OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: colotroy on September 22, 2024, 06:32:29 AM

Title: Crowdsec decided today to start blocking my cell phone??
Post by: colotroy on September 22, 2024, 06:32:29 AM
This afternoon when my phone would connect to my WIFI it would get the "connected without internet" message. After some debugging it couldn't get to the gateway. I could ping the phone from any server and ping any server on my local network, but not the gateway. Other devices on the same WIFI Access Point could ping the gateway and get to the internet just fine.

I finally rebooted the OPNSense router and the pings started working from the phone seconds after the reboot started, then would stop during the actual reboot, and pings would work after the reboot for about a minute then stop again. Ok, something on the router was blocking, so I got in on the console, and when I enter reboot one of the first services to stop is crowdsec, and when it stopped the pings started to work. Same on boot up: one of the last services to start is crowdsec, and a couple of seconds later the pings on my phone stopped working.

Ok, I got into crowdsec and clicked off the Enable Remediation Component (IPS) setting and my phone works now. If I check it, my phone is blocked in a few seconds.

My question is, why would that block my phone, and is there a log I can see to find what's up?? I can't find one.

Thanks!

Current crowdsec settings in attachment.
Title: Re: Crowdsec decided today to start blocking my cell phone??
Post by: colotroy on September 22, 2024, 06:40:10 AM
Ok, I figured out how to turn on the verbose logging and see it in the firewall logs, but I'm still not sure what's triggering crowdsec to block my phone all of a sudden. How do I track this down? The problem is once crowdsec blocks it, it blocks EVERYTHING from my phone. I can't tell what the trigger for this is.
Title: Re: Crowdsec decided today to start blocking my cell phone??
Post by: colotroy on September 22, 2024, 07:08:57 AM
Ok, I figured it out. There was a "firewallservices/pf-scan-multi_ports" Reason in crowdsec that made a decision to ban my phone. I think this was from a unifi tool I use to scan the network to identify devices on the network. I figured out that I can remove that decision and all is right with the world with my phone with the crowdsec setting Enable Remediation Component (IPS) on.

Learned a lot...
Title: Re: Crowdsec decided today to start blocking my cell phone??
Post by: Patrick M. Hausen on September 22, 2024, 11:11:37 AM
Did you disable the default whitelist for private IP addresses? Or are you using public addresses for your WiFi?

https://docs.crowdsec.net/u/getting_started/next_steps
Title: Re: Crowdsec decided today to start blocking my cell phone??
Post by: Baender on September 22, 2024, 09:09:35 PM
It happened to me once, too. I used Vernet for Android pretty much in the past and the whitelist AddOn for crowdsec was not enabled. It resulted in an immediate ban. Fixed it by using the whitelisting.

Anyway, does it make sense to ban local IPs? Like when you have a security issue and a bad guy starts a port scan from one of your infiltrated hosts?
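To illustrate why the phone's network-discovery sweep produced a "pf-scan-multi_ports" decision and why the private-IP whitelist Patrick mentions suppresses it, here is an added example (not CrowdSec's code, and not from any post in this thread). It models the scenario as a sliding-window count of distinct destination ports per source; the threshold, window and block events are constructed assumptions, not CrowdSec's real parameters.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: standard RFC 1918 ranges, mirroring the intent of CrowdSec's
# default private-IP whitelist (the real list also covers loopback/IPv6).
PRIVATE_RANGES = [ipaddress.ip_network(c)
                  for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed scenario parameters (NOT the real pf-scan-multi_ports values).
DISTINCT_PORTS_TO_TRIGGER = 10
WINDOW = timedelta(seconds=10)

T0 = datetime(2024, 9, 22, 6, 30, 0)


def build_events():
    """Constructed block events as (timestamp, src_ip, dst_port) tuples."""
    ev = []
    for i in range(12):   # LAN phone: discovery sweep, 12 ports in 1.1 s
        ev.append((T0 + timedelta(milliseconds=100 * i), "192.168.1.50", 1 + i))
    for i in range(12):   # Internet source (TEST-NET-3): same fast sweep
        ev.append((T0 + timedelta(milliseconds=100 * i), "203.0.113.7", 20 + i))
    for i in range(12):   # slow sweep, one port per 5 s: never 10 in a window
        ev.append((T0 + timedelta(seconds=5 * i), "198.51.100.9", 40 + i))
    return sorted(ev)


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def scan_decisions(events, whitelist_private=True):
    """Return {src_ip: trigger_time} for sources hitting >= N distinct
    destination ports within WINDOW. Whitelisted sources are dropped before
    the bucket is fed, which is what the parser-stage whitelist does."""
    recent = defaultdict(deque)          # src -> deque of (ts, port)
    decisions = {}
    for ts, src, port in events:
        if src in decisions or (whitelist_private and is_whitelisted(src)):
            continue
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > WINDOW:  # expire events outside the window
            q.popleft()
        if len({p for _, p in q}) >= DISTINCT_PORTS_TO_TRIGGER:
            decisions[src] = ts              # ban decision would be emitted here
    return decisions


if __name__ == "__main__":
    print("whitelist on :", sorted(scan_decisions(build_events())))
    print("whitelist off:", sorted(scan_decisions(build_events(), False)))
```

With the whitelist enabled only the Internet source is banned; with it disabled the phone is banned as well, while the slow sweep never crosses the threshold in either case.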