can't make friends with haproxy #978

Closed
glebkhil opened this issue Sep 17, 2021 · 10 comments
Labels
kind/bug Something isn't working

Comments

@glebkhil

Installed haproxy, installed crowdsec, installed a parser for haproxy, but nothing wants to work. Where am I doing something wrong?

@glebkhil glebkhil added the kind/bug Something isn't working label Sep 17, 2021
@AlteredCoder
Contributor

Hello @glebkhil,

Can you give us more info please?

  • Your crowdsec version
  • What did you do?
  • What doesn't work, and why do you think it doesn't work?

@glebkhil
Author

Hello

  1. Version 1.2
  2. Installed the haproxy collection, base-http-scenarios, and cs-firewall-bouncer (nftables mode); changed haproxy.conf following the recommendations in the haproxy file pattern
  3. I tried to DDoS with a stresser, but not one IP address has been blocked

@AlteredCoder
Contributor

AlteredCoder commented Sep 20, 2021

Did you configure your /etc/crowdsec/acquis.yaml file to read logs from haproxy?
If yes, can you paste the output of cscli metrics please?

@glebkhil
Author

glebkhil commented Sep 20, 2021

root@1stfront:~# cscli metrics
INFO[20-09-2021 02:32:22 PM] Buckets Metrics:
+--------------------------------------+---------------+-----------+--------------+--------+---------+
|                BUCKET                | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-crawl-non_statics |             8 | -         |          742 |    742 |     734 |
| crowdsecurity/http-probing           |             2 | -         |           31 |     36 |      29 |
| crowdsecurity/ssh-bf                 | -             | -         |            2 |     11 |       2 |
| crowdsecurity/ssh-bf_user-enum       | -             | -         |            3 |      6 |       3 |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[20-09-2021 02:32:22 PM] Acquisition Metrics:
+---------------------------+------------+--------------+----------------+------------------------+
|          SOURCE           | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+---------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/auth.log    |         38 |           11 |             27 |                     17 |
| file:/var/log/haproxy.log |      19561 |        11594 |           7965 |                    778 |
| file:/var/log/syslog      |      17433 | -            |          17431 | -                      |
+---------------------------+------------+--------------+----------------+------------------------+
INFO[20-09-2021 02:32:22 PM] Parser Metrics:
+--------------------------------+-------+--------+----------+
|            PARSERS             | HITS  | PARSED | UNPARSED |
+--------------------------------+-------+--------+----------+
| child-crowdsecurity/http-logs  | 34782 |  11594 |    23186 |
| child-crowdsecurity/sshd-logs  |    91 |     11 |       80 |
| crowdsecurity/dateparse-enrich | 11605 |  11605 | -        |
| crowdsecurity/geoip-enrich     | 11605 |  11605 | -        |
| crowdsecurity/haproxy-logs     | 19561 |  11594 |     7965 |
| crowdsecurity/http-logs        | 11594 | -      |    11593 |
| crowdsecurity/sshd-logs        |    21 |     11 |       10 |
| crowdsecurity/syslog-logs      | 37032 |  37032 | -        |
| crowdsecurity/whitelists       | 11605 |  11605 | -        |
+--------------------------------+-------+--------+----------+

INFO[20-09-2021 02:32:22 PM] Local Api Metrics:
+----------------------+--------+--------+
|        ROUTE         | METHOD |  HITS  |
+----------------------+--------+--------+
| /v1/decisions        | GET    | 107340 |
| /v1/decisions/stream | GET    |     18 |
| /v1/watchers/login   | POST   |      2 |
+----------------------+--------+--------+
INFO[20-09-2021 02:32:22 PM] Local Api Bouncers Metrics:
+----------------------------+----------------------+--------+-------+
|          BOUNCER           |        ROUTE         | METHOD | HITS  |
+----------------------------+----------------------+--------+-------+
| FirewallBouncer-1631870100 | /v1/decisions/stream | GET    |    17 |
| cs_bouncer.lua             | /v1/decisions        | GET    | 66273 |
+----------------------------+----------------------+--------+-------+
INFO[20-09-2021 02:32:22 PM] Local Api Bouncers Decisions:
+----------------+---------------+-------------------+
|    BOUNCER     | EMPTY ANSWERS | NON-EMPTY ANSWERS |
+----------------+---------------+-------------------+
| cs_bouncer.lua |         63547 |                 0

@AlteredCoder
Contributor

Furthermore, we currently don't have a dedicated scenario in the Hub to protect against DDoS (users should make them for the moment, but we can help). Also, the firewall-bouncer will only let you block IP addresses (and not a country or AS).

@AlteredCoder
Contributor

From what I see in your cscli metrics, everything seems to work well. The problem is that you don't have any scenario that can detect a DDoS.

How distributed is your DDoS stresser?

Here is an article on how we mitigate a distributed DDoS with crowdsec and the cloudflare bouncer: https://crowdsec.net/how-to-beat-application-ddos/
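The reply above says the metrics look healthy and the missing piece is a scenario that turns a burst of haproxy requests into a decision. The following scenario file is an added example, not part of this thread or of the crowdsec Hub: it is a hypothetical leaky-bucket scenario that counts HTTP access-log events per source IP (the `evt.Meta.log_type` and `evt.Meta.source_ip` fields are the ones the `crowdsecurity/http-logs` parser populates). The scenario name, the bucket capacity of 100, the 1s leak speed and the 5m blackhole are assumed values chosen for illustration and must be tuned to the traffic the site normally sees; a capacity that is too low will ban legitimate clients behind a shared NAT.

```yaml
# Added example, not a Hub scenario: per-IP request-rate bucket for haproxy access logs.
# File would live under /etc/crowdsec/scenarios/ (path assumed); restart crowdsec to load it.
type: leaky
name: example/http-request-flood         # hypothetical name, not a Hub scenario
description: "Flag a single IP sending an abnormally high rate of HTTP requests"
# Only consider events that the http-logs parser classified as access-log lines.
filter: "evt.Meta.log_type == 'http_access-log'"
# One bucket per client IP, so each source is rated on its own.
groupby: evt.Meta.source_ip
# The bucket holds 100 events and leaks one per second: roughly 100 req/s sustained
# from one IP overflows it. Both values are assumptions to tune per site.
capacity: 100
leakspeed: "1s"
# After an overflow, stay silent for this IP for 5 minutes instead of re-alerting
# on every following request (assumed value).
blackhole: 5m
labels:
  service: http
  type: ddos
  # remediation: true makes the overflow produce a decision the bouncers can enforce.
  remediation: true
```

Once loaded, the scenario appears in `cscli scenarios list`, and each overflow shows up in the OVERFLOWS column of the Buckets Metrics table that `cscli metrics` prints, next to the `crowdsecurity/http-crawl-non_statics` row pasted earlier in this thread. Because the firewall bouncer only acts on IP decisions, a flood spread across many addresses will need either a lower per-IP threshold or the Cloudflare-based approach from the linked article.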

@glebkhil
Author

Thanks, I will experiment. I want to bump up the server on your service, which will cover the entire network. I recently installed it and started to understand it; your application will run into a lot.

@AlteredCoder
Contributor

Ok @glebkhil

Don't hesitate to reach us on Gitter if you need any help :)

@glebkhil
Author

Thanks again. But most of your users expect protection from DDoS. Probably this scenario should have been done first.

@buixor
Contributor

buixor commented Oct 8, 2021

crowdsecurity/hub#260

@buixor buixor closed this as completed Oct 8, 2021