I am missing "log statement to the firewall"

Hello again (unfortunately :slight_smile:)

As explained in the bouncers doc:
`deny_log` - set this to true to add a log statement to the firewall rule

Unfortunately, it seems to be broken, because I don't get any statement in journalctl except:

 crowdsec-firewall-bouncer[76998]: time="2022-03-25T02:46:45+01:00" level=info msg="crowdsec-firewall-bouncer v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866"
Mar 25 02:46:45 n2 crowdsec-firewall-bouncer[76998]: time="2022-03-25T02:46:45+01:00" level=info msg="config is valid"
Mar 25 02:46:45 n2 crowdsec-firewall-bouncer[77004]: time="2022-03-25T02:46:45+01:00" level=info msg="crowdsec-firewall-bouncer v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866"

I believe I am supposed to get something like this:

 kernel: crowdsec drop: IN=enp5s0f1 OUT= MAC=00:1b:21:bc:e0:a1:34:27:92:60:e0:ca:08:00 SRC=XXX.XXX.XXX.XXX DST=192.168.1.137 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=18178 DF PROTO=TCP SPT=42544 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

Could this be a bug on my side? Or maybe a missing log option in the nftables tables?

Thanks again.

  • System info and useful information
My server runs Linux-Debian11.2 5.10.0-12-amd64 #1 SMP  5.10.103-1 (2022-03-07) x86_64 GNU/Linux
Apache/2.4.54
PHP 8.0.17
using UFW over nftables


 cscli metrics
INFO[25-03-2022 03:11:10 AM] Buckets Metrics:
+--------------------------------------+---------------+-----------+--------------+--------+---------+
|                BUCKET                | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-crawl-non_statics | -             | -         |            1 |      1 |       1 |
| crowdsecurity/http-probing           | -             | -         |            1 |      1 |       1 |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[25-03-2022 03:11:10 AM] Acquisition Metrics:
+----------------------------------+------------+--------------+----------------+------------------------+
|              SOURCE              | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+----------------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/apache2/access.log |       1937 |         1745 |            192 |                      2 |
| file:/var/log/auth.log           |         35 | -            |             35 | -                      |
| file:/var/log/syslog             |         33 | -            |             33 | -                      |
+----------------------------------+------------+--------------+----------------+------------------------+
INFO[25-03-2022 03:11:10 AM] Parser Metrics:
+----------------------------------+------+--------+----------+
|             PARSERS              | HITS | PARSED | UNPARSED |
+----------------------------------+------+--------+----------+
| child-crowdsecurity/apache2-logs | 2129 |   1745 |      384 |
| child-crowdsecurity/http-logs    | 5235 |   5228 |        7 |
| child-crowdsecurity/sshd-logs    |   99 | -      |       99 |
| child-crowdsecurity/syslog-logs  |   68 |     68 | -        |
| crowdsecurity/apache2-logs       | 1937 |   1745 |      192 |
| crowdsecurity/dateparse-enrich   | 1745 |   1745 | -        |
| crowdsecurity/geoip-enrich       | 1745 |   1745 | -        |
| crowdsecurity/http-logs          | 1745 |   1743 |        2 |
| crowdsecurity/non-syslog         | 1937 |   1937 | -        |
| crowdsecurity/sshd-logs          |   11 | -      |       11 |
| crowdsecurity/syslog-logs        |   68 |     68 | -        |
| crowdsecurity/whitelists         | 1745 |   1745 | -        |
+----------------------------------+------+--------+----------+
INFO[25-03-2022 03:11:10 AM] Local Api Metrics:
+----------------------+--------+------+
|        ROUTE         | METHOD | HITS |
+----------------------+--------+------+
| /v1/decisions/stream | GET    |  174 |
| /v1/watchers/login   | POST   |    2 |
+----------------------+--------+------+
INFO[25-03-2022 03:11:10 AM] Local Api Bouncers Metrics:
+----------------------------+----------------------+--------+------+
|          BOUNCER           |        ROUTE         | METHOD | HITS |
+----------------------------+----------------------+--------+------+
| FirewallBouncer-1648077543 | /v1/decisions/stream | GET    |  174 |
+----------------------------+----------------------+--------+------+



cscli bouncers list
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
 NAME                        IP ADDRESS  VALID  LAST API PULL         TYPE                       VERSION
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
 FirewallBouncer-1648077543  127.0.0.1   ✔️      2022-03-25T02:07:55Z  crowdsec-firewall-bouncer  v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866
-------------------------------------------------------------------------------------------------------------------------------------------------------------------



/etc/crowdsec/parsers# cscli hub list
INFO[25-03-2022 03:06:42 AM] Loaded 49 collecs, 55 parsers, 66 scenarios, 3 post-overflow parsers
PARSERS
-------------------------------------------------------------------------------------------------------------
 NAME                            📦 STATUS   VERSION  LOCAL PATH
-------------------------------------------------------------------------------------------------------------
 crowdsecurity/apache2-logs      ✔️  enabled  0.9      /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
 crowdsecurity/dateparse-enrich  ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
 crowdsecurity/http-logs         ✔️  enabled  0.8      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
 crowdsecurity/whitelists        ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
 crowdsecurity/syslog-logs       ✔️  enabled  0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
 crowdsecurity/iptables-logs     ✔️  enabled  0.2      /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
 crowdsecurity/nextcloud-logs    ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/nextcloud-logs.yaml
 crowdsecurity/geoip-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
 crowdsecurity/sshd-logs         ✔️  enabled  1.8      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
-------------------------------------------------------------------------------------------------------------
COLLECTIONS
------------------------------------------------------------------------------------------------------------
 NAME                               📦 STATUS   VERSION  LOCAL PATH
------------------------------------------------------------------------------------------------------------
 crowdsecurity/linux                ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml
 crowdsecurity/base-http-scenarios  ✔️  enabled  0.5      /etc/crowdsec/collections/base-http-scenarios.yaml
 crowdsecurity/iptables             ✔️  enabled  0.1      /etc/crowdsec/collections/iptables.yaml
 crowdsecurity/sshd                 ✔️  enabled  0.2      /etc/crowdsec/collections/sshd.yaml
 crowdsecurity/nextcloud            ✔️  enabled  0.2      /etc/crowdsec/collections/nextcloud.yaml
 crowdsecurity/apache2              ✔️  enabled  0.1      /etc/crowdsec/collections/apache2.yaml
------------------------------------------------------------------------------------------------------------
SCENARIOS
--------------------------------------------------------------------------------------------------------------------------
 NAME                                       📦 STATUS   VERSION  LOCAL PATH
--------------------------------------------------------------------------------------------------------------------------
 crowdsecurity/http-xss-probing             ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-xss-probing.yaml
 ltsich/http-w00tw00t                       ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-w00tw00t.yaml
 crowdsecurity/iptables-scan-multi_ports    ✔️  enabled  0.1      /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml
 crowdsecurity/http-generic-bf              ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-generic-bf.yaml
 crowdsecurity/nextcloud-bf                 ✔️  enabled  0.1      /etc/crowdsec/scenarios/nextcloud-bf.yaml
 crowdsecurity/http-bad-user-agent          ✔️  enabled  0.7      /etc/crowdsec/scenarios/http-bad-user-agent.yaml
 crowdsecurity/http-crawl-non_statics       ✔️  enabled  0.3      /etc/crowdsec/scenarios/http-crawl-non_statics.yaml
 crowdsecurity/ssh-bf                       ✔️  enabled  0.1      /etc/crowdsec/scenarios/ssh-bf.yaml
 crowdsecurity/http-sensitive-files         ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-sensitive-files.yaml
 crowdsecurity/http-sqli-probing            ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-sqli-probing.yaml
 crowdsecurity/http-open-proxy              ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-open-proxy.yaml
 crowdsecurity/ssh-slow-bf                  ✔️  enabled  0.2      /etc/crowdsec/scenarios/ssh-slow-bf.yaml
 crowdsecurity/http-backdoors-attempts      ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-backdoors-attempts.yaml
 crowdsecurity/http-probing                 ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-probing.yaml
 crowdsecurity/http-path-traversal-probing  ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-path-traversal-probing.yaml
--------------------------------------------------------------------------------------------------------------------------
POSTOVERFLOWS
--------------------------------------
 NAME  📦 STATUS  VERSION  LOCAL PATH
--------------------------------------
--------------------------------------

* Output from `nft list ruleset` proving the bouncer is OK

table ip crowdsec-blacklists {
        set crowdsec-blacklists {
                type ipv4_addr
                flags timeout
                elements = { 1.7.165.3 timeout 6d16h55m32s192ms expires 6d16h22m25s784ms, 1.9.78.242 timeout 6d19h55m32s196ms expires 6d19h22m25s300ms,
                             1.9.131.3 timeout 6d21h55m32s204ms expires 6d21h22m25s232ms, 1.9.226.34 timeout 5d11h22m18s220ms expires 5d10h49m11s500ms,
                             1.12.236.69 timeout 6d16h55m32s196ms expires 6d16h22m26s48ms, 1.14.17.3 timeout 5d5h55m32s184ms expires 5d5h22m25s480ms,
                             1.14.17.43 timeout 5d6h55m32s184ms expires 5d6h22m26s612ms, 1.14.17.83 timeout 5d13h55m32s184ms expires 5d13h22m26s272ms,
                             1.14.30.21 timeout 5d6h55m32s184ms expires 5d6h22m26s736ms, 1.14.34.199 timeout 3d18h55m32s184ms expires 3d18h22m25s500ms,
                             1.14.66.207 timeout 6d19h55m32s184ms expires 6d19h22m26s232ms, 1.14.69.182 timeout 6d22h55m32s208ms expires 6d22h22m26s28ms,


table ip6 crowdsec6-blacklists {
        set crowdsec6-blacklists {
                type ipv6_addr
                flags timeout
                elements = { 2602:80d:1000:b0cc:e:2:8:6 timeout 6d21h55m32s212ms expires 6d21h22m25s176ms,
                             2602:80d:1000:b0cc:e:2:8:7 timeout 6d21h55m32s212ms expires 6d21h22m25s492ms,
                             2607:5300:203:502c:: timeout 6d22h55m32s212ms expires 6d22h22m26s300ms,
                             2620:96:e000:b0cc:e:2:1:3 timeout 6d14h55m32s212ms expires 6d14h22m25s288ms,
                             2620:96:e000:b0cc:e:2:1:5 timeout 6d21h55m32s212ms expires 6d21h22m25s312ms,
                             2620:96:e000:b0cc:e:2:2:2 timeout 6d20h55m32s212ms expires 6d20h22m26s68ms,
                             2620:96:e000:b0cc:e:2:2:3 timeout 6d21h55m32s212ms expires 6d21h22m25s288ms,
                             2620:96:e000:b0cc:e:2:2:4 timeout 6d21h55m32s212ms expires 6d21h22m26s444ms,
                             2620:96:e000:b0cc:e:2:7:4 timeout 6d16h55m32s212ms expires 6d16h22m25s276ms }
Hello,

Those statements will be generated by the kernel itself, so they won't appear in the bouncer logs, but in your kernel logs (/var/log/kern.log).

Unfortunately, the kern.log is showing my usual nftables rules output.

kernel: [26129.859519] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=154 TOS=0x08 PREC=0x00 TTL=64 ID=36843 DF PROTO=TCP SPT=3306 DPT=50270 WINDOW=512 RES=0x00 ACK PSH URGP=0
kernel: [26129.861755] IN=enp5s0f1 OUT= MAC=00:1b:21:bc:e0:a1:34:27:92:60:e0:ca:08:00 SRC=192.168.1.254 DST=192.168.1.137 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=11735 DF PROTO=TCP SPT=56002 DPT=22 WINDOW=8211 RES=0x00 ACK URGP=0

Usually, Crowdsec uses a prefix output [Crowdsec] for each BOUNCER-ACTION-DROP. And I don't have any. It is like every DROP action is not logged:

kernel: crowdsec drop: ........

Furthermore, the Debian conf for journald usually sends nftables output to journalctl…

In fact, I don't really understand this :slight_smile::

chain crowdsec-chain {
                type filter hook input priority filter; policy accept;
                ip saddr @crowdsec-blacklists log group 0 drop

specifically the `log group 0 drop`

I do smell a ulogd misconfiguration… digging…

If someone could help, because I am still a newbie…
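The distinction the post above stumbles on is where an nftables `log` statement sends its messages: `log group N` hands packets to NFLOG (nfnetlink_log), which only a userspace listener such as ulogd2 can read, while a plain `log prefix "..."` goes through printk and lands in dmesg, kern.log and journald. The example below is added here and is not code from the thread or from the CrowdSec project; it classifies an nft rule by that criterion and parses kernel LOG lines of the format shown in the thread (the `IN= OUT= MAC= SRC= ...` key/value layout), counting drops per source for lines that carry the configured `deny_log_prefix`. The sample log lines and the source address 203.0.113.7 are constructed.

```python
import re
from collections import Counter

# Constructed sample: two lines carrying the bouncer's prefix (deny_log_prefix: "crowdsec: ")
# and one unprefixed line from another nftables rule, as seen in the thread.
SAMPLE_KERN_LOG = """\
Mar 25 02:46:45 n2 kernel: crowdsec: IN=enp5s0f1 OUT= MAC=00:1b:21:bc:e0:a1:34:27:92:60:e0:ca:08:00 SRC=203.0.113.7 DST=192.168.1.137 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=18178 DF PROTO=TCP SPT=42544 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 25 02:46:46 n2 kernel: [26129.859519] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=154 TOS=0x08 PREC=0x00 TTL=64 ID=36843 DF PROTO=TCP SPT=3306 DPT=50270 WINDOW=512 RES=0x00 ACK PSH URGP=0
Mar 25 02:46:47 n2 kernel: crowdsec: IN=enp5s0f1 OUT= MAC=00:1b:21:bc:e0:a1:34:27:92:60:e0:ca:08:00 SRC=203.0.113.7 DST=192.168.1.137 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=18179 DF PROTO=TCP SPT=42545 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# After "kernel: " comes an optional "[uptime] " timestamp, then an optional free-text
# prefix (set by the log statement), then the key/value fields starting at IN=.
LINE_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")


def parse_kernel_log_line(line):
    """Parse one netfilter LOG line into a dict; bare tokens (DF, SYN, ACK, ...) go to 'flags'."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # OUT= yields an empty value, which is valid
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def crowdsec_drops(text, prefix="crowdsec: "):
    """Count logged drops per SRC, keeping only lines whose prefix matches deny_log_prefix."""
    want = prefix.strip()
    hits = Counter()
    for line in text.splitlines():
        rec = parse_kernel_log_line(line)
        if rec and rec["prefix"] == want:
            hits[rec["SRC"]] += 1
    return hits


def log_destination(rule):
    """Classify where an nftables rule's log statement ends up: 'nflog', 'kernel' or 'none'."""
    m = re.search(r"\blog\b(.*)", rule)
    if not m:
        return "none"
    if re.search(r"\bgroup\s+\d+", m.group(1)):
        return "nflog"    # nfnetlink_log: needs ulogd2 or similar; nothing reaches kern.log
    return "kernel"       # printk: visible in dmesg, /var/log/kern.log and journalctl -k
```

Running `log_destination` on the chain quoted above reports "nflog", which is why kern.log shows nothing for the blacklist rule even though `deny_log` is true.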

Hello @stratege1401 ,

Can you show your bouncer configuration please?

Indeed, there is a problem with the logging option of the bouncer. We are investigating.

@alteredCoder My bad, I forgot to provide this yaml :slight_smile:
Thank you for investigating, I was thinking my server went bad…

cscli bouncers list
 FirewallBouncer-1648077543  127.0.0.1   ✔️      2022-03-25T16:31:24Z  crowdsec-firewall-bouncer  v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866

/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

mode: nftables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: "info"
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: http://127.0.0.1:8080/
api_key: 0291ec564db1b368d0d11964c4809d3d
insecure_skip_verify: false
disable_ipv6: false
deny_action: DROP
deny_log: true
supported_decisions_types:
  - ban
#to change log prefix
deny_log_prefix: "crowdsec: "
#to change the blacklists name
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
#if present, insert rule in those chains
iptables_chains:
  - INPUT
#  - FORWARD
#  - DOCKER-USER

## nftables
nftables:
  ipv4:
    enabled: true
    set-only: false
    table: crowdsec-blacklists
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: false
    table: crowdsec6-blacklists
    chain: crowdsec6-chain
# packet filter
pf:
  # an empty string disables the anchor
  anchor_name: ""

Also, on page
https://doc.crowdsec.net/docs/bouncers/firewall
the log values are not defined correctly, as info and debug are possible as variables:
`log_level: "info"` or `log_level: "debug"` *(haven't tested verbose or warn)*

Hello @stratege1401

I confirmed the bug and opened a PR for it: fix logging for nftables by buixor · Pull Request #169 · crowdsecurity/cs-firewall-bouncer · GitHub
