I’m new, obviously. A few months ago I followed the instructions on the website to install and set up crowdsec (on an Ubuntu server). It wasn’t easy, but it went fairly smoothly. I was seeing alerts in the web portal and could confirm on my server that IPs were being blocked.
But today (3 months later) I just signed on to see how things were going and if I go to Security Engines - it shows that my engine has been archived. I have no alerts and no decisions. Besides normal server updates I can’t think of what could have changed.
I just ran composer update to make sure that was up to date.
sudo systemctl status crowdsec shows it is enabled
but running things like sudo cscli decisions list gives a connection error:
I confirmed that /etc/crowdsec/local_api_credentials.yaml is set to use 127.0.0.1:8080
sudo systemctl restart crowdsec is actually giving an error and when I do journalctl -xeu crowdsec.service I see:
```text
crowdsec[89861]: FATAL while loading profiles for LAPI: while decoding /etc/crowdsec/profiles.yaml: yaml: unmarshal errors:
crowdsec[89861]: line 3: field duration_expr not found in type models.Decision
systemd[1]: crowdsec.service: Control process exited, code=exited, status=1/FAILURE
```
I checked /etc/crowdsec/profiles.yaml and that setting seems to be the default from the docs:
So that’s as far as I got with my debugging. I don’t really understand all the moving parts with crowdsec, so I may be missing something obvious. But it seems like it just stopped working a month ago or so for some reason.
Either the duration is indented too much, as it’s a top-level property, or you have auto update enabled and the Ubuntu package has been installed over our version.
```yaml
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 8h
   # duration_expr is indented under the decision entry here, which is what the unmarshal error refers to
   duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default  # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default  # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
---
name: default_range_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default  # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default  # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
```
Sorry, didn’t see your reply. Yes, so the issue is that duration_expr is not a nested property, so your profiles should look like:
```yaml
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 8h
# duration_expr sits at the profile's top level, next to decisions, not inside a decision entry
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default  # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default  # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
---
name: default_range_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default  # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default  # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
```
Note the duration_expr is not under decisions but a top level property.
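A small pre-flight check for exactly the misplacement this thread hits, added here as an example and not part of any post or of crowdsec itself: it scans a profiles.yaml for `duration_expr` indented under a `decisions` entry and hoists it back to profile top level, placed after the block it was nested in. It runs on a constructed profile and uses a line-based heuristic rather than a full YAML parser, so it only understands the layout shown in this thread.

```python
import re

# Constructed sample reproducing the broken layout from the thread: duration_expr
# is indented under the decision entry, which crowdsec's models.Decision rejects.
BROKEN_PROFILE = """name: default_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 8h
   duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
on_success: break
---
name: default_range_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
on_success: break
"""

# Matches a duration_expr key; group 1 = leading indent, group 2 = list-item dash if any.
KEY = re.compile(r"^(\s*)(-\s+)?duration_expr\s*:")


def find_nested_duration_expr(text):
    """Return 1-based line numbers where duration_expr is not a top-level profile key."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = KEY.match(line)
        if m and (m.group(1) or m.group(2)):  # indented or written as a list item
            hits.append(n)
    return hits


def hoist_duration_expr(text):
    """Move each nested duration_expr to column 0, emitted just before the next
    top-level key (or document separator) so the decisions list is not split."""
    fixed, pending = [], []
    for line in text.splitlines():
        m = KEY.match(line)
        if m and (m.group(1) or m.group(2)):
            pending.append(re.sub(r"^\s*(-\s+)?", "", line))  # strip indent and dash
            continue
        s = line.strip()
        if s == "---" or (s and not s.startswith("#") and not line[0].isspace()):
            fixed.extend(pending)  # back at profile top level: place hoisted keys here
            pending.clear()
        fixed.append(line)
    fixed.extend(pending)  # document ended while a key was still pending
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    print(hoist_duration_expr(BROKEN_PROFILE))
```

Run the fixed text back through `find_nested_duration_expr` to confirm it reports nothing before restarting crowdsec.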