Just tried to use CrowdSec on my Ubuntu 20.04 LTS Unifi Controller server (SuperServer E102-9AP-L, SoC) and my Unifi web access stopped working. After doing some debugging, if I uninstalled/removed CrowdSec from the server, my Unifi Controller web access was working again. Strangely though, I could still SSH into the server while CrowdSec was installed. Anyone have any thoughts? After doing some research, I found out that I had to change the default port to 7070, and it seems that my Supermicro SuperServer E102-9AP-L (SoC) doesn’t work well with CrowdSec or the Bouncer.
Hey. Sorry for the time lag in terms of replies.
From your description it’s hard to help without any details. So could you paste relevant input from /var/log/crowdsec.log. Also what does it mean when you say “Unifi web access stopped working”? Couldn’t you connect to the login? Or were you unable to login? What does the unifi log say?
Also when you say that your Supermicro server doesn’t work very well with CrowdSec, could you please elaborate what that means? What doesn’t work and what are the symptoms?
Hi, sorry for taking so long to reply back, I got frustrated with my whole system and took a break from it, but I’m back now.
Here’s the info you requested:
time="25-11-2021 18:43:41" level=warning msg="SIGTERM received, shutting down"
time="25-11-2021 18:43:41" level=info msg="Crowdsec engine shutting down"
time="25-11-2021 18:43:41" level=info msg="File datasource /var/log/auth.log stopping" tail=/var/log/auth.log type=file
time="25-11-2021 18:43:41" level=info msg="File datasource /var/log/syslog stopping" tail=/var/log/syslog type=file
time="25-11-2021 18:43:41" level=info msg="File datasource /var/log/kern.log stopping" tail=/var/log/kern.log type=file
time="25-11-2021 18:43:41" level=info msg="Killing parser routines"
time="25-11-2021 18:43:42" level=info msg="Bucket routine exiting"
time="25-11-2021 18:43:43" level=info msg="serve: shutting down api server"
time="25-11-2021 18:43:43" level=info msg="killing all plugins"
time="25-11-2021 18:43:43" level=info msg="push tomb is dying, sending cache (0 elements) before exiting"
time="25-11-2021 18:43:43" level=warning msg="Crowdsec service shutting down"
time="25-11-2021 18:46:43" level=info msg="Crowdsec v1.2.1-debian-pragmatic-linux-dd03d073558e380c283afe66942f537c3da647ff"
time="25-11-2021 18:46:43" level=info msg="Loading prometheus collectors"
time="25-11-2021 18:46:43" level=info msg="Loading CAPI pusher"
time="25-11-2021 18:46:43" level=info msg="Loading grok library /etc/crowdsec/patterns"
time="25-11-2021 18:46:49" level=info msg="Loading enrich plugins"
time="25-11-2021 18:46:49" level=info msg="Successfully registered enricher 'GeoIpCity'"
time="25-11-2021 18:46:49" level=info msg="Successfully registered enricher 'GeoIpASN'"
time="25-11-2021 18:46:49" level=info msg="Successfully registered enricher 'IpToRange'"
time="25-11-2021 18:46:49" level=info msg="Successfully registered enricher 'reverse_dns'"
time="25-11-2021 18:46:49" level=info msg="Successfully registered enricher 'ParseDate'"
time="25-11-2021 18:46:49" level=info msg="Loading parsers 5 stages"
time="25-11-2021 18:46:49" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
time="25-11-2021 18:46:49" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
time="25-11-2021 18:46:49" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
time="25-11-2021 18:46:49" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
time="25-11-2021 18:46:49" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
time="25-11-2021 18:46:49" level=info msg="Loaded 6 nodes, 3 stages"
time="25-11-2021 18:46:49" level=info msg="Loading postoverflow Parsers"
time="25-11-2021 18:46:49" level=info msg="Loaded 0 nodes, 0 stages"
time="25-11-2021 18:46:49" level=info msg="Loading 2 scenario files"
time="25-11-2021 18:46:49" level=info msg="Adding leaky bucket" cfg=black-moon file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf
time="25-11-2021 18:46:49" level=info msg="Adding leaky bucket" cfg=twilight-sky file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf_user-enum
time="25-11-2021 18:46:49" level=info msg="Adding leaky bucket" cfg=fragrant-pond file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
time="25-11-2021 18:46:49" level=info msg="Adding leaky bucket" cfg=bitter-grass file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
time="25-11-2021 18:46:49" level=warning msg="Loaded 4 scenarios"
time="25-11-2021 18:46:49" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
time="25-11-2021 18:46:49" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="25-11-2021 18:46:49" level=info msg="Adding file /var/log/syslog to datasources" type=file
time="25-11-2021 18:46:49" level=info msg="Adding file /var/log/kern.log to datasources" type=file
time="25-11-2021 18:46:49" level=info msg="test done"
time="25-11-2021 18:46:49" level=info msg="Crowdsec v1.2.1-debian-pragmatic-linux-dd03d073558e380c283afe66942f537c3da647ff"
time="25-11-2021 18:46:49" level=info msg="Loading prometheus collectors"
time="25-11-2021 18:46:49" level=info msg="Loading CAPI pusher"
time="25-11-2021 18:46:49" level=info msg="Loading grok library /etc/crowdsec/patterns"
time="25-11-2021 18:46:49" level=info msg="start crowdsec api push (interval: 30s)"
time="25-11-2021 18:46:49" level=info msg="start crowdsec api pull (interval: 2h)"
time="25-11-2021 18:46:49" level=info msg="last CAPI pull is newer than 1h30, skip."
time="25-11-2021 18:46:51" level=info msg="capi metrics: metrics sent successfully"
time="25-11-2021 18:46:51" level=info msg="start crowdsec api send metrics (interval: 30m)"
time="25-11-2021 18:46:53" level=info msg="Loading enrich plugins"
time="25-11-2021 18:46:53" level=info msg="Successfully registered enricher 'GeoIpCity'"
time="25-11-2021 18:46:53" level=info msg="Successfully registered enricher 'GeoIpASN'"
time="25-11-2021 18:46:53" level=info msg="Successfully registered enricher 'IpToRange'"
time="25-11-2021 18:46:53" level=info msg="Successfully registered enricher 'reverse_dns'"
time="25-11-2021 18:46:53" level=info msg="Successfully registered enricher 'ParseDate'"
time="25-11-2021 18:46:53" level=info msg="Loading parsers 5 stages"
time="25-11-2021 18:46:53" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
time="25-11-2021 18:46:53" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
time="25-11-2021 18:46:53" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
time="25-11-2021 18:46:53" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
And, about my UniFi controller access issue, I solved that by changing the CrowdSec listening port to 7070.
For my Supermicro server matter, it’s a system on chip and I was wondering if that has something to do with the bouncer not working right.
And finally, I’m new to all of this as you can probably tell, but it’s really interesting to me and I want to learn much more about IT and IT security stuff.
Hey and thanks!
I get you - who doesn’t need a break from the bleeping computers every now and then?
Anyways, as I understand it, the problem with Unifi is solved, right?
In terms of the problem with your supermicro server I can’t really see a connection; if it’s an IPMI (which I assume) then it’s more or less a separate computer that doesn’t have anything to do with the ‘real’ server, so to speak. Also it’s not very clear to me which problems you are experiencing in relation to it. Could you please elaborate on that?
I’m having the same issue with installing crowdsec on a Unifi Network Application Server (Ubuntu 20.04).
It appears that crowdsec uses port 8080, which is already being used by the Unifi App.
I changed the ports in the yaml files and can get it installed, along with the firewall (also changed ports), but the bouncer does not show in the Beta Dashboard.
It also shows “unknown v1.2.1 available!” in the Dashboard for the agent even though version 1.2.1 is already installed.
Thanks for your post. Which files did you change the port number in? Just want to make sure you did it properly.
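
A consistency check for the port change discussed in this thread, added here as an example and not taken from any of the posts: it compares the Local API port across the agent config, the client credentials file and the bouncer config. The key names (listen_uri, url, api_url) and the usual package paths (/etc/crowdsec/config.yaml, /etc/crowdsec/local_api_credentials.yaml, /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml) are assumptions about a default install; the sample files are constructed.

```shell
#!/bin/sh
# Check that every file naming the CrowdSec Local API port agrees.
# Key names and file roles are assumptions about a default package install.

# Print the port from the first "key: value" line (value is host:port or a URL).
port_of() {  # $1 = key, $2 = file
    sed -n "s|^[[:space:]]*$1:[[:space:]]*||p" "$2" | head -n 1 |
        sed -e 's|^[a-z]*://||' -e 's|/.*$||' -e 's|^.*:||'
}

# Return 0 only when agent, credentials and bouncer all use the same port.
check_lapi_ports() {  # $1 = config.yaml, $2 = credentials yaml, $3 = bouncer yaml
    server=$(port_of listen_uri "$1")
    client=$(port_of url "$2")
    bouncer=$(port_of api_url "$3")
    echo "listen_uri=$server credentials=$client bouncer=$bouncer"
    [ -n "$server" ] && [ "$server" = "$client" ] && [ "$server" = "$bouncer" ]
}

# Constructed sample: agent and credentials moved to 7070, bouncer left at 8080.
make_sample() {  # $1 = directory to fill
    printf 'api:\n  server:\n    listen_uri: 127.0.0.1:7070\n' > "$1/config.yaml"
    printf 'url: http://127.0.0.1:7070\nlogin: sample\npassword: sample\n' \
        > "$1/local_api_credentials.yaml"
    printf 'api_url: http://localhost:8080/\napi_key: sample\n' > "$1/bouncer.yaml"
}

demo=$(mktemp -d)
make_sample "$demo"
if check_lapi_ports "$demo/config.yaml" "$demo/local_api_credentials.yaml" \
        "$demo/bouncer.yaml"; then
    echo "ports agree"
else
    echo "port mismatch: a client is pointed at the wrong Local API port"
fi
rm -rf "$demo"
```

On a live host, pass the three real file paths to check_lapi_ports; `ss -ltnp` shows which process already holds port 8080.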