Hello,
I have set up crowdsec 1.6.2 as a multiserver setup on Debian servers and installed the crowdsecurity/linux collection (which includes sshd) and the iptables firewall bouncer. When I try to ssh into a nonexistent user on a client server often enough, I get banned. However, this ban does not show up in the output of cscli decisions list, regardless of whether I run it on the client server or the lapi server. I also tried using the --all flag or cscli alerts list, but it showed up in none of these. I always get No active decisions.
Am I doing something wrong? Is there another way to show active bans?
Thank you in advance
Tammes
Edit: I temporarily removed this post because I had been banned by fail2ban, not crowdsec. However, I have now uninstalled fail2ban and I am able to get myself banned by crowdsec on the lapi server. Still no decisions or alerts show up, but my IP does in the crowdsec-blacklists ip set. Weirdly, this does not work on the client server. I am not banned together with the lapi server ban and if I do a bunch of invalid login tries, I don’t get banned either. cscli lapi status reports that everything is fine though. I am confused…
Yes, I did. And I also just looked into my database and in the ‘decisions’ table, there are over 3000 bans for my IP with ‘until’ in the future. But cscli decisions list shows nothing.
One server not banning was caused by not restarting the bouncer, though. So the only problem that is left now is that the decisions are not being listed.