ARM (Raspberry) builds updated for bullseye?

Hi there!

Some weeks ago, I successfully installed Crowdsec on a RPI Zero 2 W using this tutorial: https://www.crowdsec.net/blog/how-to-secure-your-raspberry-pi-with-crowdsec.
It’s running fine

Many thanks for that, CrowdSec is awesome and you guys rocks!

But today, running a cscli hup update, I got this:

WARN[22-10-2023 06:40:35] Crowdsec is not the latest version. Current version is ‘v1.5.2’ and the latest stable version is ‘v1.5.4’. Please update it!
WARN[22-10-2023 06:40:35] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.5.4

Okay, classic stuff. Ran apt update, CrowdSec repo is configured OK:

Hit:5 https://packagecloud.io/crowdsec/crowdsec/raspbian bullseye InRelease

But then, no new CrowdSec package is listed with apt list --upgradable
So, the package has probably not been updated (or not available anymore) on the repository.

Will arm Raspbian builds get maintained, updated for bullseye?
Should I switch to bookworm, althrough it is not listed here: packagecloud Documentation - Documentation for the Command-Line Interface (CLI) and automation tools, forget about pre-built CrowdSec Raspbian packages,…?
I can see that debian builds for bullseye are getting updated: debian/bullseye/crowdsec_1.5.4_arm64.deb - crowdsec/crowdsec · packagecloud.

Thanks in advance for any clue

Hi,

We just had an issue when we released 1.5.4 with armhf builds, so to not delay the release we decided to ship it without armhf packages (raspberry builds). We are about to ship 1.5.5 in a short time, and this one will be shipped without armhf packages as well, but I intend to fix it in the forthcoming weeks. As soon as the build issue is fixed, armhf packages will be released as well.

So tl,dr, armhf build will be there, but you have to be a bit more patient
Sorry and thanks for using CrowdSec,

Thanks @sabban for your comprehensive reply!
Knowing that this format is not discontinued I’ll wait patiently, no problem.
I wish you luck and success with the builds!

Meanwhile, Raspberry OS bullseye has been overtaken by bookworm (Operating system images – Raspberry Pi). Will you publish for bookworm as well?

Yes, we already publish for bookworm, so most likely we will support this also.

That’s very good news, thanks!

I just uploaded a version for armhf in the crowdsec-testing repository: crowdsec/crowdsec-testing - Packages · packagecloud
Sorry for the delay, it was a bit tricky to achieve. And, I want it to be a bit tested before pushing it to the stable repository.

Thank you for patience !

Hi @sabban, and thanks for the follow-up!
Do you want me to help with testing? Only HTTP Nginx is exposed on this device…

Hi,
We usually use this https://github.com/crowdsecurity/crowdsec/tree/master/test to internally test crowdsec releases, but I’ve not any full armhf devices to test the release on. OTOH I’ll gladly have a look into any issues that would be reported on this

Hi,

Upgraded successfully by adding “crowdsec-testing” repo.
Firewall bouncer came with a new configuration file, no big deal. I just had to delete previous bouncer.

No issue to report, I could run every command (except “simulation”) and update everything, without error.
I could add some scenarios I previously deleted (VCSA, Fortinet), install/remove a collection, etc.

Version and metrics so far:

root@pi:~# cscli version
2023/11/22 06:02:25 version: v1.5.5-debian-pragmatic-arm-d2d788c5dc0a9e387635276623c6781774a9dfd4
2023/11/22 06:02:25 Codename: alphaga
2023/11/22 06:02:25 BuildDate: 2023-11-21_09:48:21
2023/11/22 06:02:25 GoVersion: 1.21.3
2023/11/22 06:02:25 Platform: linux
2023/11/22 06:02:25 libre2: C++
2023/11/22 06:02:25 Constraint_parser: >= 1.0, <= 2.0
2023/11/22 06:02:25 Constraint_scenario: >= 1.0, < 3.0
2023/11/22 06:02:25 Constraint_api: v1
2023/11/22 06:02:25 Constraint_acquis: >= 1.0, < 2.0

root@pi:~# crowdsec-firewall-bouncer -V
version: v0.0.28~rc1-debian-pragmatic-c8322311d6486a54ff8791930d9735f8700bd296
BuildDate: 2023-06-19_09:23:47
GoVersion: 1.20.1

root@pi:~# cscli metrics

Acquisition Metrics:
╭────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│             Source             │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/nginx/access.log │ 4          │ 3            │ 1              │ 1                      │
│ file:/var/log/syslog           │ 4          │ -            │ 4              │ -                      │
╰────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Bucket Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│                Bucket                │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ -             │ -         │ 1            │ 1      │ 1       │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│             Parsers             │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/http-logs   │ 9    │ 6      │ 3        │
│ child-crowdsecurity/nginx-logs  │ 5    │ 3      │ 2        │
│ child-crowdsecurity/syslog-logs │ 4    │ 4      │ -        │
│ crowdsecurity/dateparse-enrich  │ 3    │ 3      │ -        │
│ crowdsecurity/geoip-enrich      │ 3    │ 3      │ -        │
│ crowdsecurity/http-logs         │ 3    │ 3      │ -        │
│ crowdsecurity/nginx-logs        │ 4    │ 3      │ 1        │
│ crowdsecurity/non-syslog        │ 4    │ 4      │ -        │
│ crowdsecurity/syslog-logs       │ 4    │ 4      │ -        │
│ crowdsecurity/whitelists        │ 3    │ 3      │ -        │
╰─────────────────────────────────┴──────┴────────┴──────────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│        Route         │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ GET    │ 2    │
│ /v1/decisions/stream │ GET    │ 25   │
│ /v1/heartbeat        │ GET    │ 7    │
│ /v1/watchers/login   │ POST   │ 4    │
╰──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│                     Machine                      │     Route     │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ ------------------------------------------------ │ /v1/alerts    │ GET    │ 2    │
│ ------------------------------------------------ │ /v1/heartbeat │ GET    │ 7    │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭────────────────────────────────┬──────────────────────┬────────┬──────╮
│            Bouncer             │        Route         │ Method │ Hits │
├────────────────────────────────┼──────────────────────┼────────┼──────┤
│ cs-firewall-bouncer-1700627702 │ /v1/decisions/stream │ GET    │ 25   │
╰────────────────────────────────┴──────────────────────┴────────┴──────╯

Local API Decisions:
╭────────────────────────────────────────────┬──────────┬────────┬───────╮
│                   Reason                   │  Origin  │ Action │ Count │
├────────────────────────────────────────────┼──────────┼────────┼───────┤
│ crowdsecurity/http-backdoors-attempts      │ CAPI     │ ban    │ 866   │
│ crowdsecurity/http-sensitive-files         │ CAPI     │ ban    │ 19    │
│ crowdsecurity/ssh-bf                       │ CAPI     │ ban    │ 17264 │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI     │ ban    │ 380   │
│ crowdsecurity/http-bad-user-agent          │ CAPI     │ ban    │ 6150  │
│ crowdsecurity/http-bad-user-agent          │ crowdsec │ ban    │ 11    │
│ crowdsecurity/ssh-slow-bf                  │ CAPI     │ ban    │ 50    │
│ crowdsecurity/CVE-2022-41082               │ CAPI     │ ban    │ 1025  │
│ crowdsecurity/CVE-2023-22515               │ CAPI     │ ban    │ 5     │
│ crowdsecurity/http-cve-2021-41773          │ CAPI     │ ban    │ 42    │
│ crowdsecurity/http-open-proxy              │ CAPI     │ ban    │ 600   │
│ crowdsecurity/http-open-proxy              │ crowdsec │ ban    │ 1     │
│ crowdsecurity/http-probing                 │ CAPI     │ ban    │ 1892  │
│ crowdsecurity/http-probing                 │ crowdsec │ ban    │ 5     │
│ crowdsecurity/CVE-2022-26134               │ CAPI     │ ban    │ 213   │
│ crowdsecurity/http-crawl-non_statics       │ CAPI     │ ban    │ 432   │
│ crowdsecurity/http-crawl-non_statics       │ crowdsec │ ban    │ 2     │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI     │ ban    │ 48    │
│ crowdsecurity/CVE-2022-35914               │ CAPI     │ ban    │ 55    │
│ crowdsecurity/http-generic-bf              │ CAPI     │ ban    │ 19    │
│ firehol_cruzit_web_attacks                 │ lists    │ ban    │ 13167 │
│ firehol_greensnow                          │ lists    │ ban    │ 7034  │
│ crowdsecurity/CVE-2022-37042               │ CAPI     │ ban    │ 17    │
│ crowdsecurity/CVE-2022-42889               │ CAPI     │ ban    │ 13    │
│ crowdsecurity/grafana-cve-2021-43798       │ CAPI     │ ban    │ 66    │
│ crowdsecurity/http-path-traversal-probing  │ CAPI     │ ban    │ 71    │
│ crowdsecurity/CVE-2019-18935               │ CAPI     │ ban    │ 65    │
│ crowdsecurity/CVE-2023-22518               │ CAPI     │ ban    │ 14    │
│ crowdsecurity/nginx-req-limit-exceeded     │ CAPI     │ ban    │ 114   │
│ ltsich/http-w00tw00t                       │ CAPI     │ ban    │ 1     │
│ firehol_botscout_7d                        │ lists    │ ban    │ 3025  │
╰────────────────────────────────────────────┴──────────┴────────┴───────╯

Local API Alerts:
╭──────────────────────────────────────┬───────╮
│                Reason                │ Count │
├──────────────────────────────────────┼───────┤
│ crowdsecurity/http-probing           │ 5     │
│ crowdsecurity/http-bad-user-agent    │ 11    │
│ crowdsecurity/http-crawl-non_statics │ 2     │
│ crowdsecurity/http-open-proxy        │ 1     │
╰──────────────────────────────────────┴───────╯

On console everything looks fine:

image681×1454 109 KB

Thanks for the awesome work!

Thanks for the report !