Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Crowdsec decided today to start blocking my cell phone??
« previous
next »
Print
Pages: [
1
]
Author
Topic: Crowdsec decided today to start blocking my cell phone?? (Read 779 times)
colotroy
Newbie
Posts: 6
Karma: 0
Crowdsec decided today to start blocking my cell phone??
«
on:
September 22, 2024, 06:32:29 am »
This afternoon when my phone would connect to my WIFI it would be the connected without internet message. After some debugging it couldn't get to the gateway. I could ping the phone from any server and ping any server on my local network, but not the gateway. Other devices on the same WIFI Access Point could ping the gateway and get to the internet just fine.
I finally rebooted the OPNSense router and the pings started working from the phone seconds after the reboot started, then would stop during the actual reboot and pings would work after the reboot for about a minute then stop again. Ok, something on the router was blocking so I got in on the console and when I enter reboot one of the first services to stop is crowdsec, and when it stopped the pings started to work. Same on boot up, one of the last services to start is crowdsec on a couple seconds later the pings on my phone stopped working.
Ok, I got into crowdsec and clicked off the Enable Remediation Component (IPS) setting and my phone works now. If I check it my phone is blocked in a few seconds.
My question is, why would that block my phone and is there a log I can see to find what's up?? I can't find one.
Thanks!
Current crowdsec settings in attachment.
Logged
colotroy
Newbie
Posts: 6
Karma: 0
Re: Crowdsec decided today to start blocking my cell phone??
«
Reply #1 on:
September 22, 2024, 06:40:10 am »
Ok, I figured out how to turn on the verbose logging and see it in the firewall logs but I'm still not sure what's triggering crowdsec to block my phone all of a sudden. How do I track this down? The problem is once crowdsec blocks it, it blocks EVERYTHING from my phone. I can't tell what the trigger for this is.
«
Last Edit: September 22, 2024, 06:52:57 am by colotroy
»
Logged
colotroy
Newbie
Posts: 6
Karma: 0
Re: Crowdsec decided today to start blocking my cell phone??
«
Reply #2 on:
September 22, 2024, 07:08:57 am »
Ok, I figured it out. There was a "firewallservices/pf-scan-multi_ports" Reason in crowdsec that made a decision to ban my phone. I think this was from a unifi tool I use to scan the network to identify devices on the network. I figured out that I can remove that decision and all is right with the world with my phone with the crowdsec setting Enable Remediation Component (IPS) on.
Learned a lot...
Logged
Patrick M. Hausen
Hero Member
Posts: 6807
Karma: 572
Re: Crowdsec decided today to start blocking my cell phone??
«
Reply #3 on:
September 22, 2024, 11:11:37 am »
Did you disable the default whitelist for private IP addresses? Or are you using public addresses for your WiFi?
https://docs.crowdsec.net/u/getting_started/next_steps
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Baender
Full Member
Posts: 107
Karma: 4
Re: Crowdsec decided today to start blocking my cell phone??
«
Reply #4 on:
September 22, 2024, 09:09:35 pm »
It happened to me once, too. I used Vernet for Android pretty much in the past and the whitelist AddOn for crowdsec was not enabled. It resulted in an immediate ban. Fixed it by using the whitelisting.
Anyway, does it make sence, to ban local IPs? Like when you have a security issue and a bad guy starts a port scan from one of your infiltrated hosts?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Crowdsec decided today to start blocking my cell phone??