Crowdsec views Mattermost clients as attackers

Troubleshooting
1

For the last couple of weeks I have been getting user complaints about not being able to logon. Highly erratic behaviour where login wasn’t possible with service not found messages and a few hours later things would work again.
Well, to cut a somewhat long troubleshooting story short, it turned out to be my Intrusion Protection System, https://crowdsec.net/ which all of a sudden views Mattermost clients looking for backend services as attackers and blocks the IP for 4 hours.


sudo cscli decisions list
+----------+----------+-------------------+--------------------------------------+--------+---------+----------
|    ID    |  SOURCE  |    SCOPE:VALUE    |                REASON                | ACTION
| 11870524 | crowdsec | Ip:149.172.x.y    | crowdsecurity/http-crawl-non_statics | ban

Now, I don’t know if this behaviour is due to some recent changes in how MM clients communicate or if it’s Crowdsec which changed. I will take this up with Crowdsec but I thought I make you aware.

2

I am having a similar problem since a few days. But for me it is http-probing which triggers. MM and Clients are up to date.

3

Hi Twilek,

any specific details on the http probing? The client tries to connect to some Mattermost servers upon start to find out if there’s a working internet connection and updates available. If that’s identified as HTTP probing, then we might have the reason here. Is it possible to put specific domains on an ignore list or somthing like that for your IPS to not trigger on such actions?

4

Hi,
http probing is when someone tries to access URLs on the server and gets a 403 or 404 in return. If this happens too often in a certain time it gets flagged. I am using the docker team edition which is up to date. It is only the Windows Desktop Client which has the problem (althought this is the only Desktop Client used by the users, I am running a very small instance of mattermost). The mobile clients (ios and android) do not have this problem. The Desktop Client was always the latest version 5.2.2. I have now removed the mattermost server from the monitoring by crowdsec as it was unusable. I have tried to pinpoint the problem in the logs and it seems that the clients tried to access thumbnail pictures and emojjis which weren´t there. Althought there where no missing graphics visible in the clients. What is interesting is that this behaviour started about 2 or 3 weeks ago. Before that Mattermost, Crowdsec and the Desktop Clients ran toghether without any problems.

5

Hi Twilek,

thanks for the additional details, so to summarize:

  • Desktop client was always 5.2.2 and never a different version
  • Server version was always the same (which one?)
  • Where is Crowdsec running? On the client with the desktop app or on the server? By looking at the command cscli decisions list I think it’s running on the server, but just trying to understand the scope here fully.

I’m not sure what requests really cause issues there, it could well be that the client tries to load deleted emojis or profile pictures for bots who don’t have one, so it would be interesting to get a list of all 404s and 403s on your system when the desktop app starts, so we can further analyze where they’re coming from.
It could also be a cached channel in the client where the client does not have access to anymore or anything else cache-related, very hard to guess here without seeing the details in the logs and requests.

6

Always 5.2.2. One user completely deinstalled and reinstalled the app so cache should not be the problem.
I updated the server multiple times during that time
Crowdsec is running as a traefik middleware on the server.

Here is the traefik log of one of the clients which where banned (IP was redacted) showing all 404 and 403 errors, not all log entries. Althought crowdsec does not tell me that those were the erros wihich triggered it, but they probably were.

130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /plugins/boards/api/v2/clientConfig HTTP/2.0" 404 19 "-" "-" 1103 "mattermost-secure@docker" "http://192.168.48.8:8065" 9ms
130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /api/v4/system/notices/?client=desktop&clientVersion=5.2.2 HTTP/2.0" 404 260 "-" "-" 1113 "mattermost-secure@docker" "http://192.168.48.8:8065" 12ms
130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /plugins/boards/api/v2/teams HTTP/2.0" 404 19 "-" "-" 1118 "mattermost-secure@docker" "http://192.168.48.8:8065" 15ms
130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c HTTP/2.0" 404 19 "-" "-" 1117 "mattermost-secure@docker" "http://192.168.48.8:8065" 16ms
130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c/boards HTTP/2.0" 404 19 "-" "-" 1119 "mattermost-secure@docker" "http://192.168.48.8:8065" 18ms
130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /plugins/boards/api/v2/users/me/memberships HTTP/2.0" 404 19 "-" "-" 1120 "mattermost-secure@docker" "http://192.168.48.8:8065" 26ms
130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /plugins/boards/api/v2/users/me HTTP/2.0" 404 19 "-" "-" 1115 "mattermost-secure@docker" "http://192.168.48.8:8065" 32ms
130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /plugins/boards/api/v2/users/me/config HTTP/2.0" 404 19 "-" "-" 1116 "mattermost-secure@docker" "http://192.168.48.8:8065" 37ms
130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c/templates HTTP/2.0" 404 19 "-" "-" 1121 "mattermost-secure@docker" "http://192.168.48.8:8065" 34ms
130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /plugins/boards/api/v2/limits HTTP/2.0" 404 19 "-" "-" 1122 "mattermost-secure@docker" "http://192.168.48.8:8065" 38ms
130.x.x.x - - [20/Jan/2023:12:59:49 +0000] "GET /api/v4/channels/4gwcworn6bb69g4s3mbde7ksxw/posts?since=1674042054627&skipFetchThreads=false&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 200 2490 "-" "-" 19694 "mattermost-secure@docker" "http://192.168.48.8:8065" 35ms
130.x.x.x - - [20/Jan/2023:17:54:27 +0000] "GET /api/v4/channels/4gwcworn6bb69g4s3mbde7ksxw/posts?since=1674042054627&skipFetchThreads=false&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 200 2649 "-" "-" 22276 "mattermost-secure@docker" "http://192.168.48.8:8065" 17ms
130.x.x.x - - [20/Jan/2023:18:21:05 +0000] "GET /api/v4/channels/4gwcworn6bb69g4s3mbde7ksxw/posts?since=1674042054627&skipFetchThreads=false&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 200 2822 "-" "-" 25569 "mattermost-secure@docker" "http://192.168.48.8:8065" 14ms
130.x.x.x - - [20/Jan/2023:19:49:08 +0000] "GET /api/v4/channels/4gwcworn6bb69g4s3mbde7ksxw/posts?since=1674042054627&skipFetchThreads=false&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 200 3829 "-" "-" 31793 "mattermost-secure@docker" "http://192.168.48.8:8065" 34ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /plugins/boards/api/v2/clientConfig HTTP/2.0" 404 19 "-" "-" 31903 "mattermost-secure@docker" "http://192.168.48.8:8065" 9ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /api/v4/system/notices/?client=desktop&clientVersion=5.2.2 HTTP/2.0" 404 260 "-" "-" 31909 "mattermost-secure@docker" "http://192.168.48.8:8065" 11ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /plugins/boards/api/v2/users/me HTTP/2.0" 404 19 "-" "-" 31912 "mattermost-secure@docker" "http://192.168.48.8:8065" 16ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /plugins/boards/api/v2/limits HTTP/2.0" 404 19 "-" "-" 31917 "mattermost-secure@docker" "http://192.168.48.8:8065" 17ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /plugins/boards/api/v2/users/me/config HTTP/2.0" 404 19 "-" "-" 31913 "mattermost-secure@docker" "http://192.168.48.8:8065" 27ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /plugins/boards/api/v2/users/me/memberships HTTP/2.0" 404 19 "-" "-" 31914 "mattermost-secure@docker" "http://192.168.48.8:8065" 33ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c/boards HTTP/2.0" 404 19 "-" "-" 31921 "mattermost-secure@docker" "http://192.168.48.8:8065" 38ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /plugins/boards/api/v2/teams HTTP/2.0" 404 19 "-" "-" 31922 "mattermost-secure@docker" "http://192.168.48.8:8065" 39ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c/templates HTTP/2.0" 404 19 "-" "-" 31916 "mattermost-secure@docker" "http://192.168.48.8:8065" 48ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c HTTP/2.0" 404 19 "-" "-" 31920 "mattermost-secure@docker" "http://192.168.48.8:8065" 49ms
130.x.x.x - - [21/Jan/2023:06:58:48 +0000] "GET /plugins/boards/api/v2/clientConfig HTTP/2.0" 404 19 "-" "-" 63196 "mattermost-secure@docker" "http://192.168.48.8:8065" 10ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /api/v4/system/notices/?client=desktop&clientVersion=5.2.2 HTTP/2.0" 404 260 "-" "-" 63201 "mattermost-secure@docker" "http://192.168.48.8:8065" 9ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /plugins/boards/api/v2/users/me HTTP/2.0" 404 19 "-" "-" 63205 "mattermost-secure@docker" "http://192.168.48.8:8065" 9ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c HTTP/2.0" 404 19 "-" "-" 63207 "mattermost-secure@docker" "http://192.168.48.8:8065" 10ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /plugins/boards/api/v2/users/me/config HTTP/2.0" 404 19 "-" "-" 63206 "mattermost-secure@docker" "http://192.168.48.8:8065" 11ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c/boards HTTP/2.0" 404 19 "-" "-" 63208 "mattermost-secure@docker" "http://192.168.48.8:8065" 14ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /plugins/boards/api/v2/users/me/memberships HTTP/2.0" 404 19 "-" "-" 63210 "mattermost-secure@docker" "http://192.168.48.8:8065" 27ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c/templates HTTP/2.0" 404 19 "-" "-" 63211 "mattermost-secure@docker" "http://192.168.48.8:8065" 33ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /plugins/boards/api/v2/limits HTTP/2.0" 404 19 "-" "-" 63214 "mattermost-secure@docker" "http://192.168.48.8:8065" 33ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /plugins/boards/api/v2/teams HTTP/2.0" 404 19 "-" "-" 63209 "mattermost-secure@docker" "http://192.168.48.8:8065" 38ms
130.x.x.x - - [21/Jan/2023:08:35:49 +0000] "POST /api/v4/users/status/ids HTTP/2.0" 200 998 "-" "-" 64045 "mattermost-secure@docker" "http://192.168.48.8:8065" 14ms
130.x.x.x - - [21/Jan/2023:08:35:49 +0000] "POST /api/v4/users/ids?since=1674286717450 HTTP/2.0" 200 2 "-" "-" 64040 "mattermost-secure@docker" "http://192.168.48.8:8065" 31ms
130.x.x.x - - [21/Jan/2023:08:35:49 +0000] "GET /api/v4/channels/1zc3ns1nkjbg3mq16ct1iq5quy/posts?since=1674287138403&skipFetchThreads=false&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 200 110 "-" "-" 64042 "mattermost-secure@docker" "http://192.168.48.8:8065" 32ms
130.x.x.x - - [21/Jan/2023:08:35:49 +0000] "GET /api/v4/users/me/teams/unread?include_collapsed_threads=false HTTP/2.0" 200 190 "-" "-" 64041 "mattermost-secure@docker" "http://192.168.48.8:8065" 36ms
130.x.x.x - - [21/Jan/2023:08:35:49 +0000] "GET /plugins/com.github.moussetc.mattermost.plugin.spoiler/config HTTP/2.0" 200 26 "-" "-" 64044 "mattermost-secure@docker" "http://192.168.48.8:8065" 36ms
130.x.x.x - - [21/Jan/2023:08:35:49 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 200 867 "-" "-" 64043 "mattermost-secure@docker" "http://192.168.48.8:8065" 38ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /plugins/boards/api/v2/clientConfig HTTP/2.0" 404 19 "-" "-" 64716 "mattermost-secure@docker" "http://192.168.48.8:8065" 10ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /api/v4/system/notices/?client=desktop&clientVersion=5.2.2 HTTP/2.0" 404 260 "-" "-" 64720 "mattermost-secure@docker" "http://192.168.48.8:8065" 12ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /plugins/boards/api/v2/users/me/memberships HTTP/2.0" 404 19 "-" "-" 64730 "mattermost-secure@docker" "http://192.168.48.8:8065" 25ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c/boards HTTP/2.0" 404 19 "-" "-" 64727 "mattermost-secure@docker" "http://192.168.48.8:8065" 27ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /plugins/boards/api/v2/users/me HTTP/2.0" 404 19 "-" "-" 64725 "mattermost-secure@docker" "http://192.168.48.8:8065" 48ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /plugins/boards/api/v2/users/me/config HTTP/2.0" 404 19 "-" "-" 64726 "mattermost-secure@docker" "http://192.168.48.8:8065" 51ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c HTTP/2.0" 404 19 "-" "-" 64728 "mattermost-secure@docker" "http://192.168.48.8:8065" 54ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /plugins/boards/api/v2/teams HTTP/2.0" 404 19 "-" "-" 64729 "mattermost-secure@docker" "http://192.168.48.8:8065" 54ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /plugins/boards/api/v2/limits HTTP/2.0" 404 19 "-" "-" 64731 "mattermost-secure@docker" "http://192.168.48.8:8065" 56ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /plugins/boards/api/v2/teams/okaw5md83f8i7dff8suxfdyd8c/templates HTTP/2.0" 404 19 "-" "-" 64732 "mattermost-secure@docker" "http://192.168.48.8:8065" 56ms
130.x.x.x - - [21/Jan/2023:10:45:18 +0000] "GET /api/v4/channels/4gwcworn6bb69g4s3mbde7ksxw/members/me HTTP/2.0" 200 448 "-" "-" 65404 "mattermost-secure@docker" "http://192.168.48.8:8065" 11ms
130.x.x.x - - [21/Jan/2023:11:26:49 +0000] "POST /api/v4/users/status/ids HTTP/2.0" 200 1000 "-" "-" 69404 "mattermost-secure@docker" "http://192.168.48.8:8065" 23ms
130.x.x.x - - [21/Jan/2023:14:02:49 +0000] "GET /api/v4/users/me/teams/unread?include_collapsed_threads=false HTTP/2.0" 200 190 "-" "-" 82404 "mattermost-secure@docker" "http://192.168.48.8:8065" 34ms
130.x.x.x - - [21/Jan/2023:16:08:55 +0000] "POST /api/v4/notifications/ack HTTP/2.0" 200 15 "-" "-" 404 "mattermost-secure@docker" "http://192.168.48.8:8065" 102ms
7

Oops there are some valid rqequests there, I just grepped for the string “404”

8

Same thing for 403 errors:

130.x.x.x - - [21/Jan/2023:13:44:11 +0000] "GET /static/remote_entry.js?bt=1674243206021 HTTP/2.0" 200 8403 "-" "-" 81947 "mattermost-secure@docker" "http://192.168.48.8:8065" 22ms
130.x.x.x - - [21/Jan/2023:13:44:12 +0000] "GET /api/v4/trial-license/prev HTTP/2.0" 403 202 "-" "-" 82006 "mattermost-secure@docker" "http://192.168.48.8:8065" 13ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/7chypxhtfbnc9c9g6d6cf6snua/thumbnail HTTP/2.0" 403 9 "-" "-" 82067 "mattermost-secure@docker" "-" 39ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/emiz7jy9wfr3fcuz9ckzjfsgse/thumbnail HTTP/2.0" 403 9 "-" "-" 82070 "mattermost-secure@docker" "-" 68ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/wc94qxicufrxmbn53x8umfbmce/thumbnail HTTP/2.0" 403 9 "-" "-" 82072 "mattermost-secure@docker" "-" 67ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/dw6zuxpf7tdftgk75sbi9j9dxh/thumbnail HTTP/2.0" 403 9 "-" "-" 82066 "mattermost-secure@docker" "-" 93ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/ncwe5nedubyijpfwqafap8squr/thumbnail HTTP/2.0" 403 9 "-" "-" 82071 "mattermost-secure@docker" "-" 88ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/uusnp37id38uudojeq1jgi4bfy/thumbnail HTTP/2.0" 403 9 "-" "-" 82069 "mattermost-secure@docker" "-" 98ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/8qmutfysa7rg5fojtm5smiyuey/thumbnail HTTP/2.0" 403 9 "-" "-" 82068 "mattermost-secure@docker" "-" 104ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/7dedstjagtdmfypxsgm11qg4ga/thumbnail HTTP/2.0" 403 9 "-" "-" 82065 "mattermost-secure@docker" "-" 112ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/xpp8s5w6qtyc3y8xzd1oq9mg1w/thumbnail HTTP/2.0" 403 9 "-" "-" 82073 "mattermost-secure@docker" "-" 90ms
130.x.x.x - - [21/Jan/2023:13:44:13 +0000] "GET /api/v4/files/7dedstjagtdmfypxsgm11qg4ga/thumbnail HTTP/2.0" 403 9 "-" "-" 82074 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:44:14 +0000] "GET /api/v4/channels/fgftqoabwife9dch5j5ngshcha/stats HTTP/2.0" 403 9 "-" "-" 82075 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:13:44:14 +0000] "GET /plugins/com.mattermost.apps/api/v1/bindings?user_id=qt7zbkei3bdppgxna1x7byb6do&channel_id=fgftqoabwife9dch5j5ngshcha&team_id=okaw5md83f8i7dff8suxfdyd8c&user_agent=webapp HTTP/2.0" 403 9 "-" "-" 82076 "mattermost-secure@docker" "-" 13ms
130.x.x.x - - [21/Jan/2023:13:44:14 +0000] "GET /api/v4/users/qt7zbkei3bdppgxna1x7byb6do/channels/fgftqoabwife9dch5j5ngshcha/posts/unread?limit_after=30&limit_before=30&skipFetchThreads=false&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 403 9 "-" "-" 82077 "mattermost-secure@docker" "-" 13ms
130.x.x.x - - [21/Jan/2023:13:44:14 +0000] "POST /api/v4/channels/members/me/view HTTP/2.0" 403 9 "-" "-" 82078 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:44:30 +0000] "GET /api/v4/channels/4ucdhcudu7rm5fn15rgphrikse/stats HTTP/2.0" 403 9 "-" "-" 82080 "mattermost-secure@docker" "-" 14ms
130.x.x.x - - [21/Jan/2023:13:44:30 +0000] "GET /api/v4/users/qt7zbkei3bdppgxna1x7byb6do/channels/4ucdhcudu7rm5fn15rgphrikse/posts/unread?limit_after=30&limit_before=30&skipFetchThreads=false&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 403 9 "-" "-" 82081 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:13:44:30 +0000] "POST /api/v4/channels/members/me/view HTTP/2.0" 403 9 "-" "-" 82082 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:44:32 +0000] "GET /api/v4/channels/fgftqoabwife9dch5j5ngshcha/stats HTTP/2.0" 403 9 "-" "-" 82083 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:13:44:32 +0000] "GET /api/v4/users/qt7zbkei3bdppgxna1x7byb6do/channels/fgftqoabwife9dch5j5ngshcha/posts/unread?limit_after=30&limit_before=30&skipFetchThreads=false&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 403 9 "-" "-" 82084 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:44:32 +0000] "POST /api/v4/channels/members/me/view HTTP/2.0" 403 9 "-" "-" 82085 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:44:45 +0000] "GET /api/v4/license/client?format=old HTTP/2.0" 403 9 "-" "-" 82087 "mattermost-secure@docker" "-" 13ms
130.x.x.x - - [21/Jan/2023:13:44:45 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 82086 "mattermost-secure@docker" "-" 13ms
130.x.x.x - - [21/Jan/2023:13:44:45 +0000] "PUT /api/v4/users/sessions/device HTTP/2.0" 403 9 "-" "-" 82088 "mattermost-secure@docker" "-" 16ms
130.x.x.x - - [21/Jan/2023:13:44:45 +0000] "GET /api/v4/users/me/preferences HTTP/2.0" 403 9 "-" "-" 82089 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:44:46 +0000] "GET /api/v4/users/me/teams HTTP/2.0" 403 9 "-" "-" 82090 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:44:46 +0000] "GET /api/v4/users/me/teams/members HTTP/2.0" 403 9 "-" "-" 82091 "mattermost-secure@docker" "-" 8ms
130.x.x.x - - [21/Jan/2023:13:44:46 +0000] "GET /api/v4/users/me HTTP/2.0" 403 9 "-" "-" 82092 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:44:46 +0000] "GET /api/v4/users/me/teams/okaw5md83f8i7dff8suxfdyd8c/channels/members HTTP/2.0" 403 9 "-" "-" 82094 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:13:44:46 +0000] "GET /api/v4/users/me/status HTTP/2.0" 403 9 "-" "-" 82093 "mattermost-secure@docker" "-" 18ms
130.x.x.x - - [21/Jan/2023:13:44:46 +0000] "GET /api/v4/users/me/teams/okaw5md83f8i7dff8suxfdyd8c/channels?include_deleted=true&last_delete_at=0 HTTP/2.0" 403 9 "-" "-" 82096 "mattermost-secure@docker" "-" 19ms
130.x.x.x - - [21/Jan/2023:13:44:46 +0000] "GET /api/v4/users/me/teams/okaw5md83f8i7dff8suxfdyd8c/channels/categories HTTP/2.0" 403 9 "-" "-" 82095 "mattermost-secure@docker" "-" 19ms
130.x.x.x - - [21/Jan/2023:13:44:46 +0000] "GET /api/v4/websocket HTTP/1.1" 403 9 "-" "-" 82097 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:13:44:48 +0000] "GET /api/v4/channels/fgftqoabwife9dch5j5ngshcha/posts?since=1674203114051&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 403 9 "-" "-" 82098 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:44:48 +0000] "GET /plugins/com.mattermost.apps/api/v1/bindings?user_id=qt7zbkei3bdppgxna1x7byb6do&channel_id=fgftqoabwife9dch5j5ngshcha&team_id=okaw5md83f8i7dff8suxfdyd8c&user_agent=mobile HTTP/2.0" 403 9 "-" "-" 82099 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:44:48 +0000] "POST /api/v4/channels/members/me/view HTTP/2.0" 403 9 "-" "-" 82100 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:44:48 +0000] "GET /api/v4/channels/fgftqoabwife9dch5j5ngshcha/stats HTTP/2.0" 403 9 "-" "-" 82101 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:13:44:48 +0000] "GET /api/v4/channels/fgftqoabwife9dch5j5ngshcha/timezones HTTP/2.0" 403 9 "-" "-" 82102 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:13:44:49 +0000] "GET /api/v4/emoji/name/%F0%9F%98%81 HTTP/2.0" 403 9 "-" "-" 82105 "mattermost-secure@docker" "-" 14ms
130.x.x.x - - [21/Jan/2023:13:44:50 +0000] "GET /api/v4/emoji/name/%F0%9F%98%B3 HTTP/2.0" 403 9 "-" "-" 82106 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:13:45:12 +0000] "POST /api/v4/users/status/ids HTTP/2.0" 403 9 "-" "-" 82108 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:45:21 +0000] "GET /api/v4/users/me/sessions HTTP/2.0" 403 9 "-" "-" 82110 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:45:52 +0000] "GET /api/v4/websocket HTTP/1.1" 403 9 "-" "-" 82113 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:45:52 +0000] "GET /api/v4/emoji/name/%F0%9F%98%81 HTTP/2.0" 403 9 "-" "-" 82114 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:13:45:52 +0000] "GET /api/v4/emoji/name/%F0%9F%98%B3 HTTP/2.0" 403 9 "-" "-" 82115 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:46:12 +0000] "POST /api/v4/users/status/ids HTTP/2.0" 403 9 "-" "-" 82117 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:46:21 +0000] "GET /api/v4/users/me/sessions HTTP/2.0" 403 9 "-" "-" 82119 "mattermost-secure@docker" "-" 14ms
130.x.x.x - - [21/Jan/2023:13:46:25 +0000] "PUT /api/v4/users/qt7zbkei3bdppgxna1x7byb6do/preferences HTTP/2.0" 403 9 "-" "-" 82120 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:13:46:25 +0000] "POST /api/v4/channels/members/me/view HTTP/2.0" 403 9 "-" "-" 82121 "mattermost-secure@docker" "-" 19ms
130.x.x.x - - [21/Jan/2023:13:46:25 +0000] "POST /api/v4/channels/members/me/view HTTP/2.0" 403 9 "-" "-" 82123 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:46:25 +0000] "PUT /api/v4/users/qt7zbkei3bdppgxna1x7byb6do/preferences HTTP/2.0" 403 9 "-" "-" 82122 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:50:01 +0000] "GET /api/v4/emoji/name/%F0%9F%98%81 HTTP/2.0" 403 9 "-" "-" 82146 "mattermost-secure@docker" "-" 27ms
130.x.x.x - - [21/Jan/2023:13:50:01 +0000] "GET /api/v4/emoji/name/%F0%9F%98%B3 HTTP/2.0" 403 9 "-" "-" 82147 "mattermost-secure@docker" "-" 28ms
130.x.x.x - - [21/Jan/2023:13:50:06 +0000] "GET /api/v4/channels/xkwyfcw5q7gszbts5nui664bkw/posts?since=1674303372158&collapsedThreads=false&collapsedThreadsExtended=false HTTP/2.0" 403 9 "-" "-" 82148 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:50:06 +0000] "POST /api/v4/channels/members/me/view HTTP/2.0" 403 9 "-" "-" 82149 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:50:06 +0000] "GET /api/v4/channels/xkwyfcw5q7gszbts5nui664bkw/stats HTTP/2.0" 403 9 "-" "-" 82151 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:50:06 +0000] "PUT /api/v4/users/qt7zbkei3bdppgxna1x7byb6do/preferences HTTP/2.0" 403 9 "-" "-" 82150 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:13:50:06 +0000] "GET /api/v4/channels/xkwyfcw5q7gszbts5nui664bkw/timezones HTTP/2.0" 403 9 "-" "-" 82152 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:13:50:07 +0000] "GET /api/v4/emoji/name/%F0%9F%98%82 HTTP/2.0" 403 9 "-" "-" 82153 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:13:50:07 +0000] "GET /api/v4/emoji/name/%F0%9F%91%8D HTTP/2.0" 403 9 "-" "-" 82154 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:13:50:35 +0000] "GET /api/v4/websocket HTTP/1.1" 403 9 "-" "-" 82157 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:50:40 +0000] "GET /api/v4/websocket HTTP/1.1" 403 9 "-" "-" 82158 "mattermost-secure@docker" "-" 14ms
130.x.x.x - - [21/Jan/2023:13:50:45 +0000] "GET /api/v4/websocket HTTP/1.1" 403 9 "-" "-" 82159 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:50:51 +0000] "GET /api/v4/websocket HTTP/1.1" 403 9 "-" "-" 82162 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:13:50:59 +0000] "GET /api/v4/websocket HTTP/1.1" 403 9 "-" "-" 82163 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:51:06 +0000] "GET /api/v4/websocket HTTP/1.1" 403 9 "-" "-" 82164 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:13:51:07 +0000] "POST /api/v4/posts HTTP/2.0" 403 9 "-" "-" 82165 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:13:51:07 +0000] "GET /api/v4/emoji/name/%F0%9F%98%82 HTTP/2.0" 403 9 "-" "-" 82166 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:13:51:12 +0000] "GET /api/v4/users/me/sessions HTTP/2.0" 403 9 "-" "-" 82167 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83465 "mattermost-secure@docker" "-" 13ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83464 "mattermost-secure@docker" "-" 15ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET / HTTP/2.0" 403 9 "-" "-" 83466 "mattermost-secure@docker" "-" 15ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83467 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83468 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83469 "mattermost-secure@docker" "-" 13ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83470 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83471 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83472 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83473 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83474 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83476 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83475 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83477 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83478 "mattermost-secure@docker" "-" 13ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83479 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83480 "mattermost-secure@docker" "-" 10ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83481 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83482 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83483 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83484 "mattermost-secure@docker" "-" 8ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83486 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83485 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83488 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83487 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83489 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83490 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83491 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83492 "mattermost-secure@docker" "-" 11ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/config/client?format=old HTTP/2.0" 403 9 "-" "-" 83494 "mattermost-secure@docker" "-" 8ms
130.x.x.x - - [21/Jan/2023:15:57:21 +0000] "GET /api/v4/plugins/webapp HTTP/2.0" 403 9 "-" "-" 83493 "mattermost-secure@docker" "-" 12ms
130.x.x.x - - [21/Jan/2023:15:57:31 +0000] "GET / HTTP/2.0" 403 9 "-" "-" 83495 "mattermost-secure@docker" "-" 9ms
130.x.x.x - - [21/Jan/2023:16:06:25 +0000] "GET /static/remote_entry.js?bt=1674243206021 HTTP/2.0" 200 8403 "-" "-" 104 "mattermost-secure@docker" "http://192.168.48.8:8065" 2ms
130.x.x.x - - [21/Jan/2023:16:06:27 +0000] "GET /static/files/code_themes/170be9f6403a22cef635144efcae4d89.css HTTP/2.0" 200 790 "-" "-" 166 "mattermost-secure@docker" "http://192.168.48.8:8065" 0ms
130.x.x.x - - [21/Jan/2023:16:06:27 +0000] "GET /api/v4/trial-license/prev HTTP/2.0" 403 202 "-" "-" 203 "mattermost-secure@docker" "http://192.168.48.8:8065" 1ms
130.x.x.x - - [21/Jan/2023:16:06:36 +0000] "GET /static/files/code_themes/170be9f6403a22cef635144efcae4d89.css HTTP/2.0" 200 790 "-" "-" 279 "mattermost-secure@docker" "http://192.168.48.8:8065" 0ms
130.x.x.x - - [21/Jan/2023:16:06:37 +0000] "GET /api/v4/trial-license/prev HTTP/2.0" 403 202 "-" "-" 299 "mattermost-secure@docker" "http://192.168.48.8:8065" 1ms
9

Thanks,

for the 404s, it boils down to the Boards plugin mainly and to some notification-related requests, but the gross amount comes from the boards plugin.

Do you actively use Mattermost Boards (aka the Focalboard plugin)? Getting 404s here looks like the plugin might have been disabled but the clients still have preferences set to connect to some of the boards.

With regards to these requests, they’re simply wrong and are missing the teamID:

130.x.x.x - - [20/Jan/2023:08:35:33 +0000] "GET /api/v4/system/notices/?client=desktop&clientVersion=5.2.2 HTTP/2.0" 404 260 "-" "-" 1113 "mattermost-secure@docker" "http://192.168.48.8:8065" 12ms
130.x.x.x - - [20/Jan/2023:20:20:06 +0000] "GET /api/v4/system/notices/?client=desktop&clientVersion=5.2.2 HTTP/2.0" 404 260 "-" "-" 31909 "mattermost-secure@docker" "http://192.168.48.8:8065" 11ms
130.x.x.x - - [21/Jan/2023:06:58:49 +0000] "GET /api/v4/system/notices/?client=desktop&clientVersion=5.2.2 HTTP/2.0" 404 260 "-" "-" 63201 "mattermost-secure@docker" "http://192.168.48.8:8065" 9ms
130.x.x.x - - [21/Jan/2023:09:32:19 +0000] "GET /api/v4/system/notices/?client=desktop&clientVersion=5.2.2 HTTP/2.0" 404 260 "-" "-" 64720 "mattermost-secure@docker" "http://192.168.48.8:8065" 12ms

see Mattermost API Reference

And I cannot find a related API call for:

130.x.x.x - - [21/Jan/2023:16:08:55 +0000] "POST /api/v4/notifications/ack HTTP/2.0" 200 15 "-" "-" 404 "mattermost-secure@docker" "http://192.168.48.8:8065" 102ms

With regards to the 403s, there are also publicly available URLs in there that your server responsde with 403 to, f.ex. /api/v4/config/client?format=old. This is a URL that is publicly available on every Mattermost installation, you can check that on the Community server f.ex.:

https://community.mattermost.com/api/v4/config/client?format=old

So whatever blocks this request, it’s not Mattermost - maybe anything else on your infrastructure that blocks it or a result of an already existing block then?

10

I indeed have disabled the boards plugin as I don´t use it. Would reenabling it solve the issue?

11

Uhm I tried reinstalling and reenabling the Boards Plugin but I just get
Facalboard

12

But even with a disabled Boards Plugin the Option to go to boards is still available in the desktop client, but going there produces an error.

13

Is the environment variable MM_FEATUREFLAGS_BoardsProduct set to false?

14

cc @agnivade not sure if there is a bug where BoardsProduct feature flags somehow gets enabled?

15

Well, it would get rid of the 404s because the plugin is back online then, but if you do not want to use it, I think we should find a better way to get rid of it. It seems as if the desktop apps cache the information that the boards plugin was there and try to refresh views that they can’t refresh anymore. I’m not sure how to tell the desktop client to ignore the plugin, to be honest, I’d have to ask around, will take some time.

16

Setting the feature flag seems to have turned off the boards plugin now. When I have time I will check wether the 404s have gone away.

17

@amy.blais That feature flag is on-by-default in 7.7, so they’d explicitly have to set it to be false to disable Boards

18

@hmhealey It was disabled for v7.7 mattermost-server/feature_flags.go at release-7.7 · mattermost/mattermost-server · GitHub.

19

Oh, I missed that we ended up reverting that. Sorry about that.

@Twilek When you get a chance, could you send us a screenshot of the About Mattermost modal so that we can confirm the version that this is affecting? It’s accessed from the Channels dropdown in the top left of the app, and it’s got some commit hashes at the bottom that’ll let us check exactly what version of the code that you’re running

20

Screenshot 2023-01-24 182158
Screenshot 2023-01-24 182158579×530 28.3 KB

Is that what you need to know?