Block duration from profiles.yaml not applied after reload

Hi! I use crowdsec with postfix-logs parser and cs-firewall-bouncer.
For blocking I use iptables+ipset.

Default ban duration is 4h.
I set duration: 23h at /etc/crowdsec/profiles.yaml

name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 23h
on_success: break

Reload services:
systemctl reload crowdsec
service cs-firewall-bouncer restart

But it had no effect. For new records at decisions list I see expiration about 3h59m.

How change ban duration?

Hello, can you try restarting crowdsec instead of just reload ? I’m not sure profiles are re-read at reload time :sweat_smile:

Thank you, it worked!

1 Like

One more question.
I add decision from cscli:
cscli decisions add --range 45.142.120.0/24

But it not shown at crowdsec-blacklists by
ipset -L crowdsec-blacklists

Is this how it should be?

In decision list this range had added successfully.

Hello,

No, it should be shown in your blacklist :slight_smile: Is your bouncer receiving other decisions ?

Yes.
ipset -L crowdsec-blacklists
and
cscli decisions list
contain the same IP addresses.
For example now 23 baned IP.

Hello,

Just tried locally and I can’t manage to reproduce :

▶ sudo cscli decisions add -r 2.2.2.0/24
INFO[22-03-2021 03:26:27 PM] Decision successfully added        
▶ sudo ipset -L | grep 2.2.2
...
2.2.2.0/24 timeout 14390

Can you share more info about version & os ?

I removed the decision and added it again, but now everything worked out. The range was added to the crowdsec-blacklists.
I don’t understand why the decision wasn’t added in the crowdsec-blacklists for the first time.
Thank you so much for your help. Now everything works perfect.

I found the reason why the “cscli decisions add --range” doesn’t always work.The reason for this is constraint of the timeout value for the ipset. The largest possible timeout value is 2147483 (in seconds).
[Man page of IPSET]
If duration value in “–duration string” lager then max value of timeout for ipset when in decision list range will be added, but in crowdsec-blacklists not.