il/ilnmors-homelab
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cb4d17f99e136637c975ff12309f32f58b0dd60d
ilnmors-homelab/docs/issues/crowdsec/260321_actual_budget.md
il cb4d17f99e docs(issues): add the past issues which existed before tracking issues 
add crowdsec false positive issues

fix the file name of affine android oidc issues
2026-04-27 19:50:04 +09:00

1.1 KiB
Raw Blame History

Actual Budget crowdsec false positive issue

Status

  • Finished

Date

  • 2026-03-21

Version

  • Actual Budget: 26.3.0

Problem

  • When users access and log in actual budget, all connections to homelab services are refused.
    • fw ban users' IP address.

Reason

  • Actual budget has local first policy.
  • When the user log in actual budget, the client downloads all sql files from the server.
  • LAPI decides that as an attack which sensitive file(sql) is downloaded concurrently.

Timeline

  • 2026-03-21: Release actual budget
  • 2026-03-21: Find the false positive case, and add whitelist

Solution

  • Access to fw
    • Check the ban list with sudo cscli alerts list
    • Read the ban case with sudo cscli alerts inspect $NUMBER
  • Add regex on whitelist
    • evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'
  • Delete false positive decision
    • Check false positive decision with sudo cscli decision list
    • Delete false positive decision with sudo cscli decision list --id $ID
Reference in New Issue View Git Blame Copy Permalink