CrowdSec just does not log my failed attempts

Hi
My first day with CrowdSec and I'm starting badly.
I'm running Ubuntu 20.04 LTS.
I have installed it as the basic install on the website.

But it does not block or detect anything.

I'm running on my local network.

SSH failed attempts are in /var/log/auth.log,
but nothing is in /var/log/crowdsec.log.

The service is running but I have WARNINGS:

Dec 09 19:40:48 systemd[1]: Starting Crowdsec agent…
Dec 09 19:40:48 crowdsec[59171]: time="2022-12-09T19:40:48Z" level=warning msg="You are using sqlite without WAL, this can have an impact of performance. If you do not store the>
Dec 09 19:40:48 crowdsec[59171]: time="2022-12-09T19:40:48Z" level=warning msg="Deprecation warning: the pid_dir config can be safely removed and is not required"
Dec 09 19:40:50 crowdsec[59221]: time="2022-12-09T19:40:50Z" level=warning msg="You are using sqlite without WAL, this can have an impact of performance. If you do not store the>
Dec 09 19:40:50 j crowdsec[59221]: time="2022-12-09T19:40:50Z" level=warning msg="Deprecation warning: the pid_dir config can be safely removed and is not required"
Dec 09 19:40:51 systemd[1]: Started Crowdsec agent.

bing
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=red-sun file=/etc/crowdsec/scenarios/http-sqli-probing.yaml name=crowdsecurity/http-sqli-probbing-detection
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=late-resonance file=/etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml name=crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=silent-sound file=/etc/crowdsec/scenarios/http-backdoors-attempts.yaml name=crowdsecurity/http-backdoors-attempts
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=damp-shape file=/etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml name=crowdsecurity/f5-big-ip-cve-2020-5902
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=proud-fire file=/etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml name=crowdsecurity/grafana-cve-2021-43798
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=blue-snowflake file=/etc/crowdsec/scenarios/CVE-2022-26134.yaml name=crowdsecurity/CVE-2022-26134
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=spring-dew file=/etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml name=crowdsecurity/apache_log4j2_cve-2021-44228
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=spring-flower file=/etc/crowdsec/scenarios/http-cve-2021-41773.yaml name=crowdsecurity/http-cve-2021-41773
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=spring-sound file=/etc/crowdsec/scenarios/http-cve-2021-42013.yaml name=crowdsecurity/http-cve-2021-42013
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=fragrant-sun file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=crowdsecurity/http-generic-bf
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=dry-dream file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=LePresidente/http-generic-401-bf
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=damp-dew file=/etc/crowdsec/scenarios/CVE-2022-41082.yaml name=crowdsecurity/CVE-2022-41082
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=misty-flower file=/etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml name=crowdsecurity/fortinet-cve-2018-13379
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=silent-star file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=red-smoke file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf_user-enum
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=autumn-fog file=/etc/crowdsec/scenarios/http-w00tw00t.yaml name=ltsich/http-w00tw00t
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=lingering-surf file=/etc/crowdsec/scenarios/CVE-2022-37042.yaml name=crowdsecurity/CVE-2022-37042
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=long-darkness file=/etc/crowdsec/scenarios/vmware-cve-2022-22954.yaml name=crowdsecurity/vmware-cve-2022-22954
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=nameless-paper file=/etc/crowdsec/scenarios/http-probing.yaml name=crowdsecurity/http-probing
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=bold-fog file=/etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml name=crowdsecurity/thinkphp-cve-2018-20062
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=young-butterfly file=/etc/crowdsec/scenarios/http-xss-probing.yaml name=crowdsecurity/http-xss-probbing
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=billowing-voice file=/etc/crowdsec/scenarios/jira_cve-2021-26086.yaml name=crowdsecurity/jira_cve-2021-26086
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=withered-dew file=/etc/crowdsec/scenarios/mysql-bf.yaml name=crowdsecurity/mysql-bf
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=patient-pond file=/etc/crowdsec/scenarios/spring4shell_cve-2022-22965.yaml name=crowdsecurity/spring4shell_cve-2022-22965
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=frosty-silence file=/etc/crowdsec/scenarios/http-bad-user-agent.yaml name=crowdsecurity/http-bad-user-agent
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=lingering-field file=/etc/crowdsec/scenarios/http-open-proxy.yaml name=crowdsecurity/http-open-proxy
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=nameless-sky file=/etc/crowdsec/scenarios/CVE-2022-35914.yaml name=crowdsecurity/CVE-2022-35914
time="09-12-2022 19:40:51" level=info msg="Adding leaky bucket" cfg=shy-resonance file=/etc/crowdsec/scenarios/http-crawl-non_statics.yaml name=crowdsecurity/http-crawl-non_statics
time="09-12-2022 19:40:51" level=info msg="Adding trigger bucket" cfg=dry-tree file=/etc/crowdsec/scenarios/CVE-2022-40684.yaml name=crowdsecurity/fortinet-cve-2022-40684
time="09-12-2022 19:40:51" level=warning msg="Loaded 35 scenarios"
time="09-12-2022 19:40:51" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
time="09-12-2022 19:40:51" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="09-12-2022 19:40:51" level=info msg="Adding file /var/log/mysql/error.log to datasources" type=file
time="09-12-2022 19:40:51" level=info msg="Adding file /var/log/syslog to datasources" type=file
time="09-12-2022 19:40:51" level=info msg="Adding file /var/log/kern.log to datasources" type=file
time="09-12-2022 19:40:51" level=info msg="Starting processing data"
time="09-12-2022 19:40:51" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=apache2.service]" src="journalctl-_SYSTEMD_UNIT=apache2.service" type=journalctl
time="09-12-2022 19:58:11" level=info msg="capi metrics: metrics sent successfully"
time="09-12-2022 20:28:11" level=info msg="capi metrics: metrics sent successfully"

I have fixed the SQLite WARNINGS (in this post).

But I still do not have any failure logs in /var/log/crowdsec.log.

time="09-12-2022 20:48:24" level=info msg="Adding trigger bucket" cfg=frosty-snowflake file=/etc/crowdsec/scenarios/http-cve-2021-42013.yaml name=crowdsecurity/http-cve-2021-42013
time="09-12-2022 20:48:24" level=info msg="Adding leaky bucket" cfg=wispy-night file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=crowdsecurity/http-generic-bf
time="09-12-2022 20:48:24" level=info msg="Adding leaky bucket" cfg=black-firefly file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=LePresidente/http-generic-401-bf
time="09-12-2022 20:48:24" level=info msg="Adding trigger bucket" cfg=lingering-smoke file=/etc/crowdsec/scenarios/CVE-2022-42889.yaml name=crowdsecurity/CVE-2022-42889
time="09-12-2022 20:48:24" level=info msg="Adding trigger bucket" cfg=dry-water file=/etc/crowdsec/scenarios/CVE-2022-26134.yaml name=crowdsecurity/CVE-2022-26134
time="09-12-2022 20:48:24" level=info msg="Adding trigger bucket" cfg=small-brook file=/etc/crowdsec/scenarios/http-w00tw00t.yaml name=ltsich/http-w00tw00t
time="09-12-2022 20:48:24" level=info msg="Adding trigger bucket" cfg=nameless-water file=/etc/crowdsec/scenarios/CVE-2022-40684.yaml name=crowdsecurity/fortinet-cve-2022-40684
time="09-12-2022 20:48:24" level=info msg="Adding leaky bucket" cfg=lively-frog file=/etc/crowdsec/scenarios/http-crawl-non_statics.yaml name=crowdsecurity/http-crawl-non_statics
time="09-12-2022 20:48:24" level=info msg="Adding trigger bucket" cfg=snowy-pond file=/etc/crowdsec/scenarios/http-open-proxy.yaml name=crowdsecurity/http-open-proxy
time="09-12-2022 20:48:24" level=warning msg="Loaded 35 scenarios"
time="09-12-2022 20:48:24" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
time="09-12-2022 20:48:24" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="09-12-2022 20:48:24" level=info msg="Adding file /var/log/mysql/error.log to datasources" type=file
time="09-12-2022 20:48:24" level=info msg="Adding file /var/log/syslog to datasources" type=file
time="09-12-2022 20:48:24" level=info msg="Adding file /var/log/kern.log to datasources" type=file
time="09-12-2022 20:48:24" level=info msg="Starting processing data"
time="09-12-2022 20:48:24" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=apache2.service]" src="journalctl-_SYSTEMD_UNIT=apache2.service" type=journalctl

Here is /var/log/auth.log:

Connection closed by authenticating user test 10.0.5.30 port 61027 [preauth]
Dec 9 20:50:08 localhost sshd[60108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.30 user=test
Dec 9 20:50:10 localhost sshd[60108]: Failed password for test from 10.0.5.30 port 61028 ssh2
Dec 9 20:50:19 localhost sshd[60108]: message repeated 2 times: [ Failed password for test from 10.0.5.30 port 61028 ssh2]
Dec 9 20:50:20 localhost sshd[60108]: Connection closed by authenticating user test 10.0.5.30 port 61028 [preauth]
Dec 9 20:50:20 localhost sshd[60108]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.30 user=test

I found it is ignoring local network IPs.
Maybe it is configured in some whitelist.

I tried with a public IP and it logs the events, BUT THE FIREWALL DOES NOT BLOCK.

ID │ value │ reason │ country │ as │ decisions │ created_at │
├────┼────────────────────┼───────────────────────────┼─────────┼─────────────────────────────────────────────────┼───────────┼─────────────────────────────────────────┤
│ 19 │ Ip:187.251.XXX.XXX │ crowdsecurity/ssh-bf │ PT │ SERVER COMUNICATIONS │ ban:1 │ 2022-12-10 15:01:23.225230862 +0000 UTC │
│ 17 │ Ip:187.251.XXX.XXX │ crowdsecurity/ssh-slow-bf │ PT │ SERVER COMUNICATIONS │ ban:1 │ 2022-12-10 14:58:17.919907487 +0000 UTC │
│ 16 │ Ip:187.251.XXX.XXX │ crowdsecurity/ssh-bf │ PT │ SERVER COMUNICATIONS │ ban:1 │ 2022-12-10 14:58:17.91969405 +0000 UTC │
│ 14 │ Ip:187.251.XXX.XXX │ crowdsecurity/ssh-slow-bf │ PT │ SERVER COMUNICATIONS │ ban:1 │ 2022-12-10 12:22:05.205924747 +0000 UTC │
│ 13 │ Ip:187.251.XXX.XXX │ crowdsecurity/ssh-bf │ PT │ SERVER COMUNICATIONS │ ban:1 │ 2022-12-10 12:21:43.647429458 +0000 UTC │
│ 12 │ Ip:187.251.XXX.XXX │ crowdsecurity/ssh-slow-bf │ PT │ SERVER COMUNICATIONS │ ban:1 │ 2022-12-10 12:18:05.501869155 +0000 UTC │
│ 11 │ Ip:187.251.XXX.XXX │ crowdsecurity/ssh-bf │ PT │ SERVER COMUNICATIONS │ ban:1 │ 2022-12-10 12:19:53.813939841 +0000 UTC │
│ 10 │ Ip:187.251.XXX.XXX │ crowdsecurity/ssh-slow-bf │ PT │ SERVER COMUNICATIONS │ ban:1 │ 2022-12-10 12:17:02.053858489 +0000 UTC │
│ 9 │ Ip:187.251.XXX.XXX │ crowdsecurity/ssh-bf │ PT │ SERVER COMUNICATIONS │ ban:1 │ 2022-12-10 12:17:02.053481961 +0000 UTC │
╰────┴────────────────────┴───────────────────────────┴─────────┴─────────────────────────────────────────────────┴───────────┴─────────────────────────────────────────╯
root@j:~# cscli bouncers list
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Name IP Address Valid Last API pull Type Version Auth Type
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
FirewallBouncer-1670627190 127.0.0.1 ✓ 2022-12-10T15:02:54Z crowdsec-firewall-bouncer v0.0.24-debian-pragmatic-8e00af2c9e83af22deab8c0c49a4ad9b8fc57a3f api-key
wordpress-bouncer 127.0.0.1 ✓ 2022-12-10T15:02:52Z WordPress CrowdSec Bouncer v1.10.0 api-key

I had a look at

# iptables -L

and I did not find any entry.

I have found it does not log local IP addresses, like 1.0.5.1/16.
Maybe it has some whitelist.

But with a public IP it logs and bans, but the ban is not working.
Nothing happens in iptables and I can still try logins.


Hi,
What's in the Firewall Bouncer log?
Is it started (systemctl status crowdsec-firewall-bouncer)?

Hi
Yes, it is started.
I fixed it to block SSH by cleaning all entries.
First I ran

cscli decisions list --all

I saw lots of entries.
I decided to clean all:

cscli decisions delete --all

After this it started blocking,

but it is strange that I can't see any DROP in iptables when running

iptables -L

And it only blocks non-local network IPs. I did not make any whitelist. Maybe it is the default config for not blocking myself?

By default CrowdSec comes with a private IP whitelist, because normally attackers are outside your network. You can either alter /etc/crowdsec/parsers/s02-enrich/whitelists.yaml or run cscli parsers remove crowdsecurity/whitelists. For the bouncer, what it does is manage an ipset and insert a line in the INPUT chain stating drop if within the ipset, so you won't see hundreds of entries, just the one at the top of INPUT. If you need to add other chains you can add them to the config file.
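The two points in this reply, as an added example that is not CrowdSec's own code nor anything posted in the thread: the private-range whitelist explains why the 10.0.5.30 failures above never produced an alert, and the bouncer's single ipset rule explains why `iptables -L` shows no per-address DROP lines. The whitelist ranges are a constructed copy of what the hub parser `crowdsecurity/whitelists` ships (an assumption; compare with the file on your host), the set name `crowdsec-blacklists` is assumed to be the firewall bouncer's default IPv4 set, and the auth.log lines and `iptables -S` output are constructed samples modelled on the ones in the thread.

```python
"""Why a private-source sshd failure never reaches /var/log/crowdsec.log.

Added example, not CrowdSec's own code. It models the ip/cidr lists of the hub
whitelist parser crowdsecurity/whitelists (/etc/crowdsec/parsers/s02-enrich/
whitelists.yaml) as constructed Python lists and applies them to constructed
auth.log lines, then shows how the firewall bouncer's single ipset rule looks
in `iptables -S` output. Everything below is constructed sample data.
"""
import ipaddress
import re

# Constructed copy of the default whitelist ranges (assumption: same as the hub
# version at the time of the thread; compare against the file on your host).
WHITELIST_IPS = ["127.0.0.1", "::1"]
WHITELIST_CIDRS = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]

# Constructed auth.log excerpt in the same shape as the one posted in the thread;
# 203.0.113.7 is a documentation-range address standing in for a public source.
SAMPLE_AUTH_LOG = """\
Dec  9 20:50:08 localhost sshd[60108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.30 user=test
Dec  9 20:50:10 localhost sshd[60108]: Failed password for test from 10.0.5.30 port 61028 ssh2
Dec  9 20:50:19 localhost sshd[60108]: message repeated 2 times: [ Failed password for test from 10.0.5.30 port 61028 ssh2]
Dec  9 20:50:20 localhost sshd[60108]: Connection closed by authenticating user test 10.0.5.30 port 61028 [preauth]
Dec  9 20:51:02 localhost sshd[60120]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
"""

# Constructed `iptables -S INPUT` output after the firewall bouncer started.
# Assumption: the bouncer's default IPv4 set name, crowdsec-blacklists.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -i lo -j ACCEPT
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
REPEAT_RE = re.compile(r"message repeated (\d+) times")
SET_RULE_RE = re.compile(r"^-A (\S+) -m set --match-set (\S+) src -j (\S+)")


def is_whitelisted(ip_str, ips=WHITELIST_IPS, cidrs=WHITELIST_CIDRS):
    """True if the whitelist parser would drop events from this source."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip == ipaddress.ip_address(w) for w in ips):
        return True
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def classify_auth_log(lines):
    """Count sshd password failures per source and flag whitelisted sources.

    Returns {ip: {"user": str, "failures": int, "whitelisted": bool}}. The
    syslog "message repeated N times" form is expanded so the count matches
    what the ssh-bf scenario would actually see.
    """
    summary = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        rep = REPEAT_RE.search(line)
        count = int(rep.group(1)) if rep else 1
        entry = summary.setdefault(
            ip, {"user": user, "failures": 0, "whitelisted": is_whitelisted(ip)}
        )
        entry["failures"] += count
    return summary


def find_bouncer_rules(iptables_s_output):
    """Return [(chain, set_name, target)] for ipset-match rules.

    Banned addresses live inside the set (see `ipset list <set_name>`), not as
    one DROP line per IP, which is why `iptables -L` shows no per-address entry.
    """
    rules = []
    for line in iptables_s_output.splitlines():
        m = SET_RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    return rules


if __name__ == "__main__":
    for ip, info in classify_auth_log(SAMPLE_AUTH_LOG.splitlines()).items():
        verdict = "dropped by whitelist" if info["whitelisted"] else "reaches scenarios"
        print(f"{ip}: {info['failures']} failures for {info['user']!r}: {verdict}")
    for chain, set_name, target in find_bouncer_rules(SAMPLE_IPTABLES_S):
        print(f"bouncer rule: chain {chain} -> {target} for members of ipset {set_name}")
```

Running it shows the three failures from 10.0.5.30 being discarded by the whitelist while the single failure from the public address goes on to the scenarios, and one INPUT rule pointing at the set; on a real host the equivalent checks are `cscli decisions list` for what the agent decided and `ipset list crowdsec-blacklists` for what the bouncer actually enforces.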

Thank you for explanation!