Email notification not sent

Hi,
I’m trying to configure crowdsec for the first time on Ubuntu 24.04.1 (ARM), and while there’s no error in the logs, I can’t get an email notification.

Here is what I did:

apt install crowdsec
cscli collections install crowdsecurity/sshd
curl -s https://install.crowdsec.net | sh
apt install crowdsec-firewall-bouncer-nftables

vi /etc/crowdsec/profiles.yaml

remove # and enable debug :
#notifications:
#- email_default

name: default_ip_remediation
debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
 - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break

vi /etc/crowdsec/notifications/email.yaml
paste the template from here :

Update

  • smtp host
  • smtp username
  • smtp password
  • port (without quotes, I’ve tried with and crowdsec failed to reload, so the file is parsed at least)
  • Sender name
  • sender email
  • receiver emails (one)

I’ve configured and successfully tested msmtprc and I was able to send email on my gmail address, so reaching the SMTP server is OK from this machine.

systemctl restart crowdsec
cscli decisions add --ip 1.2.3.8 --duration 4h --scope ip
INFO[21-09-2024 16:40:43] Decision successfully added

Here are the logs:

time="21-09-2024 16:40:34" level=info msg="Starting processing data"
time="21-09-2024 16:40:34" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=ssh.service]" src="journalctl-_SYSTEMD_UNIT=ssh.service" type=journalctl
time="21-09-2024 16:40:43" level=debug msg="eval(Alert.Remediation == true && Alert.GetScope() == \"Ip\") = FALSE" name=default_ip_remediation type=profile
time="21-09-2024 16:40:43" level=debug msg="eval variables:" name=default_ip_remediation type=profile
time="21-09-2024 16:40:43" level=debug msg="       Alert.Remediation = 'false'" name=default_ip_remediation type=profile
time="21-09-2024 16:40:43" level=debug msg="       Alert = '&{0x4000843160 2024-09-21T16:40:43Z [0x4000bb5590] [] 0x400084317c 0 [] 0x4000c40760 68e2cc4723434577bf195f36a2f4dee1 0x4000c40770 [] false 0x4000c40780 0x4000c40790 0x4000c407a0 0x4000843180 0x400048abd0 0x4000c407d0 0x4000c407e0}'" name=default_ip_remediation type=profile
time="21-09-2024 16:40:43" level=debug msg="Profile default_ip_remediation filter is unsuccessful" name=default_ip_remediation type=profile
time="21-09-2024 16:40:43" level=info msg="(68e2cc4723434577bf195f36a2f4dee1/cscli) manual 'ban' from '68e2cc4723434577bf195f36a2f4dee1' by ip 1.2.3.8 : 4h ban on Ip 1.2.3.8"

What does this command show?
cscli notifications list

And then
cscli notifications test <name>

cscli decisions add does not trigger notifications. You can test it by using the above commands by @verybadsoldier, OR if you want the manual decisions you can reinject the alert ID, but using the test command is the best.

~$ cscli notifications list
────────────────────────────────────────────────
 Name            Type    Profile name
────────────────────────────────────────────────
 email_default   email   default_ip_remediation
────────────────────────────────────────────────

But, there’s no “test” command for notifications

cscli notifications test email_default
To list/inspect/test notification template


Usage:

  cscli notifications [command]


Aliases:

  notifications, notifications, notification


Available Commands:

  inspect   Inspect active notifications plugin configuration
  list      List active notifications plugins
  reinject  reinject alert into notifications system


Flags:

  -h, --help   help for notifications


Global Flags:

      --color string    Output color: yes, no, auto. (default "auto")
  -c, --config string   path to crowdsec config file (default "/etc/crowdsec/config.yaml")
      --debug           Set logging to debug.
      --error           Set logging to error.
      --info            Set logging to info.
  -o, --output string   Output format: human, json, raw.
      --trace           Set logging to trace.
      --warning         Set logging to warning.


Use "cscli notifications [command] --help" for more information about a command.

I’ve installed CrowdSec from Ubuntu 24.04.1 packages with apt.

apt info crowdsec
Package: crowdsec
Version: 1.6.3
Priority: optional
Section: admin
Maintainer: Crowdsec Team <debian@crowdsec.net>
Installed-Size: 175 MB
Depends: coreutils
Suggests: cron
Download-Size: 40.6 MB
APT-Sources: https://packagecloud.io/crowdsec/crowdsec/any any/main arm64 Packages
Description: Crowdsec - An open-source, lightweight agent to detect and respond to bad behaviors. It also automatically benefits from our global community-wide IP reputation database

Do you have two cscli on your system?

which -a cscli

Indeed, but if I try with the other one (/usr/bin), I get the same result.

I’ve just installed Ubuntu, the system is brand new.

I’ve run:

apt install crowdsec
cscli collections install crowdsecurity/sshd
curl -s https://install.crowdsec.net | sh
apt install crowdsec-firewall-bouncer-nftables

I did run the curl one otherwise the apt install crowdsec-firewall-bouncer-nftables would not work. Maybe this messed up things ?
Should I avoid the distro package completely ?

tom@home:~$ which -a cscli
/usr/bin/cscli
/bin/cscli
tom@home:~$ which  cscli
/usr/bin/cscli
tom@home:~$
tom@home:~$ /bin/cscli notifications test email_default
To list/inspect/test notification template


Usage:

  cscli notifications [command]


Aliases:

  notifications, notifications, notification


Available Commands:

  inspect   Inspect active notifications plugin configuration
  list      List active notifications plugins
  reinject  reinject alert into notifications system


Flags:

  -h, --help   help for notifications


Global Flags:

      --color string    Output color: yes, no, auto. (default "auto")
  -c, --config string   path to crowdsec config file (default "/etc/crowdsec/config.yaml")
      --debug           Set logging to debug.
      --error           Set logging to error.
      --info            Set logging to info.
  -o, --output string   Output format: human, json, raw.
      --trace           Set logging to trace.
      --warning         Set logging to warning.


Use "cscli notifications [command] --help" for more information about a command.

That’s my docker container:

version: v1.6.3-4851945a
Codename: alphaga
BuildDate: 2024-09-12_09:37:12
GoVersion: 1.22.6
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.3-4851945a-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
75f0aee23bcb:/# cscli notifications -h
To list/inspect/test notification template

Usage:
  cscli notifications [command]

Aliases:
  notifications, notifications, notification

Available Commands:
  inspect   Inspect notifications plugin
  list      list notifications plugins
  reinject  reinject an alert into profiles to trigger notifications
  test      send a generic test alert to notification plugin

Flags:
  -h, --help   help for notifications

Global Flags:
      --color string    Output color: yes, no, auto (default "auto")
  -c, --config string   path to crowdsec config file (default "/etc/crowdsec/config.yaml")
      --debug           Set logging to debug
      --error           Set logging to error
      --info            Set logging to info
  -o, --output string   Output format: human, json, raw
      --trace           Set logging to trace
      --warning         Set logging to warning

The distro package is on version 1.4.6, so it is very outdated; you should install the package from our repository. I believe the apt info crowdsec output you are showing is not the installed version; apt list --installed | grep crowdsec might show you the older version that is.

Indeed, the start of /var/logs/crowdsec.log shows :

time="21-09-2024 12:45:56" level=info msg="Crowdsec v1.4.6-6ubuntu0.24.04.1-linux-debian"

apt info crowdsec
Package: crowdsec
Version: 1.6.3
Priority: optional
Section: admin
Maintainer: Crowdsec Team <debian@crowdsec.net>

Running this command shows it’s 1.4.6, but upgradable to 1.6.3.

apt list --installed | grep crowdsec

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

crowdsec-firewall-bouncer-nftables/any,now 0.0.30 arm64 [installed]
crowdsec/noble-updates,noble-security,now 1.4.6-6ubuntu0.24.04.1 arm64 [installed,upgradable to: 1.6.3]

Since I’ve run curl -s https://install.crowdsec.net | sh to get apt install crowdsec-firewall-bouncer-nftables to work, I also can get the 1.6.3 version of the package.

Upgrading crowdsec, I can see that it fetches the package from
Get:7 https://packagecloud.io/crowdsec/crowdsec/any any/main arm64 crowdsec arm64 1.6.3 [40.6 MB]

I’ll reapply my configuration, and let you know if it works :slight_smile:

Thanks for spotting this !
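
Added example (not part of the original posts, and not CrowdSec's own code): the check that resolved this thread, separating the installed version from the candidate that `apt info` reports. The function name `check_pkg_version` is hypothetical, and the sample input is the `apt list --installed` output quoted above, embedded so the script runs offline.

```shell
#!/usr/bin/env bash
# Sample input: the two `apt list --installed` lines quoted in the thread.
SAMPLE_APT_LIST='crowdsec-firewall-bouncer-nftables/any,now 0.0.30 arm64 [installed]
crowdsec/noble-updates,noble-security,now 1.4.6-6ubuntu0.24.04.1 arm64 [installed,upgradable to: 1.6.3]'

# check_pkg_version PKG   (hypothetical helper, not a CrowdSec or apt command)
# Reads `apt list --installed` text on stdin and prints one line:
#   "<pkg> installed=<ver> source=<suites> candidate=<ver|none>"
# Exit status: 0 = installed and current
#              1 = installed, but a newer candidate exists (the version
#                  that `apt info` shows, which is NOT what is running)
#              2 = package not present in the input
check_pkg_version() {
    awk -v pkg="$1" '
        {
            # Field 1 looks like "name/suite1,suite2,now".
            slash = index($1, "/")
            if (slash == 0 || substr($1, 1, slash - 1) != pkg) next
            suites = substr($1, slash + 1)
            sub(/,?now$/, "", suites)
            candidate = "none"
            # The bracketed status may carry "upgradable to: <version>";
            # the prefix "upgradable to: " is 15 characters long.
            if (match($0, /upgradable to: [0-9A-Za-z.+:~-]+/))
                candidate = substr($0, RSTART + 15, RLENGTH - 15)
            printf "%s installed=%s source=%s candidate=%s\n", pkg, $2, suites, candidate
            found = 1
            rc = (candidate == "none") ? 0 : 1
            exit
        }
        END { if (!found) exit 2; exit rc }
    '
}

# Demo on the embedded sample; on a live host use instead:
#   apt list --installed 2>/dev/null | check_pkg_version crowdsec
printf '%s\n' "$SAMPLE_APT_LIST" | check_pkg_version crowdsec || true
```

A `source=` of `noble-updates,noble-security` means the running binary came from the Ubuntu archive, while `any` is the packagecloud repository that the install script adds.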

Just note that deploying our version over the Debian package comes with conflicts, as the Debian package is designed to use /usr/share for data items, which is not where the main package uses them.

To convert the data items to the correct places, I created this helper script

Thanks, the notifications now work.

I’ve run your script, and I got a single FATAL in the middle of the script execution:

INFO Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
FATA requires at least 1 arg(s), only received 0

Ahh, good point, most likely one of the parameters is an empty file, so that would happen.

I can update the script to precheck if there are any items before attempting to load them again :+1:

However, this shouldn't cause an error within CrowdSec, only in my script.

EDIT: it seems recent changes to the hub have broken the script; my recommendation is to do

apt purge crowdsec -y
rm -rf /etc/crowdsec/
rm -rf /var/lib/crowdsec/

then install latest and it will reconfigure itself.

So remove, reinstall, update the configuration and then I don’t need to run your script ?

Exactly, here is an issue: [hub] introduce cscli hub fix command · Issue #3264 · crowdsecurity/crowdsec · GitHub

Thanks a lot for your help :slight_smile: