Decision not listed

Hello,
I have set up crowdsec 1.6.2 as a multiserver setup on Debian servers and installed the crowdsecurity/linux collection (which includes sshd) and the iptables firewall bouncer. When I try to ssh into a nonexistent user on a client server often enough, I get banned. However, this ban does not show up in the output of cscli decisions list, regardless of whether I run it on the client server or the lapi server. I also tried using the --all flag or cscli alerts list, but it showed up in none of these. I always get No active decisions.

Am I doing something wrong? Is there another way to show active bans?

Thank you in advance
Tammes

Edit: I temporarily removed this post because I had been banned by fail2ban, not crowdsec. However, I have now uninstalled fail2ban and am able to get myself banned by crowdsec on the lapi server. Still no decisions or alerts show up, but my IP does in the crowdsec-blacklists ip set. Weirdly, this does not work on the client server. I am not banned together with the lapi server ban, and if I do a bunch of invalid login tries, I don’t get banned either. cscli lapi status reports that everything is fine though. I am confused…

The failed logins on the client server do show up in its metrics:

Scenario Metrics:
╭─────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│               Scenario              │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├─────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/ssh-bf                │ 6             │ 30        │ 36           │ 188    │ -       │
│ crowdsecurity/ssh-bf_user-enum      │ 1             │ -         │ 1            │ 1      │ -       │
│ crowdsecurity/ssh-slow-bf           │ 4             │ 16        │ 20           │ 188    │ -       │
│ crowdsecurity/ssh-slow-bf_user-enum │ 1             │ -         │ 1            │ 1      │ -       │

So since updating CrowdSec to point towards another LAPI, did you restart the service?

Yes I did. And I also just looked into my database and in the ‘decisions’ table, there are over 3000 bans for my IP with ‘until’ in the future. But cscli decisions list shows nothing.

One server not banning was caused by not restarting the bouncer though. So the only problem that is left now is that the decisions are not being listed.

This only shows local decisions by default; to show the “rest” you need to pass the -a flag.

That also shows nothing

And cscli lapi status shows the correct URL running it from the machine?

Yes it does, on both machines. The URL looks like https://crowdsec-lapi.my.tld:8080/

I don’t know what changed, but this is fixed now

Soooo,

after all this time, I have a similar problem again, but slightly different. I am now running crowdsec 1.7.6 in a customized multiserver setup where crowdsec runs on Debian Bookworm as a Systemd DynamicUser and the Lapi talks to an external MariaDB-Cluster. This is combined with the nftables-firewall-bouncer. I didn’t really test if decisions worked correctly in the meantime, so they might have been this way since 2024.

If I now trigger Scenarios by failing ssh-logins, the respective IP does show up in cscli decisions list (-a) and in the nft set crowdsec-blacklists-crowdsec. However, if I then get another IP banned as well, only that one shows up in cscli decisions list (-a) and the first one disappears, but stays in the nft set (both on the lapi-server and other clients). I took a look into the decisions table of the database and noticed that for each Scenario, a db entry gets created every second with the one IP that was banned last. Is this the intended behaviour? Shouldn’t cscli decisions list list all currently active decisions?

More Details: cscli decisions list still shows nothing. But if I cscli decisions delete -i <banned IP>, many decisions (accumulating, approximately one per second per scenario) get deleted, but nftables still bans the IP. And if I delete the decision a few seconds later, there are new decisions that get deleted without effect again.