5.0\" \""
time="11-06-2022 10:22:47" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:22:47 CST] \"GET /v1/decisions?ip=172.69.34.41 HTTP/1.1 200 2.855276ms \"WordPress CrowdSec Bouncer/v1.5.0\" \""
time="11-06-2022 10:22:56" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:22:56 CST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 4.876419ms \"crowdsec-firewall-bouncer/v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866\" \""
time="11-06-2022 10:23:05" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:23:05 CST] \"GET /v1/decisions?ip=108.162.216.208 HTTP/1.1 200 4.265869ms \"WordPress CrowdSec Bouncer/v1.5.0\" \""
time="11-06-2022 10:23:06" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:23:06 CST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 7.429577ms \"crowdsec-firewall-bouncer/v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866\" \""
time="11-06-2022 10:23:11" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:23:11 CST] \"GET /v1/decisions?ip=108.162.216.208 HTTP/1.1 200 3.617608ms \"WordPress CrowdSec Bouncer/v1.5.0\" \""
time="11-06-2022 10:23:16" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:23:16 CST] \"GET /v1/decisions?ip=108.162.216.208 HTTP/1.1 200 5.663922ms \"WordPress CrowdSec Bouncer/v1.5.0\" \""
time="11-06-2022 10:23:16" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:23:16 CST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 4.615051ms \"crowdsec-firewall-bouncer/v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866\" \""
time="11-06-2022 10:23:26" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:23:26 CST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 5.191406ms \"crowdsec-firewall-bouncer/v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866\" \""
time="11-06-2022 10:23:36" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:23:36 CST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 4.613679ms \"crowdsec-firewall-bouncer/v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866\" \""
time="11-06-2022 10:23:40" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:23:40 CST] \"GET /v1/decisions?ip=108.162.216.208 HTTP/1.1 200 4.515595ms \"WordPress CrowdSec Bouncer/v1.5.0\" \""
time="11-06-2022 10:23:41" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:23:41 CST] \"GET /v1/decisions?ip=172.69.68.240 HTTP/1.1 200 3.032656ms \"WordPress CrowdSec Bouncer/v1.5.0\" \""

Does this suggest that the WP Bouncer is working? I don't really know how to make use of this info...

from cs-wordpress-bouncer.

julienloizelet commented on June 4, 2024

Hi,

This kind of line:

time="11-06-2022 10:22:47" level=info msg="127.0.0.1 - [Sat, 11 Jun 2022 10:22:47 CST] \"GET /v1/decisions?ip=108.162.216.208 HTTP/1.1 200 3.387217ms \"WordPress CrowdSec Bouncer/v1.5.0\" \""

suggests that the WordPress plugin is at least trying to bounce an IP (108.162.216.208 in this example).

The /var/log/crowdsec_api.log is the log file of the CrowdSec agent itself.

We will find more useful information in the log files of the WordPress plugin: you should find a prod.log in a folder wp-content/plugins/cs-wordpress-bouncer/logs.

Please also enable the debug log option in your plugin (see Enable debug mode in the Advanced settings) in order to find a more verbose debug.log file in the same folder.

Could you please share the content of this debug.log file that appears when you access your website with an IP that should be banned?

Thanks

from cs-wordpress-bouncer.

nickchomey commented on June 4, 2024

Sorry for the delay.

Here's the contents of the prod.log for a failed login. I've replaced the ip addresses for my server, laptop and cloudflare with their respective descriptions

2022-06-16T20:20:36.048415+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"server.ip.address"}
2022-06-16T20:20:36.061796+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:20:36.061988+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:20:43.700517+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.laptop.ip.address"}
2022-06-16T20:20:43.711880+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:20:43.712067+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:20:44.217235+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"server.ip.address"}
2022-06-16T20:20:44.229303+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:20:44.229516+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:20:44.881175+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.laptop.ip.address"}
2022-06-16T20:20:44.881761+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"hit"}
2022-06-16T20:20:44.882020+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:20:50.903896+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.laptop.ip.address"}
2022-06-16T20:20:50.915129+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:20:50.915335+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}

and from the debug.log

2022-06-16T20:20:35.239417+00:00|100|{"type":"API_CACHE_INIT","adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter","mode":"live","exp_clean_ips":5,"exp_bad_ips":20,"exp_captcha_flow":86400,"exp_geolocation_result":86400,"warmed_up":"false","geolocation":{"save_result":true,"enabled":false,"type":"maxmind","maxmind":{"database_type":"country"}}}
2022-06-16T20:20:35.239977+00:00|100|{"type":"REST_CLIENT_INIT","base_uri":"http://localhost:8080","timeout":1}
2022-06-16T20:20:35.240040+00:00|100|{"type":"API_CLIENT_INIT","user_agent":"WordPress CrowdSec Bouncer/v1.5.0"}
2022-06-16T20:20:35.240683+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.laptop.ip.address"}
2022-06-16T20:20:35.240947+00:00|100|{"type":"START_IP_CHECK","ip":"cloudflare.ip.address"}
2022-06-16T20:20:35.241167+00:00|100|{"type":"DIRECT_API_CALL","ip":"cloudflare.ip.address"}
2022-06-16T20:20:35.241227+00:00|100|{"type":"HTTP CALL","method":"GET","uri":"http://localhost:8080/v1/decisions?ip=cloudflare.ip.address","content":null}
2022-06-16T20:20:35.256596+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:20:35.256808+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:20:36.047796+00:00|100|{"type":"API_CACHE_INIT","adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter","mode":"live","exp_clean_ips":5,"exp_bad_ips":20,"exp_captcha_flow":86400,"exp_geolocation_result":86400,"warmed_up":"false","geolocation":{"save_result":true,"enabled":false,"type":"maxmind","maxmind":{"database_type":"country"}}}
2022-06-16T20:20:36.048076+00:00|100|{"type":"REST_CLIENT_INIT","base_uri":"http://localhost:8080","timeout":1}
2022-06-16T20:20:36.048135+00:00|100|{"type":"API_CLIENT_INIT","user_agent":"WordPress CrowdSec Bouncer/v1.5.0"}
2022-06-16T20:20:36.048415+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"server.ip.address"}
2022-06-16T20:20:36.048773+00:00|100|{"type":"START_IP_CHECK","ip":"cloudflare.ip.address"}
2022-06-16T20:20:36.055547+00:00|100|{"type":"DIRECT_API_CALL","ip":"cloudflare.ip.address"}
2022-06-16T20:20:36.055644+00:00|100|{"type":"HTTP CALL","method":"GET","uri":"http://localhost:8080/v1/decisions?ip=cloudflare.ip.address","content":null}
2022-06-16T20:20:36.061796+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:20:36.061988+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:20:43.700045+00:00|100|{"type":"API_CACHE_INIT","adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter","mode":"live","exp_clean_ips":5,"exp_bad_ips":20,"exp_captcha_flow":86400,"exp_geolocation_result":86400,"warmed_up":"false","geolocation":{"save_result":true,"enabled":false,"type":"maxmind","maxmind":{"database_type":"country"}}}

Please let me know if you need anything else!

from cs-wordpress-bouncer.

nickchomey commented on June 4, 2024

I just realised that perhaps it had something to do with cloudflare. I then found that I don't have the Cloudflare Bouncer installed.

I generated a CF token and installed it via the package method here: https://docs.crowdsec.net/docs/bouncers/cloudflare and it seems to have recognized my sites etc...

Here's the prod and debug logs after doing that. I tried to "brute force" it (15 logins in rapid succession) to no avail. Not sure if you will see anything different in the log...

prod.log

2022-06-16T20:50:33.428664+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.laptop.ip.address"}
2022-06-16T20:50:33.439125+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:50:33.439352+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:50:33.757796+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.server.ip.address"}
2022-06-16T20:50:33.769855+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:50:33.770058+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:50:50.308827+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.laptop.ip.address"}

debug.log

2022-06-16T20:50:33.428089+00:00|100|{"type":"API_CACHE_INIT","adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter","mode":"live","exp_clean_ips":5,"exp_bad_ips":20,"exp_captcha_flow":86400,"exp_geolocation_result":86400,"warmed_up":"false","geolocation":{"save_result":true,"enabled":false,"type":"maxmind","maxmind":{"database_type":"country"}}}
2022-06-16T20:50:33.428362+00:00|100|{"type":"REST_CLIENT_INIT","base_uri":"http://localhost:8080","timeout":1}
2022-06-16T20:50:33.428448+00:00|100|{"type":"API_CLIENT_INIT","user_agent":"WordPress CrowdSec Bouncer/v1.5.0"}
2022-06-16T20:50:33.428664+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.laptop.ip.address"}
2022-06-16T20:50:33.428941+00:00|100|{"type":"START_IP_CHECK","ip":"cloudflare.ip.address"}
2022-06-16T20:50:33.429042+00:00|100|{"type":"DIRECT_API_CALL","ip":"cloudflare.ip.address"}
2022-06-16T20:50:33.429122+00:00|100|{"type":"HTTP CALL","method":"GET","uri":"http://localhost:8080/v1/decisions?ip=cloudflare.ip.address","content":null}
2022-06-16T20:50:33.439125+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:50:33.439352+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:50:33.757286+00:00|100|{"type":"API_CACHE_INIT","adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter","mode":"live","exp_clean_ips":5,"exp_bad_ips":20,"exp_captcha_flow":86400,"exp_geolocation_result":86400,"warmed_up":"false","geolocation":{"save_result":true,"enabled":false,"type":"maxmind","maxmind":{"database_type":"country"}}}
2022-06-16T20:50:33.757505+00:00|100|{"type":"REST_CLIENT_INIT","base_uri":"http://localhost:8080","timeout":1}
2022-06-16T20:50:33.757551+00:00|100|{"type":"API_CLIENT_INIT","user_agent":"WordPress CrowdSec Bouncer/v1.5.0"}
2022-06-16T20:50:33.757796+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.server.ip.address"}
2022-06-16T20:50:33.758065+00:00|100|{"type":"START_IP_CHECK","ip":"cloudflare.ip.address"}
2022-06-16T20:50:33.758167+00:00|100|{"type":"DIRECT_API_CALL","ip":"cloudflare.ip.address"}
2022-06-16T20:50:33.758219+00:00|100|{"type":"HTTP CALL","method":"GET","uri":"http://localhost:8080/v1/decisions?ip=cloudflare.ip.address","content":null}
2022-06-16T20:50:33.769855+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:50:33.770058+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}

from cs-wordpress-bouncer.

nickchomey commented on June 4, 2024

I also found this in the /var/log/crowdsec-cloudflare-bouncer.log file

time="16-06-2022 14:45:13" level=info msg="state hasn't changed, not setting up CF" account_id=account-id-number
....
huge list of "found new decision with value = ip address"
...
huge list of "found expired decision with value = ip address"
...
time="16-06-2022 14:45:13" level=info msg="found expired decision with value=MY.LAPTOP.IP.ADDRESS, scope=Ip, type=ban" account_id=2b26ea4058c195dd58c1945ec4da2f18
...
time="16-06-2022 14:45:23" level=info msg="processing decisions with scope=Ip" account_id=account-id-code
time="16-06-2022 14:45:23" level=warning msg="7497 IPs would be dropped to avoid exceeding IP list limit" account_id=account-id-code
time="16-06-2022 14:45:27" level=info msg="added 10000 new IPs and deleted 0 IPs"
time="16-06-2022 14:45:27" level=info msg="done processing decisions with scope=Ip" account_id=account-id-code
time="16-06-2022 14:48:13" level=info msg="found expired decision with value=218.92.0.203, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:23" level=info msg="processing decisions with scope=Ip" account_id=account-id-code
time="16-06-2022 14:48:23" level=info msg="no changes to IP rules "
time="16-06-2022 14:48:23" level=info msg="done processing decisions with scope=Ip" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=196.1.228.10, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=27.131.48.19, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=200.218.251.153, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=43.154.21.147, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=210.195.24.39, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=43.154.31.155, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=182.42.23.3, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=154.89.5.72, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=43.154.237.180, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=118.193.46.79, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=14.201.43.234, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=43.154.178.151, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=115.66.55.86, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:43" level=info msg="found expired decision with value=43.154.179.164, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="processing decisions with scope=Ip" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="no changes to IP rules "
time="16-06-2022 14:48:53" level=info msg="done processing decisions with scope=Ip" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=196.1.228.10, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=27.131.48.19, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=200.218.251.153, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=43.154.21.147, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=210.195.24.39, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=43.154.31.155, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=182.42.23.3, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=154.89.5.72, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=43.154.237.180, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=118.193.46.79, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=14.201.43.234, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=43.154.178.151, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=115.66.55.86, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:48:53" level=info msg="found expired decision with value=43.154.179.164, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:49:03" level=info msg="processing decisions with scope=Ip" account_id=account-id-code
time="16-06-2022 14:49:03" level=info msg="no changes to IP rules "
time="16-06-2022 14:49:03" level=info msg="done processing decisions with scope=Ip" account_id=account-id-code
time="16-06-2022 14:51:33" level=info msg="found new decision with value=218.92.0.203, scope=Ip, type=ban" account_id=account-id-code
time="16-06-2022 14:51:43" level=info msg="processing decisions with scope=Ip" account_id=account-id-code
time="16-06-2022 14:51:43" level=warning msg="1 IPs would be dropped to avoid exceeding IP list limit" account_id=account-id-code
time="16-06-2022 14:51:46" level=info msg="added 1 new IPs and deleted 1 IPs"
time="16-06-2022 14:51:46" level=info msg="done processing decisions with scope=Ip" account_id=account-id-code

The line where it found my ip as an expired decision could very well be from testing I was doing with the SSH agent. Though the date/time for all entries in that file are the exact same, presumably right when I installed/configured the CF bouncer.

from cs-wordpress-bouncer.

julienloizelet commented on June 4, 2024

Hi,
This kind of line:

2022-06-16T20:50:33.428664+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.laptop.ip.address"}

shows that the WP bouncer does not know that you are using a proxy with the IP address cloudflare.ip.address.

So, the WP Bouncer is trying to bounce the cloudflare.ip.address IP and not your own my.laptop.ip.address IP (and the result is a "bypass").

Could you add the cloudflare.ip.address IP to the WP Bouncer settings: Advanced -> Remediations -> Trust these CDN Ips?

Please, let me know if it's better after that.

P.S.: The WP Bouncer can work without the Cloudflare bouncer, but it should not harm to use both. Unfortunately, I don't know how this Cloudflare bouncer is working, so I won't be able to help you for this part.

from cs-wordpress-bouncer.
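The diagnosis in the comment above, as an added example (not code from the thread or from the plugin): `resolve_client_ip` only honours X-Forwarded-For when the direct peer is a trusted proxy, and `proxies_being_bounced` finds in a prod.log the proxy addresses that were bounced in place of the real client. The right-to-left hop walk is a general hardening pattern assumed here, not the plugin's confirmed logic; `203.0.113.7` and `198.51.100.9` are constructed addresses.

```python
import ipaddress
import json


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return (ip_to_bounce, event); event mirrors the plugin's warning entry or is None."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip):
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        return any(addr in net for net in nets)

    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    if not hops:
        return remote_addr, None
    if not is_trusted(remote_addr):
        # Header sent by a peer we do not trust: ignore it and bounce the peer itself.
        return remote_addr, {
            "type": "NON_AUTHORIZED_X_FORWARDED_FOR_USAGE",
            "original_ip": remote_addr,
            "x_forwarded_for_ip": hops[-1],
        }
    # Peer is a trusted proxy: the first hop from the right that is not itself
    # a trusted proxy is the address the trusted chain actually saw.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop)), None
        except ValueError:
            return remote_addr, None  # malformed hop: fall back to the peer
    return remote_addr, None


def proxies_being_bounced(log_text):
    """Map each flagged original_ip that received a FINAL_REMEDIATION to the
    forwarded client IPs that were ignored in its favour."""
    flagged, bounced = {}, set()
    for line in log_text.splitlines():
        parts = line.split("|", 2)  # timestamp|level|json
        if len(parts) != 3:
            continue
        try:
            entry = json.loads(parts[2])
        except ValueError:
            continue
        if entry.get("type") == "NON_AUTHORIZED_X_FORWARDED_FOR_USAGE":
            flagged.setdefault(entry["original_ip"], set()).add(entry["x_forwarded_for_ip"])
        elif entry.get("type") == "FINAL_REMEDIATION" and entry.get("ip") in flagged:
            bounced.add(entry["ip"])
    return {ip: sorted(flagged[ip]) for ip in bounced}


# prod.log lines copied from the thread (addresses already redacted by the poster).
SAMPLE_PROD_LOG = r"""
2022-06-16T20:50:33.428664+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.laptop.ip.address"}
2022-06-16T20:50:33.439125+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"cloudflare.ip.address","cache":"miss"}
2022-06-16T20:50:33.439352+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
2022-06-16T20:50:33.757796+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"cloudflare.ip.address","x_forwarded_for_ip":"my.server.ip.address"}
2022-06-16T20:50:33.770058+00:00|200|{"type":"FINAL_REMEDIATION","ip":"cloudflare.ip.address","remediation":"bypass"}
"""

if __name__ == "__main__":
    cdn_peer = "108.162.216.208"  # peer address seen in crowdsec_api.log above
    print(resolve_client_ip(cdn_peer, "203.0.113.7", []))
    print(resolve_client_ip(cdn_peer, "203.0.113.7", [cdn_peer + "/32"]))
    print(proxies_being_bounced(SAMPLE_PROD_LOG))
```

A non-empty result from `proxies_being_bounced` means the listed proxy address is missing from the trusted CDN list, so every visitor behind it shares one remediation.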

nickchomey commented on June 4, 2024

That helped for sure. But still not showing captcha (or banning, even after setting the fallback to ban). It seems to cache the ip and misses at first then hits. The final remediation is always bypass regardless of whether I try 20 times in rapid succession.

prod.log

2022-06-17T16:55:36.525241+00:00|200|{"type":"WP_SETTING_UPDATE","crowdsec_fallback_remediation":"ban"}
2022-06-17T16:59:33.275214+00:00|200|{"type":"FINAL_REMEDIATION","ip":"LAPTOP.IP","remediation":"bypass"}
2022-06-17T16:59:35.023981+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"LAPTOP.IP","cache":"miss"}
2022-06-17T16:59:35.024185+00:00|200|{"type":"FINAL_REMEDIATION","ip":"LAPTOP.IP","remediation":"bypass"}
2022-06-17T16:59:37.771461+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"LAPTOP.IP","cache":"hit"}

debug.log

2022-06-17T16:59:30.842822+00:00|100|{"type":"START_IP_CHECK","ip":"LAPTOP.IP"}
2022-06-17T16:59:30.843037+00:00|100|{"type":"DIRECT_API_CALL","ip":"LAPTOP.IP"}
2022-06-17T16:59:30.843143+00:00|100|{"type":"HTTP CALL","method":"GET","uri":"http://localhost:8080/v1/decisions?ip=LAPTOP.IP","content":null}
2022-06-17T16:59:30.855733+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"LAPTOP.IP","cache":"miss"}
2022-06-17T16:59:30.855939+00:00|200|{"type":"FINAL_REMEDIATION","ip":"LAPTOP.IP","remediation":"bypass"}
2022-06-17T16:59:31.175649+00:00|100|{"type":"API_CACHE_INIT","adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter","mode":"live","exp_clean_ips":5,"exp_bad_ips":20,"exp_captcha_flow":86400,"exp_geolocation_result":86400,"warmed_up":"false","geolocation":{"save_result":true,"enabled":false,"type":"maxmind","maxmind":{"database_type":"country"}}}
2022-06-17T16:59:31.175855+00:00|100|{"type":"REST_CLIENT_INIT","base_uri":"http://localhost:8080","timeout":1}
2022-06-17T16:59:31.175903+00:00|100|{"type":"API_CLIENT_INIT","user_agent":"WordPress CrowdSec Bouncer/v1.5.0"}
2022-06-17T16:59:31.176134+00:00|100|{"type":"START_IP_CHECK","ip":"SERVER.IP"}
2022-06-17T16:59:31.176222+00:00|100|{"type":"DIRECT_API_CALL","ip":"SERVER.IP"}
2022-06-17T16:59:31.176270+00:00|100|{"type":"HTTP CALL","method":"GET","uri":"http://localhost:8080/v1/decisions?ip=SERVER.IP","content":null}
2022-06-17T16:59:31.187507+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"SERVER.IP","cache":"miss"}
2022-06-17T16:59:31.187711+00:00|200|{"type":"FINAL_REMEDIATION","ip":"SERVER.IP","remediation":"bypass"}
2022-06-17T16:59:33.274409+00:00|100|{"type":"API_CACHE_INIT","adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter","mode":"live","exp_clean_ips":5,"exp_bad_ips":20,"exp_captcha_flow":86400,"exp_geolocation_result":86400,"warmed_up":"false","geolocation":{"save_result":true,"enabled":false,"type":"maxmind","maxmind":{"database_type":"country"}}}
2022-06-17T16:59:33.274599+00:00|100|{"type":"REST_CLIENT_INIT","base_uri":"http://localhost:8080","timeout":1}
2022-06-17T16:59:33.274642+00:00|100|{"type":"API_CLIENT_INIT","user_agent":"WordPress CrowdSec Bouncer/v1.5.0"}
2022-06-17T16:59:33.274871+00:00|100|{"type":"START_IP_CHECK","ip":"LAPTOP.IP"}
2022-06-17T16:59:33.275052+00:00|200|{"type":"CLEAN_VALUE","scope":"Ip","value":"LAPTOP.IP","cache":"hit"}
2022-06-17T16:59:33.275214+00:00|200|{"type":"FINAL_REMEDIATION","ip":"LAPTOP.IP","remediation":"bypass"}

from cs-wordpress-bouncer.

julienloizelet commented on June 4, 2024

Hi,
it seems that the WP bouncer is now bouncing the LAPTOP.IP as expected.

It asks the LAPI to get the remediation for this IP and the result is "bypass".

If you want to test a ban for example, you have to add a decision for this (you can use the cscli command line tool)

If you want to check all the active decisions :

cscli decisions list

If you want to add a ban decision for the LAPTOP.IP:

cscli decisions add --scope Ip --value LAPTOP.IP --duration 4h --type ban

If you want to retrieve a decision for this specific LAPTOP.IP:

cscli decisions list -i LAPTOP.IP

If you want to delete a decision for this specific LAPTOP.IP:

cscli decisions delete -i LAPTOP.IP

As I see in the logs, "clean" IP decisions are cached for 5 seconds, and "bad" IP decisions are cached for 20s, so you should wait between a decision modification and refreshing your browser to see the result.

If all is ok, you should see for example a ban wall if you add a ban decision for your LAPTOP.IP.

Please let me know.

from cs-wordpress-bouncer.
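The caching delay mentioned in the comment above, as an added example (a simplified model written for this page, not the plugin's code): a live-mode cache with the `exp_clean_ips` and `exp_bad_ips` values from the debug.log, replayed against a ban that is added and later deleted. The class, the dict standing in for the LAPI, and the address `203.0.113.7` are assumptions.

```python
EXP_CLEAN_IPS = 5   # seconds, "exp_clean_ips" in the debug.log entries above
EXP_BAD_IPS = 20    # seconds, "exp_bad_ips" in the debug.log entries above


class LiveModeCache:
    """Model of a per-IP remediation cache in front of the LAPI (assumed semantics)."""

    def __init__(self, lapi_decisions):
        # dict ip -> remediation; stands in for GET /v1/decisions?ip=<ip>
        self.lapi = lapi_decisions
        self.entries = {}  # ip -> (remediation, expires_at)

    def remediation_for(self, ip, now):
        cached = self.entries.get(ip)
        if cached and now < cached[1]:
            return cached[0], "hit"  # answered from cache, LAPI not asked
        remediation = self.lapi.get(ip, "bypass")
        ttl = EXP_CLEAN_IPS if remediation == "bypass" else EXP_BAD_IPS
        self.entries[ip] = (remediation, now + ttl)
        return remediation, "miss"


def ban_test_timeline(ip="203.0.113.7"):
    """Replay: page loads at t=0,3,6,20,27 s; ban added at t=1, deleted at t=7."""
    lapi = {}
    cache = LiveModeCache(lapi)
    steps = [(0, None), (1, "add"), (3, None), (6, None),
             (7, "delete"), (20, None), (27, None)]
    seen = []
    for now, action in steps:
        if action == "add":        # cscli decisions add ... --type ban
            lapi[ip] = "ban"
        elif action == "delete":   # cscli decisions delete -i <ip>
            lapi.pop(ip, None)
        else:
            seen.append((now, *cache.remediation_for(ip, now)))
    return seen


if __name__ == "__main__":
    for now, remediation, cache_state in ban_test_timeline():
        print(f"t={now:>2}s remediation={remediation:<6} cache={cache_state}")
```

In this model the ban only becomes visible once the cached clean entry has expired, and a deleted ban keeps being served until its 20 s entry expires.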

julienloizelet commented on June 4, 2024

Closing this ticket for now. Feel free to reopen if the problem still exists. Thank you.

from cs-wordpress-bouncer.
