Hello. How can I check the log file for banned IPs on the server?
The log file for CrowdSec is different depending on the platform; you can view the default locations here.
You can filter the log file; you will see entries like:
grep performed /var/log/crowdsec.log
time="2024-03-23T07:44:25Z" level=info msg="Ip 192.168.1.1 performed 'crowdsecurity/endlessh-bf' (6 events over 55.815407421s) at 2024-03-23 07:44:25.896865151 +0000 UTC"
I changed the IP address within the example for PII's sake.
However, you can also query the decisions and alerts using the cscli binary:
cscli decisions list
List active decisions (docs)
cscli alerts list
List all alerts, including active decisions (docs)
Hope this helps
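To automate what the grep above does by hand, here is an added example (not part of the original answer or of the CrowdSec project) that parses crowdsec.log lines in the time="..." level=... msg="..." format, groups the "Ip X performed 'scenario'" detections per IP and collects error/fatal messages, since those are what explain an empty decisions list. The sample log is constructed for the example; the second detection line and the "Loading" line are made up.

```python
import re
from collections import namedtuple

# crowdsec.log uses logfmt-style fields: time="..." level=info msg="..."
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg text written when a scenario fires; this is what `grep performed` finds
PERFORMED_RE = re.compile(
    r"^Ip (?P<ip>[0-9a-fA-F.:]+) performed '(?P<scenario>[^']+)' "
    r"\((?P<events>\d+) events over (?P<window>[^)]+)\) at (?P<at>.+)$"
)
Detection = namedtuple("Detection", "time ip scenario events window")

def parse_fields(line):
    """Split one log line into key=value fields, unquoting quoted values."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields

def parse_detection(line):
    """Return a Detection for an 'Ip X performed ...' line, else None."""
    f = parse_fields(line)
    m = PERFORMED_RE.match(f.get("msg", ""))
    if m is None:
        return None
    return Detection(f.get("time", ""), m["ip"], m["scenario"], int(m["events"]), m["window"])

def summarize(lines):
    """Group detections per IP and collect error/fatal messages, which explain
    why `cscli decisions list` can be empty even though scenarios fired."""
    by_ip, problems = {}, []
    for line in lines:
        det = parse_detection(line)
        if det is not None:
            by_ip.setdefault(det.ip, []).append(det)
        else:
            fields = parse_fields(line)
            if fields.get("level") in ("error", "fatal"):
                problems.append(fields.get("msg", line))
    return by_ip, problems

# Constructed sample: the line from the answer above, a made-up second detection, one fatal line like those later in the thread, and an unrelated info line.
SAMPLE_LOG = """\
time="2024-03-23T07:44:25Z" level=info msg="Ip 192.168.1.1 performed 'crowdsecurity/endlessh-bf' (6 events over 55.815407421s) at 2024-03-23 07:44:25.896865151 +0000 UTC"
time="2024-03-23T07:50:01Z" level=info msg="Ip 192.168.1.1 performed 'crowdsecurity/ssh-bf' (5 events over 12.3s) at 2024-03-23 07:50:01.000000000 +0000 UTC"
time="2024-03-20T19:51:27+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use"
time="2024-03-20T19:52:00+01:00" level=info msg="Loading 1 scenarios"
"""
```

Run `summarize(open("/var/log/crowdsec.log").read().splitlines())` against a real log; detections without a matching decision in `cscli decisions list` usually mean the ban has expired or the local API failed to start.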
For me, there is no list at all.
root@observer ~ # cscli decisions list
No active decisions
This is from the log: grep -E "level=(error|fatal)" /var/log/crowdsec.log
time="2024-03-20T19:51:27+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use"
time="2024-03-20T19:52:30+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use"
time="2024-03-20T19:53:34+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use"
time="2024-03-20T19:54:37+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use"
time="2024-03-20T19:55:40+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use"
time="2024-03-20T19:56:44+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use"
time="2024-03-20T19:57:47+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use"
time="2024-03-20T19:58:51+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use"
time="2024-03-20T19:59:54+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8081: listen tcp 127.0.0.1:8081: bind: address already in use"
time="2024-03-20T20:00:58+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8081: listen tcp 127.0.0.1:8081: bind: address already in use"
time="2024-03-20T20:02:01+01:00" level=fatal msg="while starting API server: listening on 127.0.0.1:8081: listen tcp 127.0.0.1:8081: bind: address already in use"
time="2024-03-20T20:03:05+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-20T20:04:09+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-20T20:05:14+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-20T20:06:18+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-20T20:07:23+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-20T20:08:27+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-20T20:09:31+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-20T20:10:36+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-20T20:11:40+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-20T20:12:44+01:00" level=fatal msg="starting outputs error : authenticate watcher (fab9f9341e3747c5b7db6620482b614ditu8O7eMDzQIsSr2): API error: http code 400, no error message"
time="2024-03-21T03:53:36+01:00" level=error msg="sending signal to central API: while performing request: API error: Unauthorized"
time="2024-03-21T11:24:17+01:00" level=error msg="sending signal to central API: while performing request: API error: Unauthorized"
time="2024-03-23T08:15:16+01:00" level=fatal msg="-dsn requires a -type argument"
time="2024-03-23T09:00:44+01:00" level=error msg="capi metrics: failed: API error: Unauthorized"
But I changed the port to 7188 because 8080 is busy with another process.
netstat -tulpn | grep :8080
tcp6 0 0 :::8080 :::* LISTEN 22745/agent
root@observer ~ # netstat -tulpn | grep :7188
tcp 0 0 127.0.0.1:7188 0.0.0.0:* LISTEN 176406/crowdsec
Also this command shows: cscli alerts list
It seems all works and the scanned IP is banned?
cscli decisions list
root@observer ~ # cscli decisions list
No active decisions
They did have an active decision; however, the default ban timer of 4 hours has now expired, so yes, the detection is working, and as long as you installed a remediation component it should be actively enforcing it.
I'm guessing you resolved the port conflict errors?
How do I add more ban time? For example 36 hr or 1 year?
With the port correction, yes. It's solved.
CrowdSec is designed to provision small, timely bans, as IP addresses are dynamic in nature; you can alter the behaviour via profiles.
Thanks. You are the best.
Now solved.