Crowdsec openwrt 21.02.1 iptables ipset - package problems

1

i’ve build crowdsec and crowdsec-firewall-bouncer into 21.02.1

as there are no real help docs for openwrt, i’ve tried to follow the official crowdsec docs to setup ipsets via iptables

many of the crowdsec documents do not directly seem to apply… and firewall bouncer never starts nor creates any log files

i have the feeling there are issues with the package and as it differs from the official crowdsec setup process, there is absolutely nowhere to obtain help

i tried asking the maintainer of the package but it has been 3 months in the stable branch and setup still fails when included in the OS image and if installed afterwards

2

this is how a default install ends;

[root@dca632 /usbstick 61°] service | grep crowdsec
/etc/init.d/crowdsec          	   enabled	   stopped
/etc/init.d/crowdsec-firewall-bouncer	   enabled	   stopped

[root@dca632 /usbstick 61°] logread | grep crowdsec
                   
[root@dca632 /usbstick 63°] grep . /var/log/crowdsec*.log
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:03" level=info msg="backend type : nftables"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:03" level=info msg="nftables initiated"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:03" level=info msg="Processing new and deleted decisions . . ."
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:03" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: connect: network is unreachable"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:03" level=fatal msg="Get \"http://localhost:8080/v1/decisions/stream?startup=true\": dial tcp 127.0.0.1:8080: connect: network is unreachable"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:05" level=info msg="backend type : nftables"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:05" level=info msg="nftables initiated"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:05" level=info msg="Processing new and deleted decisions . . ."
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:05" level=fatal msg="API error: access forbidden"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:38" level=info msg="backend type : nftables"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:38" level=info msg="nftables initiated"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:38" level=info msg="Processing new and deleted decisions . . ."
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:34:38" level=fatal msg="API error: access forbidden"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:35:36" level=info msg="backend type : nftables"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:35:36" level=info msg="nftables initiated"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:35:36" level=info msg="Processing new and deleted decisions . . ."
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:35:36" level=fatal msg="API error: access forbidden"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:35:37" level=info msg="backend type : nftables"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:35:37" level=info msg="nftables initiated"
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:35:37" level=info msg="Processing new and deleted decisions . . ."
/var/log/crowdsec-firewall-bouncer.log:time="13-01-2022 15:35:37" level=fatal msg="API error: access forbidden"
/var/log/crowdsec.log:time="13-01-2022 15:34:03" level=info msg="Crowdsec v1.2.1-openwrt-openwrt"
/var/log/crowdsec.log:time="13-01-2022 15:34:03" level=info msg="Loading prometheus collectors"
/var/log/crowdsec.log:time="13-01-2022 15:34:03" level=warning msg="prometheus: listen tcp 127.0.0.1:6060: bind: cannot assign requested address"
/var/log/crowdsec.log:time="13-01-2022 15:34:03" level=info msg="Loading CAPI pusher"
/var/log/crowdsec.log:time="13-01-2022 15:34:03" level=info msg="start crowdsec api push (interval: 30s)"
/var/log/crowdsec.log:time="13-01-2022 15:34:03" level=info msg="start crowdsec api pull (interval: 2h)"
/var/log/crowdsec.log:time="13-01-2022 15:34:03" level=warning msg="scenario list is empty, will not pull yet"
/var/log/crowdsec.log:time="13-01-2022 15:34:03" level=fatal msg="listen tcp 127.0.0.1:8080: bind: cannot assign requested address"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=info msg="Crowdsec v1.2.1-openwrt-openwrt"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=info msg="Loading prometheus collectors"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=info msg="Loading CAPI pusher"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=info msg="start crowdsec api push (interval: 30s)"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=info msg="start crowdsec api pull (interval: 2h)"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=warning msg="scenario list is empty, will not pull yet"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=error msg="unable to send metrics (Post \"https://api.crowdsec.net/v2/metrics/\": could not get jwt token: Post \"https://api.crowdsec.net/v2/watchers/login\": dial tcp: lookup api.crowdsec.net on [::1]:53: server misbehaving), will retry"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=info msg="capi metrics: metrics sent successfully"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=info msg="start crowdsec api send metrics (interval: 30m)"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=info msg="Loading grok library /etc/crowdsec/patterns"
/var/log/crowdsec.log:time="13-01-2022 15:34:05" level=error msg="auth api key error: select bouncer: ent: bouncer not found: unable to query"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loading enrich plugins"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=error msg="unable to register plugin 'GeoIpCity': open /srv/crowdsec/data/GeoLite2-City.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=error msg="unable to register plugin 'GeoIpASN': open /srv/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=error msg="unable to register plugin 'IpToRange': open /srv/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Successfully registered enricher 'reverse_dns'"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Successfully registered enricher 'ParseDate'"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loading parsers 5 stages"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="the method 'GeoIpCity' doesn't exist or the plugin has not been initialized"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="the method 'GeoIpASN' doesn't exist or the plugin has not been initialized"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="the method 'IpToRange' doesn't exist or the plugin has not been initialized"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=error msg="open /srv/crowdsec/data/GeoLite2-City.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=error msg="open /srv/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loaded 6 nodes, 3 stages"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loading postoverflow Parsers"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loaded 0 nodes, 0 stages"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Loading 2 scenario files"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Adding leaky bucket" cfg=holy-brook file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Adding leaky bucket" cfg=aged-water file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf_user-enum
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Adding leaky bucket" cfg=nameless-shadow file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Adding leaky bucket" cfg=patient-silence file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="Loaded 4 scenarios"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="No matching files for pattern /var/log/nginx/*.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="No matching files for pattern /var/log/auth.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="No matching files for pattern /var/log/syslog" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=error msg="Failed to notify(sent: false): <nil>"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=warning msg="Starting processing data"
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=info msg="Error machine login for 215b285b4abe4fc7a2b66089c460ae9dadrEYfHrDXaJB1J1 : ent: machine not found "
/var/log/crowdsec.log:time="13-01-2022 15:34:12" level=fatal msg="starting outputs error : authenticate watcher (215b285b4abe4fc7a2b66089c460ae9dadrEYfHrDXaJB1J1): Post \"http://127.0.0.1:8080/v1/watchers/login\": API error: ent: machine not found"
/var/log/crowdsec.log:time="13-01-2022 15:34:38" level=info msg="Crowdsec v1.2.1-openwrt-openwrt"
/var/log/crowdsec.log:time="13-01-2022 15:34:38" level=info msg="Loading prometheus collectors"
/var/log/crowdsec.log:time="13-01-2022 15:34:38" level=info msg="Loading CAPI pusher"
/var/log/crowdsec.log:time="13-01-2022 15:34:38" level=info msg="start crowdsec api push (interval: 30s)"
/var/log/crowdsec.log:time="13-01-2022 15:34:38" level=info msg="start crowdsec api pull (interval: 2h)"
/var/log/crowdsec.log:time="13-01-2022 15:34:38" level=warning msg="scenario list is empty, will not pull yet"
/var/log/crowdsec.log:time="13-01-2022 15:34:38" level=info msg="Loading grok library /etc/crowdsec/patterns"
/var/log/crowdsec.log:time="13-01-2022 15:34:38" level=error msg="auth api key error: select bouncer: ent: bouncer not found: unable to query"
/var/log/crowdsec.log:time="13-01-2022 15:34:41" level=info msg="capi metrics: metrics sent successfully"
/var/log/crowdsec.log:time="13-01-2022 15:34:41" level=info msg="start crowdsec api send metrics (interval: 30m)"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loading enrich plugins"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=error msg="unable to register plugin 'GeoIpCity': open /srv/crowdsec/data/GeoLite2-City.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=error msg="unable to register plugin 'GeoIpASN': open /srv/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=error msg="unable to register plugin 'IpToRange': open /srv/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Successfully registered enricher 'reverse_dns'"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Successfully registered enricher 'ParseDate'"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loading parsers 5 stages"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="the method 'GeoIpCity' doesn't exist or the plugin has not been initialized"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="the method 'GeoIpASN' doesn't exist or the plugin has not been initialized"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="the method 'IpToRange' doesn't exist or the plugin has not been initialized"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=error msg="open /srv/crowdsec/data/GeoLite2-City.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=error msg="open /srv/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loaded 6 nodes, 3 stages"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loading postoverflow Parsers"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loaded 0 nodes, 0 stages"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Loading 2 scenario files"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Adding leaky bucket" cfg=falling-field file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Adding leaky bucket" cfg=quiet-night file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf_user-enum
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Adding leaky bucket" cfg=empty-dust file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="Adding leaky bucket" cfg=dry-dawn file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="Loaded 4 scenarios"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="No matching files for pattern /var/log/nginx/*.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="No matching files for pattern /var/log/auth.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="No matching files for pattern /var/log/syslog" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=error msg="Failed to notify(sent: false): <nil>"
/var/log/crowdsec.log:time="13-01-2022 15:34:45" level=warning msg="Starting processing data"
/var/log/crowdsec.log:time="13-01-2022 15:34:52" level=info msg="Error machine login for 215b285b4abe4fc7a2b66089c460ae9dadrEYfHrDXaJB1J1 : ent: machine not found "
/var/log/crowdsec.log:time="13-01-2022 15:34:52" level=fatal msg="starting outputs error : authenticate watcher (215b285b4abe4fc7a2b66089c460ae9dadrEYfHrDXaJB1J1): Post \"http://127.0.0.1:8080/v1/watchers/login\": API error: ent: machine not found"
/var/log/crowdsec.log:time="13-01-2022 15:35:36" level=info msg="Crowdsec v1.2.1-openwrt-openwrt"
/var/log/crowdsec.log:time="13-01-2022 15:35:36" level=info msg="Loading prometheus collectors"
/var/log/crowdsec.log:time="13-01-2022 15:35:36" level=info msg="Loading CAPI pusher"
/var/log/crowdsec.log:time="13-01-2022 15:35:36" level=info msg="start crowdsec api push (interval: 30s)"
/var/log/crowdsec.log:time="13-01-2022 15:35:36" level=info msg="start crowdsec api pull (interval: 2h)"
/var/log/crowdsec.log:time="13-01-2022 15:35:36" level=warning msg="scenario list is empty, will not pull yet"
/var/log/crowdsec.log:time="13-01-2022 15:35:36" level=info msg="Loading grok library /etc/crowdsec/patterns"
/var/log/crowdsec.log:time="13-01-2022 15:35:36" level=error msg="auth api key error: select bouncer: ent: bouncer not found: unable to query"
/var/log/crowdsec.log:time="13-01-2022 15:35:37" level=info msg="Crowdsec v1.2.1-openwrt-openwrt"
/var/log/crowdsec.log:time="13-01-2022 15:35:37" level=info msg="Loading prometheus collectors"
/var/log/crowdsec.log:time="13-01-2022 15:35:37" level=info msg="Loading CAPI pusher"
/var/log/crowdsec.log:time="13-01-2022 15:35:37" level=info msg="start crowdsec api push (interval: 30s)"
/var/log/crowdsec.log:time="13-01-2022 15:35:37" level=info msg="start crowdsec api pull (interval: 2h)"
/var/log/crowdsec.log:time="13-01-2022 15:35:37" level=warning msg="scenario list is empty, will not pull yet"
/var/log/crowdsec.log:time="13-01-2022 15:35:37" level=info msg="Loading grok library /etc/crowdsec/patterns"
/var/log/crowdsec.log:time="13-01-2022 15:35:37" level=error msg="auth api key error: select bouncer: ent: bouncer not found: unable to query"
/var/log/crowdsec.log:time="13-01-2022 15:35:39" level=info msg="capi metrics: metrics sent successfully"
/var/log/crowdsec.log:time="13-01-2022 15:35:39" level=info msg="start crowdsec api send metrics (interval: 30m)"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loading enrich plugins"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=error msg="unable to register plugin 'GeoIpCity': open /srv/crowdsec/data/GeoLite2-City.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=error msg="unable to register plugin 'GeoIpASN': open /srv/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=error msg="unable to register plugin 'IpToRange': open /srv/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Successfully registered enricher 'reverse_dns'"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Successfully registered enricher 'ParseDate'"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loading parsers 5 stages"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="the method 'GeoIpCity' doesn't exist or the plugin has not been initialized"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="the method 'GeoIpASN' doesn't exist or the plugin has not been initialized"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="the method 'IpToRange' doesn't exist or the plugin has not been initialized"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=error msg="open /srv/crowdsec/data/GeoLite2-City.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=error msg="open /srv/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loaded 6 nodes, 3 stages"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loading postoverflow Parsers"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loaded 0 nodes, 0 stages"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Loading 2 scenario files"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Adding leaky bucket" cfg=nameless-brook file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Adding leaky bucket" cfg=green-butterfly file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Adding leaky bucket" cfg=wispy-fog file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Adding leaky bucket" cfg=fragrant-surf file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf_user-enum
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="Loaded 4 scenarios"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="No matching files for pattern /var/log/nginx/*.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="No matching files for pattern /var/log/auth.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="No matching files for pattern /var/log/syslog" type=file
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=error msg="Failed to notify(sent: false): <nil>"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=warning msg="Starting processing data"
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=info msg="Error machine login for 215b285b4abe4fc7a2b66089c460ae9dadrEYfHrDXaJB1J1 : ent: machine not found "
/var/log/crowdsec.log:time="13-01-2022 15:35:45" level=fatal msg="starting outputs error : authenticate watcher (215b285b4abe4fc7a2b66089c460ae9dadrEYfHrDXaJB1J1): Post \"http://127.0.0.1:8080/v1/watchers/login\": API error: ent: machine not found"
/var/log/crowdsec_api.log:time="13-01-2022 15:34:05" level=info msg="127.0.0.1 - [Thu, 13 Jan 2022 15:34:05 AEDT] \"GET /v1/decisions/stream?startup=true HTTP/1.1 403 1.65287ms \"crowdsec-firewall-bouncer/v0.0.18-openwrt\" \""
/var/log/crowdsec_api.log:time="13-01-2022 15:34:12" level=info msg="127.0.0.1 - [Thu, 13 Jan 2022 15:34:12 AEDT] \"POST /v1/watchers/login HTTP/1.1 401 1.9345ms \"crowdsec/v1.2.1-openwrt-openwrt\" \""
/var/log/crowdsec_api.log:time="13-01-2022 15:34:38" level=info msg="127.0.0.1 - [Thu, 13 Jan 2022 15:34:38 AEDT] \"GET /v1/decisions/stream?startup=true HTTP/1.1 403 1.598629ms \"crowdsec-firewall-bouncer/v0.0.18-openwrt\" \""
/var/log/crowdsec_api.log:time="13-01-2022 15:34:52" level=info msg="180.150.66.175 - [Thu, 13 Jan 2022 15:34:52 AEDT] \"POST /v1/watchers/login HTTP/1.1 401 1.581222ms \"crowdsec/v1.2.1-openwrt-openwrt\" \""
/var/log/crowdsec_api.log:time="13-01-2022 15:35:36" level=info msg="127.0.0.1 - [Thu, 13 Jan 2022 15:35:36 AEDT] \"GET /v1/decisions/stream?startup=true HTTP/1.1 403 1.516926ms \"crowdsec-firewall-bouncer/v0.0.18-openwrt\" \""
/var/log/crowdsec_api.log:time="13-01-2022 15:35:37" level=info msg="127.0.0.1 - [Thu, 13 Jan 2022 15:35:37 AEDT] \"GET /v1/decisions/stream?startup=true HTTP/1.1 403 1.427444ms \"crowdsec-firewall-bouncer/v0.0.18-openwrt\" \""
/var/log/crowdsec_api.log:time="13-01-2022 15:35:45" level=info msg="127.0.0.1 - [Thu, 13 Jan 2022 15:35:45 AEDT] \"POST /v1/watchers/login HTTP/1.1 401 1.536ms \"crowdsec/v1.2.1-openwrt-openwrt\" \""
           
[root@dca632 /usbstick 62°] grep . /etc/crowdsec/config.yaml 
common:
  daemonize: true
  pid_dir: /var/run/
  log_media: file
  log_level: info
  log_dir: /var/log/
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /srv/crowdsec/data
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
  notification_dir: /etc/crowdsec/notifications/
  plugin_dir: /usr/local/lib/crowdsec/plugins/
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  parser_routines: 1
cscli:
  output: human
db_config:
  log_level: info
  type: sqlite
  db_path: /srv/crowdsec/data/crowdsec.db
  #user: 
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
plugin_config:
  user: nobody # plugin process would be ran on behalf of this user
  group: nogroup # plugin process would be ran on behalf of this group
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060
[root@dca632 /usbstick 60°] grep . /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml 
mode: ${BACKEND}
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://localhost:8080/
api_key: ${API_KEY}
disable_ipv6: false
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
#blacklists_ipv4: crowdsec-blacklists
#blacklists_ipv6: crowdsec6-blacklists
#if present, insert rule in those chains
iptables_chains:
  - INPUT
  - FORWARD
#  - DOCKER-USER

[root@dca632 /usbstick 59°] ps www | grep -v grep | grep -E '(cs\-|crowd)'

would someone be able to point out what’s wrong vs what is just normal to setup for iptables ipset operation?

i’d hoped the setup bugs would be resolved by now but looks like we have to go the long way to get this running if possible?

i’d love to improve the wiki, but I think doing so before clearly identifying automated setup issues vs expected user actions would be a mistake…

3

so according to docs… I do;

  • cscli bouncer add

then add this to bouncer.yaml and change it to ipset and uncomment the set names…

[root@dca632 /usbstick 58°] grep . /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml 
mode: ipset
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://localhost:8080/
api_key: ab317b204d675486dbad50d753dfb9d3
disable_ipv6: false
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
#if present, insert rule in those chains
iptables_chains:
  - INPUT
  - FORWARD
#  - DOCKER-USER

then manually create the ipsets

ipset create crowdsec-blacklists hash:ip timeout 0 maxelem 150000
ipset create crowdsec6-blacklists hash:ip timeout 0 family inet6 maxelem 150000
iptables -I INPUT 1 -m set --match-set crowdsec-blacklists src -j DROP
ip6tables -I INPUT 1 -m set --match-set crowdsec6-blacklists src -j DROP

then I restart the service/s and get this;

time="13-01-2022 15:55:54" level=info msg="nftables initiated"
time="13-01-2022 15:55:54" level=info msg="Processing new and deleted decisions . . ."
time="13-01-2022 15:56:04" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp [::1]:8080: connect: connection refused"
time="13-01-2022 15:56:04" level=error msg="Get \"http://localhost:8080/v1/decisions/stream?startup=false\": dial tcp [::1]:8080: connect: connection refused"
[root@dca632 /usbstick 58°] ps www | grep -v grep | grep -E '(cs\-|crowd)'
13272 root      695m S    /usr/bin/cs-firewall-bouncer -c /var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

[root@dca632 /usbstick 57°] ipset -L -n | grep crowd
crowdsec-blacklists
crowdsec6-blacklists
[root@dca632 /usbstick 57°] ipset -L crowdsec-blacklists
Name: crowdsec-blacklists
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 150000 timeout 0
Size in memory: 200
References: 1
Number of entries: 0
Members:
[root@dca632 /usbstick 57°] ipset -L crowdsec6-blacklists
Name: crowdsec6-blacklists
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 150000 timeout 0
Size in memory: 208
References: 1
Number of entries: 0
Members:

[root@dca632 /usbstick 56°] (ip6tables-save -c ;iptables-save -c) | grep -i crowd
[0:0] -A INPUT -m set --match-set crowdsec6-blacklists src -j DROP
[0:0] -A INPUT -m set --match-set crowdsec-blacklists src -j DROP

note: those instructions are cobbled together from 3 different sources…

i’ve tackled some hard services in my time… asterisk, radiusd, sophos puremessage… but this one surely should not be this difficult?

[root@dca632 /usbstick 58°] find /etc/crowdsec/
/etc/crowdsec/
/etc/crowdsec/acquis.yaml
/etc/crowdsec/bouncers
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
/etc/crowdsec/collections
/etc/crowdsec/collections/linux.yaml
/etc/crowdsec/collections/sshd.yaml
/etc/crowdsec/config.yaml
/etc/crowdsec/dev.yaml
/etc/crowdsec/hub
/etc/crowdsec/hub/.index.json
/etc/crowdsec/hub/collections
/etc/crowdsec/hub/collections/crowdsecurity
/etc/crowdsec/hub/collections/crowdsecurity/linux.yaml
/etc/crowdsec/hub/collections/crowdsecurity/sshd.yaml
/etc/crowdsec/hub/parsers
/etc/crowdsec/hub/parsers/s00-raw
/etc/crowdsec/hub/parsers/s00-raw/crowdsecurity
/etc/crowdsec/hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml
/etc/crowdsec/hub/parsers/s01-parse
/etc/crowdsec/hub/parsers/s01-parse/crowdsecurity
/etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
/etc/crowdsec/hub/parsers/s02-enrich
/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity
/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml
/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml
/etc/crowdsec/hub/scenarios
/etc/crowdsec/hub/scenarios/crowdsecurity
/etc/crowdsec/hub/scenarios/crowdsecurity/ssh-bf.yaml
/etc/crowdsec/hub/scenarios/crowdsecurity/ssh-slow-bf.yaml
/etc/crowdsec/local_api_credentials.yaml
/etc/crowdsec/online_api_credentials.yaml
/etc/crowdsec/patterns
/etc/crowdsec/patterns/aws
/etc/crowdsec/patterns/bacula
/etc/crowdsec/patterns/bro
/etc/crowdsec/patterns/cowrie_honeypot
/etc/crowdsec/patterns/exim
/etc/crowdsec/patterns/firewalls
/etc/crowdsec/patterns/haproxy
/etc/crowdsec/patterns/java
/etc/crowdsec/patterns/junos
/etc/crowdsec/patterns/linux-syslog
/etc/crowdsec/patterns/mcollective
/etc/crowdsec/patterns/modsecurity
/etc/crowdsec/patterns/mongodb
/etc/crowdsec/patterns/mysql
/etc/crowdsec/patterns/nagios
/etc/crowdsec/patterns/nginx
/etc/crowdsec/patterns/paths
/etc/crowdsec/patterns/postgresql
/etc/crowdsec/patterns/rails
/etc/crowdsec/patterns/redis
/etc/crowdsec/patterns/ruby
/etc/crowdsec/patterns/smb
/etc/crowdsec/patterns/ssh
/etc/crowdsec/patterns/tcpdump
/etc/crowdsec/postoverflows
/etc/crowdsec/profiles.yaml
/etc/crowdsec/scenarios
/etc/crowdsec/scenarios/ssh-bf.yaml
/etc/crowdsec/scenarios/ssh-slow-bf.yaml
/etc/crowdsec/simulation.yaml
/etc/crowdsec/user.yaml
/etc/crowdsec/parsers
/etc/crowdsec/parsers/s00-raw
/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
/etc/crowdsec/parsers/s01-parse
/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
/etc/crowdsec/parsers/s02-enrich
/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
/etc/crowdsec/parsers/s02-enrich/whitelists.yaml

[root@dca632 /usbstick 57°] cat /etc/config/crowdsec 
config crowdsec 'crowdsec'
	option data_dir '/srv/crowdsec/data'
	option db_path '/srv/crowdsec/data/crowdsec.db'

[root@dca632 /usbstick 57°] find /srv/crowdsec/
/srv/crowdsec/
/srv/crowdsec/data
/srv/crowdsec/data/crowdsec.db

[root@dca632 /usbstick 58°] lsof -i -nP | grep -E '(8080|6060)'
[empty]

[root@dca632 /usbstick 58°] tail -n5 /var/log/crowdsec.log 
time="13-01-2022 15:55:57" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file
time="13-01-2022 15:55:57" level=error msg="Failed to notify(sent: false): <nil>"
time="13-01-2022 15:55:57" level=warning msg="Starting processing data"
time="13-01-2022 15:55:57" level=info msg="Error machine login for 215b285b4abe4fc7a2b66089c460ae9dadrEYfHrDXaJB1J1 : ent: machine not found "
time="13-01-2022 15:55:57" level=fatal msg="starting outputs error : authenticate watcher (215b285b4abe4fc7a2b66089c460ae9dadrEYfHrDXaJB1J1): Post \"http://127.0.0.1:8080/v1/watchers/login\": API error: ent: machine not found"

[root@dca632 /usbstick 58°] crowdsec -version
2022/01/13 16:22:43 version: v1.2.1-openwrt
2022/01/13 16:22:43 Codename: alphaga
2022/01/13 16:22:43 BuildDate: 1641673875
2022/01/13 16:22:43 GoVersion: 
2022/01/13 16:22:43 Constraint_parser: >= 1.0, <= 2.0
2022/01/13 16:22:43 Constraint_scenario: >= 1.0, < 3.0
2022/01/13 16:22:43 Constraint_api: v1
2022/01/13 16:22:43 Constraint_acquis: >= 1.0, < 2.0

[root@dca632 /usbstick 57°] cs-firewall-bouncer -V
version: v0.0.18-openwrt
BuildDate: 
GoVersion:
4

wow… switched over to debian took 1 minute…!

no problems there…

root@peanut:/home/vert# ipset -L crowdsec-blacklists | head -n20; ipset -L crowdsec-blacklists | wc -l
Name: crowdsec-blacklists
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 87320
References: 2
Number of entries: 1934
Members:
209.141.55.199 timeout 597467
104.244.78.160 timeout 579468
141.239.152.254 timeout 410268
104.244.74.28 timeout 597467
176.199.17.180 timeout 374269
202.21.97.46 timeout 345469
129.205.102.242 timeout 255469
60.30.98.194 timeout 565068
115.29.7.45 timeout 525468
117.111.1.116 timeout 327469
43.154.33.183 timeout 7069
218.60.2.173 timeout 334669
1942

i think i’ll just curl this to client sites > ipsets … openwrt package is way too problematic for now

5

Original topic: Crowdsec packages for OpenWrt - #102 by erdoukki - For Developers - OpenWrt Forum
issue: crowdsec-firewall-bouncer: API error: access forbidden when bouncer is not correctly registered · Issue #17804 · openwrt/packages · GitHub
PR: crowdsec-firewall-bouncer: fix API error by erdoukki · Pull Request #17805 · openwrt/packages · GitHub