Decisions not applied

teol · June 7, 2021, 8:35am

Hi,

I’ve been using crowdsec for months now but I’ve noticed that decisions don’t seem to work on my server.
I even tried to reinstall my iptables bouncer but it didn’t help.

When I test simple scenarios like ssh-bf or basicauth-bf I can see that I trigger alerts and decisions, but the attacking IP doesn’t really get banned so can keep attacking forever.

Can someone help me fix this please?

Thank you

thibault · June 8, 2021, 6:55am

Hello @teol !

Can you try to take a look at your firewall bouncer logs /var/log/cs-firewall-bouncer.log ? It should give us some hints about what is going on !

teol · June 8, 2021, 10:09am

Hi @thibault

So I just checked and found this:

time="26-05-2021 21:40:05" level=info msg="Checking existing set"
time="26-05-2021 21:40:05" level=info msg="ipset set-up : /usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6"
time="26-05-2021 21:40:06" level=info msg="Rule doesn't exist (/usr/sbin/ip6tables -C INPUT -m set --match-set crowdsec6-blacklists src -j DROP)"
time="26-05-2021 21:40:06" level=info msg="iptables set-up : /usr/sbin/ip6tables -I INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="26-05-2021 21:40:06" level=info msg="Processing new and deleted decisions . . ."
time="26-05-2021 21:40:06" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: connect: connection refused"
time="26-05-2021 21:40:06" level=fatal msg="Get http://localhost:8080/v1/decisions/stream?startup=true: dial tcp 127.0.0.1:8080: connect: connection refused"

I didn’t know there was this logfile but now it’s very interesting because I don’t know why http://localhost:8080/ wouldn’t be available, I can see the service running right now on port 8080.

I remember switching the database from SQLite to MySQL a few weeks ago, I don’t know if it could be related but I made sure to migrate all the data properly.

Any idea?

UPDATE:
So I just restarted the bouncer and now it seems to work:

time="08-06-2021 12:14:41" level=info msg="deleting '4798' decisions"
time="08-06-2021 12:14:45" level=info msg="adding '842' decisions"

It seems that the error happens when my server starts up and maybe at this time the api isn’t available yet… But then after failing it never tries to restart and try again.

thibault · June 8, 2021, 1:35pm

Hello @teol , thanks for the update !

Yes, if at bouncer startup the API isn’t available, it will fail and not retry. However, if the API fails at runtime, it will retry on a regular basis. Might surprise at first, but we didn’t want the service to be “pretending” to run while actually not being able to speak to the API.

Topic		Replies	Views
The bouncer decision would overwrite the manual decision? crowdsec	7	354	January 13, 2024
Decisions list not updated	8	1603	April 28, 2022
Alerts, rules applied but "no active decisions" crowdsec	2	1159	May 1, 2024
Decision not listed crowdsec	8	48	July 31, 2024
Servers IP Banned, cannot access decisions due to JWT error crowdsec	1	14	October 2, 2024

Decisions not applied

Related Topics