Alerts, rules applied but "no active decisions"

Hi,

I install Crowdsec on every server I put in production and everything is generally fine. But on a Proxmox host I have some issues with decisions.

I installed the nftables bouncer, and when I list the ruleset:

   223.244.25.69 timeout 6d22h33m25s352ms expires 6d22h23m40s716ms, 223.244.27.97 timeout 5d15h33m25s352ms expires 5d15h23m40s708ms,
                             223.244.89.57 timeout 5d17h33m27s352ms expires 5d17h23m42s728ms, 223.244.253.16 timeout 6d13h33m25s348ms expires 6d13h23m40s692ms,
                             223.247.33.150 timeout 6d19h33m25s348ms expires 6d19h23m40s692ms, 223.247.96.150 timeout 5d17h33m27s352ms expires 5d17h23m42s712ms,
                             223.247.134.165 timeout 6d21h33m25s348ms expires 6d21h23m40s688ms, 223.247.145.226 timeout 6d19h33m25s348ms expires 6d19h23m40s692ms,
                             223.247.150.123 timeout 6d19h33m25s348ms expires 6d19h23m40s704ms, 223.247.179.157 timeout 6d33m25s344ms expires 6d23m40s724ms,
                             223.247.188.6 timeout 6d21h33m25s348ms expires 6d21h23m40s700ms, 223.247.207.189 timeout 6d21h33m25s348ms expires 6d21h23m40s712ms,
                             223.247.213.152 timeout 6d17h33m25s348ms expires 6d17h23m40s720ms, 223.247.218.112 timeout 6d17h33m25s348ms expires 6d17h23m40s700ms 

So, rules seem to be applied (but they look like a pregenerated IP list).

If I check LAPI status:

INFO[2024-04-29T09:05:21+02:00] Loaded credentials from /etc/crowdsec/local_api_credentials.yaml
INFO[2024-04-29T09:05:21+02:00] Trying to authenticate with username 5fe7d4621cc342c1a1b060b5f6a03dcaunIM9NIg6lurd82Y on http://127.0.0.1:8080/
INFO[2024-04-29T09:05:21+02:00] You can successfully interact with Local API (LAPI)

So, I can deduce that the API seems to work.

Now, the strange thing:

cscli alerts list
╭────┬────────────────────┬───────────────────────────┬─────────┬─────────────────────────────────────────────┬───────────┬─────────────────────────────────────────╮
│ ID │       value        │          reason           │ country │                     as                      │ decisions │               created_at                │
├────┼────────────────────┼───────────────────────────┼─────────┼─────────────────────────────────────────────┼───────────┼─────────────────────────────────────────┤
│ 71 │ Ip:93.121.195.234  │ crowdsecurity/ssh-bf      │ GP      │ 21351 Canal + Telecom SAS                   │ ban:1     │ 2024-04-29 01:05:14.744603776 +0000 UTC │
│ 70 │ Ip:93.121.195.234  │ crowdsecurity/ssh-slow-bf │ GP      │ 21351 Canal + Telecom SAS                   │ ban:1     │ 2024-04-29 01:05:14.744563133 +0000 UTC │
│ 68 │ Ip:5.188.3.242     │ crowdsecurity/ssh-slow-bf │ RU      │ 210756 EdgeCenter LLC                       │ ban:1     │ 2024-04-28 22:06:52.24268983 +0000 UTC  │
│ 63 │ Ip:170.64.184.228  │ crowdsecurity/ssh-bf      │ AU      │ 14061 DIGITALOCEAN-ASN                      │ ban:1     │ 2024-04-28 16:22:26.243222669 +0000 UTC │
│ 60 │ Ip:165.227.121.55  │ crowdsecurity/ssh-bf      │ US      │ 14061 DIGITALOCEAN-ASN                      │ ban:1     │ 2024-04-28 11:35:40.744495503 +0000 UTC │
│ 55 │ Ip:103.91.64.25    │ crowdsecurity/ssh-slow-bf │ MY      │ 55720 Gigabit Hosting Sdn Bhd               │ ban:1     │ 2024-04-28 00:41:37.491354269 +0000 UTC │
│ 54 │ Ip:154.92.14.17    │ crowdsecurity/ssh-slow-bf │ HK      │ 142403 YISU CLOUD LTD                       │ ban:1     │ 2024-04-28 00:37:42.74702933 +0000 UTC  │
│ 44 │ Ip:47.236.205.68   │ crowdsecurity/ssh-slow-bf │ SG      │ 45102 Alibaba US Technology Co., Ltd.       │ ban:1     │ 2024-04-27 07:23:35.992429368 +0000 UTC │

And…

cscli decisions list
No active decisions

If I check the logs:

time="29-04-2024 08:54:22" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5"
time="29-04-2024 08:54:22" level=info msg="backend type : nftables"
time="29-04-2024 08:54:22" level=info msg="nftables initiated"
time="29-04-2024 08:54:22" level=info msg="Using API key auth"
time="29-04-2024 08:54:22" level=info msg="config is valid"
time="29-04-2024 08:54:22" level=info msg="Shutting down backend"
time="29-04-2024 08:54:22" level=info msg="removing 'crowdsec' table"
time="29-04-2024 08:54:22" level=info msg="removing 'crowdsec6' table"
time="29-04-2024 08:54:22" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5"
time="29-04-2024 08:54:22" level=info msg="backend type : nftables"
time="29-04-2024 08:54:22" level=info msg="nftables initiated"
time="29-04-2024 08:54:22" level=info msg="Using API key auth"
time="29-04-2024 08:54:22" level=info msg="Processing new and deleted decisions . . ."
time="29-04-2024 08:54:22" level=info msg="95 decisions deleted"
time="29-04-2024 08:54:22" level=info msg="20563 decisions added"
time="29-04-2024 09:01:22" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: connect: connection refused"
time="29-04-2024 09:01:22" level=error msg="Get \"http://127.0.0.1:8080/v1/decisions/stream?\": dial tcp 127.0.0.1:8080: connect: connection refused"

And the netstat output:

tcp        0      0 127.0.0.1:50626         127.0.0.1:8080          ESTABLISHED 756193/crowdsec-fir  keepalive (16.57/0/0)

So LAPI is OK but not really OK??
No decisions seem to be applied, other than the preconfigured IP list from Crowdsec.

I’ve tried registering the bouncer again and restarted the bouncer and the crowdsec engine, but no change.

Any ideas on what is going on?

What are you expecting to see? Because what I can see is that the community blocklist has been pulled, but cscli decisions list hides these unless you provide the -a flag. The other alerts seen via cscli alerts list are local alerts, but the decision has most likely expired; by default we issue a 4h ban unless you customize it.
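To make the two points in this reply checkable on a host, here is a small added example (not part of this thread and not CrowdSec's own code). It parses the "timeout ... expires ..." element syntax that nft list ruleset prints for the crowdsec set, so the expiry of the pushed blocklist entries can be compared with what LAPI reports, and it mirrors how cscli decisions list decides what to print: community-blocklist decisions (origin "CAPI") are skipped unless the equivalent of -a is given, and decisions whose duration has already run out (the 4h default for a local ban) are never shown. The alert/decision field names and the origin value "CAPI" are assumed from the LAPI JSON shape as the example's author understands it; the nft listing and the alert list are constructed samples using documentation IP ranges.

```python
import re

# Duration tokens as nftables ("6d22h33m25s352ms") and Go/cscli ("3h59m12.345s",
# "-5m2s" once expired) print them. "ms" must be tried before "m" and "s".
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ms|d|h|m|s)")
_UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}


def parse_duration_ms(text: str) -> int:
    """Convert an nft or Go style duration into integer milliseconds.
    A leading '-' (an already expired decision) yields a negative value."""
    sign, body = 1, text.strip()
    if body.startswith("-"):
        sign, body = -1, body[1:]
    total, consumed = 0, 0
    for m in _TOKEN.finditer(body):
        if m.start() != consumed:          # unexpected text between tokens
            raise ValueError(f"unparsable duration: {text!r}")
        total += round(float(m.group(1)) * _UNIT_MS[m.group(2)])
        consumed = m.end()
    if consumed == 0 or consumed != len(body):
        raise ValueError(f"unparsable duration: {text!r}")
    return sign * total


# Constructed sample in the layout `nft list ruleset` uses for a set with timeouts.
SAMPLE_NFT_LISTING = """\
   192.0.2.10 timeout 6d22h33m25s352ms expires 6d22h23m40s716ms, 192.0.2.11 timeout 5d15h33m25s352ms expires 5d15h23m40s708ms,
                             198.51.100.7 timeout 5d17h33m27s352ms expires 5d17h23m42s728ms
"""

_ELEMENT = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+timeout\s+(\S+)\s+expires\s+([^\s,]+)"
)


def parse_nft_elements(listing: str) -> list:
    """Return one dict per set element: ip, configured timeout and time left, in ms."""
    return [
        {"ip": ip, "timeout_ms": parse_duration_ms(t), "expires_ms": parse_duration_ms(e)}
        for ip, t, e in _ELEMENT.findall(listing)
    ]


# Constructed alerts mimicking the shape of `cscli decisions list -a -o json`
# (field names and the "CAPI" origin are an assumption, see the lead-in).
SAMPLE_ALERTS = [
    {"id": 71, "scenario": "crowdsecurity/ssh-bf",
     "decisions": [{"origin": "crowdsec", "type": "ban", "scope": "Ip",
                    "value": "192.0.2.10", "duration": "-2h11m5.12s"}]},     # expired
    {"id": 72, "scenario": "crowdsecurity/ssh-slow-bf",
     "decisions": [{"origin": "crowdsec", "type": "ban", "scope": "Ip",
                    "value": "192.0.2.11", "duration": "3h59m12.345s"}]},    # active local ban
    {"id": 3, "scenario": "community-blocklist (constructed)",
     "decisions": [{"origin": "CAPI", "type": "ban", "scope": "Ip",
                    "value": "198.51.100.7", "duration": "6d13h2m1s"},
                   {"origin": "CAPI", "type": "ban", "scope": "Ip",
                    "value": "198.51.100.8", "duration": "5d17h23m42s"}]},
]


def list_decisions(alerts: list, include_all: bool = False) -> list:
    """Mimic what `cscli decisions list` prints: active decisions only, and
    community-blocklist (CAPI) ones only when include_all (the -a flag) is set."""
    shown = []
    for alert in alerts:
        for d in alert.get("decisions", []):
            if parse_duration_ms(d["duration"]) <= 0:
                continue                      # expired: never listed
            if d["origin"] == "CAPI" and not include_all:
                continue                      # hidden without -a
            shown.append((d["value"], d["origin"], d["type"], d["duration"]))
    return shown


if __name__ == "__main__":
    for el in parse_nft_elements(SAMPLE_NFT_LISTING):
        left_h = el["expires_ms"] / 3_600_000
        print(f"{el['ip']:<16} {left_h:7.2f} h left of {el['timeout_ms'] / 3_600_000:.2f} h")
    print("default view :", list_decisions(SAMPLE_ALERTS))
    print("with -a      :", len(list_decisions(SAMPLE_ALERTS, include_all=True)), "decisions")
```

With the constructed data the default view prints only the one live local ban, while the -a view also counts the two CAPI entries, which is exactly the "No active decisions" versus "20563 decisions added" contrast in the question: the bouncer's nft set was filled by the community blocklist, and the local ssh-bf bans from the alert list had already aged out of their 4h window.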

Hi,

Yes, I see…
In fact, I’m so used to servers with the SSH port open being stormed by bots that I foolishly thought Crowdsec wasn’t working (I always have 3 to 5 active bans). So no worries really. I tested a connection from another server 10 times in a row and the ban appeared and was active.

My apologies for the silly question.