Decisions not applied


I’ve been using CrowdSec for months now but I’ve noticed that decisions don’t seem to work on my server.
I even tried to reinstall my iptables bouncer but it didn’t help.

When I test simple scenarios like ssh-bf or basicauth-bf I can see that I trigger alerts and decisions, but the attacking IP doesn’t really get banned, so it can keep attacking forever.

Can someone help me fix this please?

Thank you

Hello @teol!

Can you try to take a look at your firewall bouncer logs (/var/log/cs-firewall-bouncer.log)? It should give us some hints about what is going on!

Hi @thibault 🙂

So I just checked and found this:

time="26-05-2021 21:40:05" level=info msg="Checking existing set"
time="26-05-2021 21:40:05" level=info msg="ipset set-up : /usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6"
time="26-05-2021 21:40:06" level=info msg="Rule doesn't exist (/usr/sbin/ip6tables -C INPUT -m set --match-set crowdsec6-blacklists src -j DROP)"
time="26-05-2021 21:40:06" level=info msg="iptables set-up : /usr/sbin/ip6tables -I INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="26-05-2021 21:40:06" level=info msg="Processing new and deleted decisions . . ."
time="26-05-2021 21:40:06" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp connect: connection refused"
time="26-05-2021 21:40:06" level=fatal msg="Get http://localhost:8080/v1/decisions/stream?startup=true: dial tcp connect: connection refused"

I didn’t know there was this logfile but now it’s very interesting because I don’t know why http://localhost:8080/ wouldn’t be available, I can see the service running right now on port 8080.

I remember switching the database from SQLite to MySQL a few weeks ago. I don’t know if it could be related, but I made sure to migrate all the data properly.

Any idea?

So I just restarted the bouncer and now it seems to work:

time="08-06-2021 12:14:41" level=info msg="deleting '4798' decisions"
time="08-06-2021 12:14:45" level=info msg="adding '842' decisions"

It seems that the error happens when my server starts up and maybe at this time the API isn’t available yet… But then after failing it never tries to restart and try again.

Hello @teol, thanks for the update!

Yes, if the API isn’t available at bouncer startup, it will fail and not retry. However, if the API fails at runtime, it will retry on a regular basis. It might be surprising at first, but we didn’t want the service to be “pretending” to run while actually not being able to speak to the API.
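
The failure discussed in this thread (a fatal exit at startup with no retry) leaves the firewall rules empty while alerts and decisions keep being created. As an added example, not CrowdSec's own code and not from the posters, the script below flags a bouncer whose newest log entry is `level=fatal` and waits for the API at `http://localhost:8080/` to answer before a restart; the function names and the retry values (30 tries, 2 seconds) are assumptions.

```sh
#!/bin/sh
# Added example (not CrowdSec code). POSIX sh; needs grep, tail and curl.

# bouncer_state LOGFILE -> "dead" if the newest entry is level=fatal (the
# process exited and has logged nothing since), "alive" if anything newer
# follows, "unknown" if the log has no entries.
bouncer_state() {
    _last=$(grep 'level=' "$1" | tail -n 1)
    case "$_last" in
        "")            echo unknown ;;
        *level=fatal*) echo dead ;;
        *)             echo alive ;;
    esac
}

# Any HTTP answer, even 401/403, proves the listener is up; curl exits
# non-zero here only when it gets no HTTP response (e.g. connection refused).
lapi_probe() {
    curl --silent --output /dev/null --max-time 2 "$1"
}

# wait_for_lapi URL TRIES DELAY -> 0 once the API answers, 1 if it never does.
wait_for_lapi() {
    _n=0
    while [ "$_n" -lt "$2" ]; do
        lapi_probe "$1" && return 0
        _n=$((_n + 1))
        sleep "$3"
    done
    return 1
}

# Constructed sample: the two decisive lines of the startup log quoted above.
sample_log() {
    cat <<'EOF'
time="26-05-2021 21:40:06" level=info msg="Processing new and deleted decisions . . ."
time="26-05-2021 21:40:06" level=fatal msg="Get http://localhost:8080/v1/decisions/stream?startup=true: dial tcp connect: connection refused"
EOF
}

# Stand-alone use: sh check.sh /var/log/cs-firewall-bouncer.log
if [ -n "${1:-}" ]; then
    state=$(bouncer_state "$1")
    echo "bouncer: $state"
    if [ "$state" = dead ] && wait_for_lapi "http://localhost:8080/" 30 2; then
        echo "LAPI is answering: restart the bouncer service now"
    fi
fi
```

Run from cron or a monitoring check, a `dead` result is the signal that decisions are no longer reaching the firewall even though the CrowdSec service itself is up.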