I don't know if it works

Legolas · August 13, 2024, 9:12am

Hello,

i followed this steps: Protecting mailcow with Crowdsec

but i beleive it does not work

 cscli metrics

Acquisition Metrics:
╭─────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│                      Source                     │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├─────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ journalctl:journalctl-_SYSTEMD_UNIT=ssh.service │ 8          │ -            │ 8              │ -                      │ -                 │
╰─────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│                   Reason                   │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/jira_cve-2021-26086          │ CAPI   │ ban    │ 18    │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI   │ ban    │ 69    │
│ ltsich/http-w00tw00t                       │ CAPI   │ ban    │ 3     │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI   │ ban    │ 6     │
│ crowdsecurity/netgear_rce                  │ CAPI   │ ban    │ 2     │
│ crowdsecurity/nginx-req-limit-exceeded     │ CAPI   │ ban    │ 204   │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 4417  │
│ crowdsecurity/ssh-cve-2024-6387            │ CAPI   │ ban    │ 33    │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 6322  │
│ crowdsecurity/dovecot-spam                 │ CAPI   │ ban    │ 142   │
│ crowdsecurity/http-path-traversal-probing  │ CAPI   │ ban    │ 93    │
│ crowdsecurity/http-open-proxy              │ CAPI   │ ban    │ 760   │
│ crowdsecurity/http-admin-interface-probing │ CAPI   │ ban    │ 95    │
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 183   │
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 182   │
│ crowdsecurity/CVE-2019-18935               │ CAPI   │ ban    │ 9     │
│ crowdsecurity/CVE-2023-22515               │ CAPI   │ ban    │ 3     │
│ crowdsecurity/http-generic-bf              │ CAPI   │ ban    │ 12    │
│ crowdsecurity/vmware-cve-2022-22954        │ CAPI   │ ban    │ 1     │
│ firehol_cruzit_web_attacks                 │ lists  │ ban    │ 13173 │
│ otx-webscanners                            │ lists  │ ban    │ 8720  │
│ tor-exit-nodes                             │ lists  │ ban    │ 2219  │
│ crowdsecurity/CVE-2022-35914               │ CAPI   │ ban    │ 5     │
│ crowdsecurity/CVE-2023-49103               │ CAPI   │ ban    │ 15    │
│ crowdsecurity/CVE-2022-26134               │ CAPI   │ ban    │ 4     │
│ crowdsecurity/http-cve-2021-42013          │ CAPI   │ ban    │ 1     │
│ crowdsecurity/http-cve-probing             │ CAPI   │ ban    │ 2     │
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 1677  │
│ crowdsecurity/http-wordpress-scan          │ CAPI   │ ban    │ 153   │
│ crowdsecurity/CVE-2017-9841                │ CAPI   │ ban    │ 98    │
│ crowdsecurity/http-backdoors-attempts      │ CAPI   │ ban    │ 113   │
│ crowdsecurity/http-bad-user-agent          │ CAPI   │ ban    │ 3176  │
│ crowdsecurity/http-cve-2021-41773          │ CAPI   │ ban    │ 127   │
│ crowdsecurity/postfix-spam                 │ CAPI   │ ban    │ 213   │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 30    │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│         Route        │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/decisions/stream │ GET    │ 7813 │
│ /v1/heartbeat        │ GET    │ 1303 │
│ /v1/watchers/login   │ POST   │ 23   │
╰──────────────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭────────────────────────────────┬──────────────────────┬────────┬──────╮
│             Bouncer            │         Route        │ Method │ Hits │
├────────────────────────────────┼──────────────────────┼────────┼──────┤
│ cs-firewall-bouncer-1721992191 │ /v1/decisions/stream │ GET    │ 7813 │
╰────────────────────────────────┴──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│                      Machine                     │     Route     │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ e600393ad36b47ec881f35da6413c916ODzyFE4isUNlWAc6 │ /v1/heartbeat │ GET    │ 1303 │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│             Parsers             │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/sshd-logs   │ 112  │ -      │ 112      │
│ child-crowdsecurity/syslog-logs │ 8    │ 8      │ -        │
│ crowdsecurity/sshd-logs         │ 8    │ -      │ 8        │
│ crowdsecurity/syslog-logs       │ 8    │ 8      │ -        │

cscli parsers list

PARSERS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                            📦 Status    Version  Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/dateparse-enrich  ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
 crowdsecurity/docker-logs       ✔️  enabled  0.1      /etc/crowdsec/parsers/s00-raw/docker-logs.yaml
 crowdsecurity/dovecot-logs      ✔️  enabled  0.8      /etc/crowdsec/parsers/s01-parse/dovecot-logs.yaml
 crowdsecurity/geoip-enrich      ✔️  enabled  0.4      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
 crowdsecurity/http-logs         ✔️  enabled  1.2      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
 crowdsecurity/nginx-logs        ✔️  enabled  1.6      /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
 crowdsecurity/postfix-logs      ✔️  enabled  0.6      /etc/crowdsec/parsers/s01-parse/postfix-logs.yaml
 crowdsecurity/postscreen-logs   ✔️  enabled  0.3      /etc/crowdsec/parsers/s01-parse/postscreen-logs.yaml
 crowdsecurity/sshd-logs         ✔️  enabled  2.7      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
 crowdsecurity/syslog-logs       ✔️  enabled  0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
 crowdsecurity/whitelists        ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────

Does anyone have any tips or hints for me?
Thanks
SW

iiAmLoz · August 13, 2024, 3:33pm

From what I see the acquisition seems to be missing or it fails to find the containers did you add the following from the guide?

# lines for mailcow
source: docker
container_name:
  - mailcowdockerized_nginx-mailcow_1
labels:
  type: nginx
---
source: docker
container_name:
  - mailcowdockerized_dovecot-mailcow_1
  - mailcowdockerized_postfix-mailcow_1
labels:
  type: syslog
---

also ensure when you run docker ps -a that the container names are correct

Legolas · August 14, 2024, 12:33pm

That was a very good hint. It was actually the names of the containers. Thank you very much

Topic		Replies	Views
Captcha that does not work	37	6710	March 18, 2022
I feel I made something wrong crowdsec	2	42	August 2, 2024
CS apparently not doing anything crowdsec	1	468	May 4, 2022
SSHD detection not working? crowdsec	27	2249	December 9, 2021
How does denial of service work with crowdsec? crowdsec	3	613	February 19, 2022

I don't know if it works

Related Topics