Crowdsec ban NethVoice wizard and janus

[Stell0]

Some (wrong) api calls from NethVoice wizard triggers alerts on crowdsec that lead to an ip ban. There are three separate issue:

1. 401 from login page
2. 404 from user configuration page
3. CTI user errors and failed attempt shouldn't ban the IP because usually more users connect from same IP and an user causing issue shouldn't disrupt a whole company phone service
4. Janus user errors and failed attempt shouldn't ban the IP because usually more users connect from same IP and an user causing issue shouldn't disrupt a whole company phone service

1 - 401

Steps to reproduce

• open NethVoice wizard login page
• just idle there without attemptin login
• some request are made to CTI that fails with 401:
  • /webrest/users/endpoints/all
  • /webrest/astproxy/extensions
  • /webrest/astproxy/trunks

Expected behavior

• API calls shouldn't be made if the user isn't authenticated

Solution

• Fix UI [edit] workaround on crowdsec

2 - 404

when configuring wizard, a lot of 404 are seen by crowdsec as http probe

Steps to reproduce

• on nethvoice wizard open configuration-> users page then a user tab
• multiple 404 are returned for unconfigured devices:
  • /freepbx/rest/webrtc/201
  • /freepbx/rest/mobiles/foo1
  • /freepbx/rest/nethlink/201
  • /freepbx/rest/mobileapp/201

Expected behavior

unconfigured device should be returned as 200 null

Solution

• Fix backend
• mdify UI accordingly

3 and 4 - CTI and Janus

CTI and Janus user errors and failed attempt shouldn't ban the IP because usually more users connect from same IP and an user causing issue shouldn't disrupt a whole company phone service

Steps to reproduce

here some example of failed authentication on CTI

• POST /webrest/authentication/login HTTP/2.0" 401
• GET /janus/
• TODO add more example here

Expected behavior

Users error shouldn't trigger ban

Solution

• Exclude /webrest /janus /socket.io (...) from crowdsec

See also

https://mattermost.nethesis.it/nethesis/pl/o1j6tygsqbggdrfpyiuqfwikfo

[stephdl]

point 4 workaround, whitelist the IP of the head office

[stephdl]

for any points we needs complete log traces to try to whitelist

[Stell0]

Test case:

version to test : ghcr.io/nethserver/crowdsec:1.0.13-dev.1

• Install nethvoice + crowdsec on NS8

1. Idle on nethvoice wizard login page and verify that you're not banned

• Open and close user's device tabs on user's configuration page on a user without configured devices. Verify that you aren't banned
• Make sure that devices (web phone, webrtc phone, mobile app, mobile) works as expected

3. Fail to authenticate on cti multiple times and verify you aren't banned
4. play around on cti interface trying to do illicit stuff and make sure you aren't banned
5. try to be banned with a simple jail like ssh
6. verify user devices switches on nethvoice wizard wirks as intended