diff --git a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
index 76f64ab..6c576f4 100644
--- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
@@ -13,11 +13,11 @@ whitelist:
 {% if node['name'] == 'auth' %}
 expression:
 # budget local-first sql scrap rule
- - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'"
+ - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/data/migrations/'"
 # immich thumbnail request 404 error false positive
- - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
+ - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
 # opencloud chunk request false positive
- - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
+ - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/js/chunks/'"
 # nextcloud thumbnail/preview request error false positive
 - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'"
 {% endif %}
diff --git a/docs/issues/crowdsec/260321_actual_budget.md b/docs/issues/crowdsec/260321_actual_budget.md
index c5d7417..cf40d04 100644
--- a/docs/issues/crowdsec/260321_actual_budget.md
+++ b/docs/issues/crowdsec/260321_actual_budget.md
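Review bot: The three rewritten expressions still match the path with `contains`, whereas the nextcloud entry below anchors it with `startsWith`; that entry's pattern `'/index.php/core/preview?'` shows `evt.Meta.http_path` carries the query string too, so a `contains` on `'/data/migrations/'`, `'/js/chunks/'` or `'/api/assets/'` exempts any GET with that substring anywhere in the URL, which is wider than the single false positive each comment names. Anchoring each rule the way the nextcloud one is written, e.g. `evt.Meta.http_path startsWith '/data/migrations/'` for the actualbudget line and `evt.Meta.http_path startsWith '/api/assets/'` for the immich line, keeps the exemption to the real endpoint while preserving the verb and status narrowing this commit adds. The exact prefixes the applications use are not visible in this hunk, so confirm them from the inspected alerts before changing the operator; the enclosing `whitelist:` block starts above the hunk.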
@@ -21,13 +21,14 @@ ## Timeline - 2026-03-21: Release actual budget - 2026-03-21: Find the false positive case, and add whitelist +- 2026-05-07: Optimize whitelist expression ## Solution - Access to fw - Check the ban list with `sudo cscli alerts list` - Read the ban case with `sudo cscli alerts inspect $NUMBER` - Add expressions on whitelist - - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/' + - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/data/migrations/' - Delete false positive decision - Check false positive decision with `sudo cscli decision list` - Delete false positive decision with `sudo cscli decision delete --id $ID`
diff --git a/docs/issues/crowdsec/260321_immich.md b/docs/issues/crowdsec/260321_immich.md
index bfc33ed..9ad4be1 100644
--- a/docs/issues/crowdsec/260321_immich.md
+++ b/docs/issues/crowdsec/260321_immich.md
@@ -20,13 +20,14 @@ ## Timeline - 2026-03-21: Release Immich - 2026-03-21: Find the false positive case, and add whitelist +- 2026-05-07: Optimize whitelist expression ## Solution - Access to fw - Check the ban list with `sudo cscli alerts list` - Read the ban case with `sudo cscli alerts inspect $NUMBER` - Add expressions on whitelist - - evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail' + - evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail' - Delete false positive decision - Check false positive decision with `sudo cscli decision list` - Delete false positive decision with `sudo cscli decision delete --id $ID`
diff --git a/docs/issues/crowdsec/260404_opencloud.md b/docs/issues/crowdsec/260404_opencloud.md
index 2b66977..eafeae6 100644
--- a/docs/issues/crowdsec/260404_opencloud.md
+++ b/docs/issues/crowdsec/260404_opencloud.md
@@ -20,13 +20,14 @@ ## Timeline - 2026-04-04: Release OpenCloud - 2026-04-04: Find the false positive case, and add whitelist +- 2026-05-07: Optimize whitelist expression ## Solution - Access to fw - Check the ban list with `sudo cscli alerts list` - Read the ban case with `sudo cscli alerts inspect $NUMBER` - Add expressions on whitelist - - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/' + - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/js/chunks/' - Delete false positive decision - Check false positive decision with `sudo cscli decision list` - Delete false positive decision with `sudo cscli decision delete --id $ID`
diff --git a/docs/services/common/crowdsec.md b/docs/services/common/crowdsec.md
index 1bc72dc..54af053 100644
--- a/docs/services/common/crowdsec.md
+++ b/docs/services/common/crowdsec.md
@@ -234,9 +234,9 @@ fw@fw:~$ sudo cscli alerts inspect 230 -d - check the log and analyze and make expression - e.g. immich - - evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail' + - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'" - e.g. opencloud - - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'" + - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/js/chunks/'" - free false positive decision fw@fw:~$ sudo cscli decision list