[Bug] NPM Streams are not affected by Crowdsec Bouncer #11

@seele05

Description

Current Behavior

Configured port streams are not affected by the bouncer.
A blocked IP cannot access proxied services but can access streamed ports.

I tried to have NPM facing connections from the internet for all my services (in this specific test: postfix/dovecot).
(It is working fine for all proxy connections.)

Expected Behavior

Blocks also include streamed ports, or there is info about this in the docs.

In my setup while testing I noticed the given behavior, but on top of that, all connections coming over NPM to postfix have obscured IPs, like in source NAT. Therefore postfix sees the connection from outside with an internal IP (from the NPM container) and it is automatically whitelisted.
This undermines the brute-force/DDoS protection :(

Steps To Reproduce

  • The test client was using a dedicated internet connection
  • Block its IP for test purposes
  • While being on the blocklist:
  • test access to the web
  • test access over a streamed port

Environment

  • OS: debian
  • OS version: 12
  • CPU: 2x L5640
  • Docker version: Docker version 27.1.2, build d01f264
  • Device model:
  • Browser/OS: chrome:latest

Container creation

```yaml
# Top-level networks:/volumes: declarations were not included in the report.
version: "3"
services:
  app:
    image: 'lepresidente/nginxproxymanager:latest'
    restart: unless-stopped
    container_name: Extern-NPM-Crowdsec
    networks:
      npm-connect:
      default:
      npm-extern:
        ipv4_address: 10.10.15.4
    environment:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "XXXXX"
      DB_MYSQL_PASSWORD: "XXXXX"
      DB_MYSQL_NAME: "XXXXX"
      ADMIN_PANEL_LOG: "1"
      CROWDSEC_BOUNCER: "1"
      OPENRESTY_DEBUG: "0"
      CROWDSEC_LAPI: "http://crowdsec:8080"
      CROWDSEC_KEY: "XXXXXXXXXXXXXXXXXXXXXXXXX"
    volumes:
      - data:/data
      - letsencrypt:/etc/letsencrypt
    depends_on:
      - db

  db:
    image: 'jc21/mariadb-aria:latest'
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: 'XXXXX'
      MYSQL_DATABASE: 'XXXXX'
      MYSQL_USER: 'XXXXX'
      MYSQL_PASSWORD: 'XXXXX'
    volumes:
      - mysql:/var/lib/mysql
    networks:
      default:
        aliases:
          - db

  crowdsec:
    image: 'crowdsecurity/crowdsec:latest'
    restart: always
    environment:
      COLLECTIONS: "crowdsecurity/nginx"
      GID: "${GID-1000}"
    volumes:
      - crowdsec-db:/var/lib/crowdsec/data/
      - crowdsec-config:/etc/crowdsec/
      - /var/run/docker.sock:/var/run/docker.sock
```

Container log

Log for crowdsec:

```text
time="2024-08-27T16:01:17Z" level=info msg="(localhost/cscli) manual 'ban' from 'localhost' by ip 95.33.12.148 : 4h ban on Ip 95.33.12.148"
time="2024-08-27T16:01:17Z" level=info msg="127.0.0.1 - [Tue, 27 Aug 2024 16:01:17 UTC] \"POST /v1/alerts HTTP/1.1 201 125.832548ms \"crowdsec/v1.6.2-16bfab86-docker\" \""
time="2024-08-27T16:01:25Z" level=info msg="Signal push: 1 signals to push"
time="2024-08-27T16:01:52Z" level=info msg="172.21.0.4 - [Tue, 27 Aug 2024 16:01:52 UTC] \"GET /v1/decisions?ip=95.33.12.148 HTTP/1.1 200 1.511162907s \"crowdsec-openresty-bouncer/v1.0.2\" \""
```

Container inspect

No response

Anything else?

I am not sure if it is really a bug, as I assume that port streams are not really manageable, but I hope they are.
At least some info in the docs would be nice, that if you are using crowdsec and streamed ports you may have a security hole.
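A detection-side check for the obscured-source-IP situation described in the report, added here as an example that is not part of the original issue or of the NPM/CrowdSec projects: it scans postfix/dovecot log lines for connections whose recorded client address is the proxy container's own address. That is exactly the traffic that looks internal to the mail server (and so falls under its trusted-network whitelisting) and that no CrowdSec decision against the real client can reach. The proxy address (172.21.0.4, taken from the bouncer's request in the CrowdSec log above) and the log lines are constructed assumptions.

```python
"""Audit mail-server logs for connections that arrived through the proxy.

When NPM forwards a TCP stream without preserving the client address, postfix
and dovecot only see the proxy container's IP. Each such connection is reported
as "proxied": its real origin is unknown to the mail server, so neither its
brute-force protection nor a CrowdSec ban on the real client applies.
"""
import ipaddress
import re

# Assumption: the NPM container reaches the mail server from this address
# (172.21.0.4 is the bouncer's source address in the report's CrowdSec log).
PROXY_IPS = {ipaddress.ip_address("172.21.0.4")}

# Constructed sample lines in postfix/dovecot syslog format (not from the report).
SAMPLE_LOG = """\
Aug 27 16:02:01 mail postfix/smtpd[1201]: connect from unknown[172.21.0.4]
Aug 27 16:02:03 mail postfix/smtpd[1201]: disconnect from unknown[172.21.0.4] ehlo=1 auth=0/1 quit=1 commands=2/3
Aug 27 16:02:10 mail postfix/smtpd[1202]: connect from unknown[172.21.0.4]
Aug 27 16:02:30 mail postfix/smtpd[1203]: connect from mail.example.net[203.0.113.25]
Aug 27 16:02:44 mail dovecot: imap-login: Disconnected: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=172.21.0.4, lip=172.21.0.7
Aug 27 16:02:50 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=172.21.0.7
"""

# postfix/smtpd "connect from host[ip]" lines; "disconnect from" lines do not
# match because the pattern requires "]: connect" directly after the pid.
POSTFIX_CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([0-9a-fA-F:.]+)\]")
# dovecot *-login lines record the remote client address as rip=<ip>.
DOVECOT_LOGIN = re.compile(r"dovecot: [a-z0-9]+-login: .*\brip=([0-9a-fA-F:.]+)")


def client_ip(line):
    """Return the remote address recorded in a log line, or None if it has none."""
    for pattern in (POSTFIX_CONNECT, DOVECOT_LOGIN):
        m = pattern.search(line)
        if m:
            try:
                return ipaddress.ip_address(m.group(1))
            except ValueError:
                return None
    return None


def audit(log_text, proxy_ips=PROXY_IPS):
    """Split client connections into those whose source is the proxy and the rest."""
    result = {"proxied": [], "direct": []}
    for line in log_text.splitlines():
        ip = client_ip(line)
        if ip is None:
            continue
        key = "proxied" if ip in proxy_ips else "direct"
        result[key].append((ip, line))
    return result


def report(log_text, proxy_ips=PROXY_IPS):
    """Human-readable summary; every proxied line is one whose real client is lost."""
    r = audit(log_text, proxy_ips)
    total = len(r["proxied"]) + len(r["direct"])
    out = [f"{total} connections, {len(r['proxied'])} arrived via the proxy (real client unknown)"]
    for ip, line in r["proxied"]:
        out.append(f"  PROXIED {ip}: {line}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against real logs, a non-zero "proxied" count for a service that only external clients should reach is the signal that the stream is reaching the mail server with the client address replaced, and the lines it lists are the ones postfix's and dovecot's own per-client limits cannot attribute to anyone.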
