Crowdsec does not monitor the network traffic directly but continuously reads the logs of different programs like apache or traefik and tries to spot suspicious behaviour. One such pattern is an IP getting multiple 404 or 403 errors in a short time (probably assuming that such a behaviour is normally seen with bots trying to find weak URLs in something like wordpress). This pattern (or scenario as crowdsec calls it) is triggered by the current 5.2.2 desktop client of mattermost and leads to 4h bans of the IP by crowdsec.
Hey laurence from Crowdsec support
I read through this thread and am interested in helping. If you have an alert you can run cscli alerts list
find the alert ID and then run cscli alerts inspect -d ID
which will inform you what lines were poured to the bucket.
With this information we can create a whitelist to prevent such things from happening again as clearly these are false positives
Looking forward to resolving this
Ah, ok. That won't work for me. I think I will revive the case I had with the Crowdsec folks to see what they recommend.
Hi Laurence and many thanks for jumping in here!
Hope to see this getting resolved for the users - I'm also in touch with the developers to fix the 404s here, but it would be very good to know what the default triggers are and how Mattermost could avoid hitting them in the future.
Thanks a lot for chipping in Laurence, right now I have two entries in my list, both US based which I think are "good" alerts because all my users are based in Germany.
```
sudo cscli alerts list
╭──────┬───────────────────┬───────────────────────────────────┬─────────┬───────────────────────────────────────┬───────────┬─────────────────────────────────────────╮
│  ID  │ value             │ reason                            │ country │ as                                    │ decisions │ created_at                              │
├──────┼───────────────────┼───────────────────────────────────┼─────────┼───────────────────────────────────────┼───────────┼─────────────────────────────────────────┤
│ 5191 │ Ip:167.248.133.60 │ crowdsecurity/http-bad-user-agent │ US      │ 209 Qwest Communications Company, LLC │ ban:1     │ 2023-01-26 23:22:27.270542082 +0000 UTC │
│ 5146 │ Ip:167.94.138.117 │ crowdsecurity/http-bad-user-agent │ US      │                                       │ ban:1     │ 2023-01-23 06:54:31.467374265 +0000 UTC │
╰──────┴───────────────────┴───────────────────────────────────┴─────────┴───────────────────────────────────────┴───────────┴─────────────────────────────────────────╯
```
senak at senak in ~
$ sudo cscli alerts inspect 5191
################################################################################################
- ID : 5191
- Date : 2023-01-26T23:22:27Z
- Machine : 0e3d250410884be59518cfc258721f09SOi3m6X3BxkJgxga
- Simulation : false
- Reason : crowdsecurity/http-bad-user-agent
- Events Count : 2
- Scope:Value: Ip:167.248.133.60
- Country : US
- AS : Qwest Communications Company, LLC
- Begin : 2023-01-26 23:22:27.270542082 +0000 UTC
- End : 2023-01-26 23:22:27.3226857 +0000 UTC
senak at senak in ~
$ sudo cscli alerts inspect 5146
################################################################################################
- ID : 5146
- Date : 2023-01-23T06:54:31Z
- Machine : 0e3d250410884be59518cfc258721f09SOi3m6X3BxkJgxga
- Simulation : false
- Reason : crowdsecurity/http-bad-user-agent
- Events Count : 2
- Scope:Value: Ip:167.94.138.117
- Country : US
- AS :
- Begin : 2023-01-23 06:54:31.467374265 +0000 UTC
- End : 2023-01-23 06:54:31.469600491 +0000 UTC
I think I will set up a script which will continuously check the cscli alerts and alert me as soon as an entry with country tag "DE" shows up.
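The polling idea in the last post, as an added example that is not part of the thread and not CrowdSec's own tooling: it reads `cscli alerts list -o json` (the `-o json` output flag exists in cscli; the exact key layout assumed below, in particular `source.cn` for the country and `scenario` for the triggered scenario, is an assumption and should be checked against your version's output), keeps the alert IDs it has already reported, and returns only new alerts whose source country is in the set you consider "home". The embedded sample alerts are constructed to mirror the two US entries shown above plus one made-up German hit (`203.0.113.7` is a documentation address).

```python
"""Watch CrowdSec alerts and surface the ones that are probably false positives.

Added example for this thread, not CrowdSec code. It assumes that
`cscli alerts list -o json` prints a JSON array of alerts shaped like
SAMPLE_ALERTS_JSON below (assumed layout; verify against your cscli version).
"""
import json
import subprocess
import time

# Constructed sample, shaped like the assumed `cscli alerts list -o json` output.
# IDs 5191/5146 mirror the thread's two US alerts; 5203 is an invented German hit.
SAMPLE_ALERTS_JSON = """[
  {"id": 5191, "scenario": "crowdsecurity/http-bad-user-agent", "events_count": 2,
   "created_at": "2023-01-26T23:22:27Z",
   "source": {"scope": "Ip", "value": "167.248.133.60", "cn": "US",
              "as_name": "Qwest Communications Company, LLC"}},
  {"id": 5146, "scenario": "crowdsecurity/http-bad-user-agent", "events_count": 2,
   "created_at": "2023-01-23T06:54:31Z",
   "source": {"scope": "Ip", "value": "167.94.138.117", "cn": "US", "as_name": ""}},
  {"id": 5203, "scenario": "crowdsecurity/http-probing", "events_count": 6,
   "created_at": "2023-01-27T08:10:02Z",
   "source": {"scope": "Ip", "value": "203.0.113.7", "cn": "DE", "as_name": "Example ISP"}}
]"""


def fetch_alerts(raw_json=None):
    """Return the list of alert dicts.

    With raw_json=None the function shells out to cscli (needs root or the
    cscli credentials); pass a JSON string to work offline, e.g. in a test.
    """
    if raw_json is None:
        raw_json = subprocess.run(
            ["cscli", "alerts", "list", "-o", "json"],
            capture_output=True, text=True, check=True,
        ).stdout
    alerts = json.loads(raw_json)
    # cscli prints `null` when there are no alerts; treat that as empty.
    return alerts or []


def home_country_alerts(alerts, home_countries=("DE",), seen_ids=frozenset()):
    """Alerts whose source country is in home_countries and that were not seen before.

    An alert against a client in your own user base is the one most likely to be
    a legitimate user tripping a scenario (as the Mattermost desktop client did
    in this thread), so it is the one worth looking at first.
    """
    hits = []
    for alert in alerts:
        if alert.get("id") in seen_ids:
            continue
        source = alert.get("source") or {}
        if source.get("cn") in home_countries:
            hits.append(alert)
    return hits


def describe(alert):
    """One-line summary used for the notification; the ID feeds `cscli alerts inspect -d`."""
    source = alert.get("source") or {}
    return (f"alert {alert.get('id')}: {alert.get('scenario')} from "
            f"{source.get('value')} ({source.get('cn')}) "
            f"events={alert.get('events_count')} at {alert.get('created_at')}")


def watch(home_countries=("DE",), interval_seconds=60, max_rounds=None):
    """Poll cscli and print each new home-country alert once; stop after max_rounds polls."""
    seen = set()
    rounds = 0
    while max_rounds is None or rounds < max_rounds:
        rounds += 1
        for alert in home_country_alerts(fetch_alerts(), home_countries, seen):
            seen.add(alert["id"])
            print(describe(alert))  # replace with your mail/chat notifier
        time.sleep(interval_seconds)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample instead of a live cscli call.
    for hit in home_country_alerts(fetch_alerts(SAMPLE_ALERTS_JSON)):
        print(describe(hit))
```

Run it as root (or with access to the cscli credentials) and swap the `print` in `watch` for whatever notification channel you use; the printed alert ID is the one to pass to `cscli alerts inspect -d` to see which log lines filled the bucket, which is exactly the information needed to decide on a whitelist.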