Matrix Synapse genuine traffic banned #1546
Description
I utilise Element (web and app) for me and some friends. They get banned for either http probing or http crawl non statics when just using the app. I have been getting round the issue with whitelisting their public IPs but this isn't a great long term solution. Could someone point me in right direction how to resolve? I have amended and removed IPs, domains etc.
Example http_probing alert:
/ # cscli alert inspect 7661
################################################################################################
- ID : 7661
- Date : 2025-10-21T19:38:10Z
- Machine : localhost
- Simulation : false
- Remediation : true
- Reason : crowdsecurity/http-probing
- Events Count : 12
- Scope:Value : Ip:
- Country :
- AS :
- Begin : 2025-10-21T19:37:57Z
- End : 2025-10-21T19:38:09Z
- UUID :
╭───────────────────────────────────────────────────────────────────────────╮
│ Active Decisions │
├──────────┬───────────────────┬────────┬────────────┬──────────────────────┤
│ ID │ scope:value │ action │ expiration │ created_at │
├──────────┼───────────────────┼────────┼────────────┼──────────────────────┤
│ 83320323 │ Ip:address │ ban │ 3h58m18s │ 2025-10-21T19:38:10Z │
╰──────────┴───────────────────┴────────┴────────────┴──────────────────────╯
- Context :
╭────────────┬──────────────────────────────────────────────────────────────╮
│ Key │ Value │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method │ GET │
│ status │ 404 │
│ target_uri │ /_matrix/client/unstable/org.matrix.msc2965/auth_metadata │
│ target_uri │ /_matrix/client/unstable/org.matrix.msc2965/auth_issuer │
│ target_uri │ /_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_de │
│ │ vice │
│ target_uri │ /.well-known/matrix/client │
│ target_uri │ /_matrix/client/v3/profile/domain.com/us.cloke.m │
│ │ sc4175.tz │
│ target_uri │ /config.element.domain.com.json?cachebuster= │
│ target_uri │ /config.element.domain.com.json?cachebuster= │
│ target_uri │ /config.element.domain.com.json?cachebuster= │
│ target_uri │ /config.element.domain.com.json?cachebuster= │
│ target_uri │ /config.element.domain.com.json?cachebuster= │
│ target_uri │ /config.element.domain.com.json?cachebuster=
Any help would be greatly appreciated. I don't unfortunately have logs for the http crawl non statics but can get if the http probing one can be fixed as this seems to be the one that always triggers.