Closed
Labels
nethvoice: Bug or features related to the NethVoice project
verified: All test cases were verified successfully
Description
Some (wrong) API calls from the NethVoice wizard trigger alerts on CrowdSec that lead to an IP ban. There are three separate issues:
- 401 from login page
- 404 from user configuration page
- CTI user errors and failed attempts shouldn't ban the IP, because usually several users connect from the same IP and one user causing issues shouldn't disrupt a whole company's phone service
- Janus user errors and failed attempts shouldn't ban the IP, because usually several users connect from the same IP and one user causing issues shouldn't disrupt a whole company's phone service
1 - 401
Steps to reproduce
- open NethVoice wizard login page
- just idle there without attempting a login
- some requests are made to CTI that fail with 401:
- /webrest/users/endpoints/all
- /webrest/astproxy/extensions
- /webrest/astproxy/trunks
Expected behavior
- API calls shouldn't be made if the user isn't authenticated
Solution
Fix UI [edit] workaround on crowdsec
2 - 404
when configuring the wizard, a lot of 404s are seen by crowdsec as HTTP probes
Steps to reproduce
- on the NethVoice wizard open the configuration -> users page, then a user tab
- multiple 404 are returned for unconfigured devices:
- /freepbx/rest/webrtc/201
- /freepbx/rest/mobiles/foo1
- /freepbx/rest/nethlink/201
- /freepbx/rest/mobileapp/201
Expected behavior
unconfigured devices should be returned as 200 null
Solution
- Fix backend
- modify UI accordingly
3 and 4 - CTI and Janus
CTI and Janus user errors and failed attempts shouldn't ban the IP, because usually several users connect from the same IP and one user causing issues shouldn't disrupt a whole company's phone service
Steps to reproduce
here are some examples of failed authentication on CTI
- POST /webrest/authentication/login HTTP/2.0" 401
- GET /janus/
- TODO add more example here
Expected behavior
User errors shouldn't trigger a ban
Solution
- Exclude /webrest /janus /socket.io (...) from crowdsec
See also
https://mattermost.nethesis.it/nethesis/pl/o1j6tygsqbggdrfpyiuqfwikfo
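
The exclusion proposed for issues 3 and 4, sketched as a CrowdSec whitelist parser. This is an added example, not part of the original issue and not the configuration the project shipped; the parser name and the narrower variant are assumptions. Whitelisted events are dropped before any scenario sees them, so the listed paths get no CrowdSec brute-force or probing detection at all and login throttling for them has to live in the application.

```yaml
# Constructed example, not the NethVoice or NethServer configuration.
# CrowdSec loads whitelist parsers from the s02-enrich stage
# (parsers/s02-enrich/ under its configuration directory).
name: example/nethvoice-whitelist   # hypothetical parser name
description: "Do not count NethVoice CTI/Janus client errors toward an IP ban"

# Only consider events that an HTTP log parser has already enriched.
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"

whitelist:
  reason: "many NethVoice users share one public IP; one user's errors must not ban the site"
  # Expressions are ORed: an event matching any one of them is discarded
  # before the scenarios run, so it never fills a ban bucket.
  expression:
    # CTI REST API, e.g. POST /webrest/authentication/login -> 401
    - evt.Meta.http_path startsWith '/webrest/'
    # Janus gateway requests, e.g. GET /janus/
    - evt.Meta.http_path startsWith '/janus'
    # socket.io transport named in the issue's exclusion list
    - evt.Meta.http_path startsWith '/socket.io'

# Narrower variant (assumption, not proposed in the issue): whitelist only
# the 401 responses, so other anomalies on these paths are still evaluated.
#   expression:
#     - evt.Meta.http_status == '401' && evt.Meta.http_path startsWith '/webrest/'
#     - evt.Meta.http_status == '401' && evt.Meta.http_path startsWith '/janus'
```

`cscli explain` with a sample access-log line and the matching log type shows whether the event is discarded by the whitelist or still reaches the scenarios.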
Status
Done