New setup - right setup?

Legolas · November 7, 2023, 8:18am

I have a Debian 12 machine with a Mailcow

Operating system and crowdsec are up to date. Does anyone see errors here? In the console i see that nothing is happening. Fail2ban is already on this machine and is banning ssh attacs

cscli decisions list
No active decisions

cscli bouncers list
cs-firewall-bouncer-1697802070 127.0.0.1 2023-11-07T08:09:35Z crowdsec-firewall-bouncer v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5 api-key

cscli metrics list
FATA[07-11-2023 09:04:29] accepts 0 arg(s), received 1

cscli parsers list
crowdsecurity/dovecot-logs enabled 0.8 /etc/crowdsec/parsers/s01-parse/dovecot-logs.yaml
crowdsecurity/http-logs enabled 1.2 /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
crowdsecurity/nginx-logs enabled 1.4 /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
crowdsecurity/postfix-logs enabled 0.4 /etc/crowdsec/parsers/s01-parse/postfix-logs.yaml
crowdsecurity/postscreen-logs enabled 0.2 /etc/crowdsec/parsers/s01-parse/postscreen-logs.yaml

acquis.yaml

filenames:
  - /var/log/nginx/*.log
  - ./tests/nginx/nginx.log
#this is not a syslog log, indicate which kind of logs it is
labels:
  type: nginx
---
filenames:
 - /var/log/auth.log
 - /var/log/syslog
labels:
  type: syslog
---
source: journalctl
journalctl_filter:
 - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog
---
source: docker
container_name:
  - mailcowdockerized-nginx-mailcow-1
labels:
  type: nginx
---
source: docker
container_name:
  - mailcowdockerized-dovecot-mailcow-1
  - mailcowdockerized-postfix-mailcow-1
labels:
  type: syslog
---

config .yaml

common:
  daemonize: true
  log_media: file
  log_level: info
  log_dir: /var/log/
  log_max_size: 20
  compress_logs: true
  log_max_files: 10
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
  notification_dir: /etc/crowdsec/notifications/
  plugin_dir: /usr/lib/crowdsec/plugins/
crowdsec_service:
  #console_context_path: /etc/crowdsec/console/context.yaml
  acquisition_path: /etc/crowdsec/acquis.yaml
  acquisition_dir: /etc/crowdsec/acquis.d
  parser_routines: 1
cscli:
  output: human
  color: auto
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  #max_open_conns: 100
  #user:
  #password:
  #db_name:
  #host:
  #port:
  use_wal: true
  flush:
    max_items: 5000
    max_age: 7d
plugin_config:
  user: nobody # plugin process would be ran on behalf of this user
  group: nogroup # plugin process would be ran on behalf of this group
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    console_path: /etc/crowdsec/console.yaml
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    trusted_ips: # IP ranges, or IPs which can have admin API access
      - 127.0.0.1
      - ::1
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060

iiAmLoz · November 7, 2023, 2:38pm

Could you provide the output of cscli metrics ?

Legolas · November 7, 2023, 2:58pm

 cscli metrics

Acquisition Metrics:
╭─────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│                     Source                      │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├─────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ docker:mailcowdockerized-dovecot-mailcow-1      │ 5.11k      │ -            │ 5.11k          │ -                      │
│ docker:mailcowdockerized-nginx-mailcow-1        │ 4.02k      │ -            │ 4.02k          │ -                      │
│ docker:mailcowdockerized-postfix-mailcow-1      │ 1.57k      │ -            │ 1.57k          │ -                      │
│ file:/var/log/auth.log                          │ 58         │ -            │ 58             │ -                      │
│ file:/var/log/syslog                            │ 1.67k      │ -            │ 1.67k          │ -                      │
│ journalctl:journalctl-_SYSTEMD_UNIT=ssh.service │ 32         │ -            │ 32             │ -                      │
╰─────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│        Route         │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/decisions/stream │ GET    │ 2415 │
│ /v1/heartbeat        │ GET    │ 402  │
│ /v1/watchers/login   │ POST   │ 7    │
╰──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭──────────────────────────────────┬───────────────┬────────┬──────╮
│             Machine              │     Route     │ Method │ Hits │
├──────────────────────────────────┼───────────────┼────────┼──────┤
│ bb18879c5289415587b6ae9360662797 │ /v1/heartbeat │ GET    │ 402  │
╰──────────────────────────────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭────────────────────────────────┬──────────────────────┬────────┬──────╮
│            Bouncer             │        Route         │ Method │ Hits │
├────────────────────────────────┼──────────────────────┼────────┼──────┤
│ cs-firewall-bouncer-1697802070 │ /v1/decisions/stream │ GET    │ 2415 │
╰────────────────────────────────┴──────────────────────┴────────┴──────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│                   Reason                   │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/CVE-2022-26134               │ CAPI   │ ban    │ 199   │
│ crowdsecurity/CVE-2022-35914               │ CAPI   │ ban    │ 54    │
│ crowdsecurity/http-open-proxy              │ CAPI   │ ban    │ 406   │
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 13    │
│ crowdsecurity/jira_cve-2021-26086          │ CAPI   │ ban    │ 27    │
│ crowdsecurity/CVE-2023-22515               │ CAPI   │ ban    │ 4     │
│ crowdsecurity/http-bad-user-agent          │ CAPI   │ ban    │ 4144  │
│ firehol_botscout_7d                        │ lists  │ ban    │ 3698  │
│ firehol_greensnow                          │ lists  │ ban    │ 7621  │
│ crowdsecurity/CVE-2019-18935               │ CAPI   │ ban    │ 27    │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 368   │
│ crowdsecurity/dovecot-spam                 │ CAPI   │ ban    │ 3152  │
│ crowdsecurity/f5-big-ip-cve-2020-5902      │ CAPI   │ ban    │ 24    │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI   │ ban    │ 64    │
│ crowdsecurity/grafana-cve-2021-43798       │ CAPI   │ ban    │ 49    │
│ crowdsecurity/postfix-spam                 │ CAPI   │ ban    │ 2795  │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 12    │
│ crowdsecurity/CVE-2022-41082               │ CAPI   │ ban    │ 965   │
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 351   │
│ crowdsecurity/netgear_rce                  │ CAPI   │ ban    │ 11    │
│ crowdsecurity/nginx-req-limit-exceeded     │ CAPI   │ ban    │ 74    │
│ crowdsecurity/CVE-2022-42889               │ CAPI   │ ban    │ 13    │
│ crowdsecurity/http-generic-bf              │ CAPI   │ ban    │ 15    │
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 1260  │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 9997  │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI   │ ban    │ 39    │
│ otx-webscanners                            │ lists  │ ban    │ 9102  │
│ crowdsecurity/http-path-traversal-probing  │ CAPI   │ ban    │ 41    │
│ crowdsecurity/vmware-cve-2022-22954        │ CAPI   │ ban    │ 1     │
│ ltsich/http-w00tw00t                       │ CAPI   │ ban    │ 1     │
│ crowdsecurity/CVE-2022-37042               │ CAPI   │ ban    │ 21    │
│ crowdsecurity/CVE-2023-22518               │ CAPI   │ ban    │ 6     │
│ crowdsecurity/http-backdoors-attempts      │ CAPI   │ ban    │ 431   │
│ crowdsecurity/http-cve-2021-41773          │ CAPI   │ ban    │ 29    │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

iiAmLoz · November 7, 2023, 6:02pm

It seems there logs being read but nothing is parsed, However, I see in your top message you are missing the s00 parsers.

Can you run

cscli parsers install crowdsecurity/syslog-logs
cscli parsers install crowdsecurity/docker-logs
systemctl restart crowdsec

As these are needed for your setup.

Legolas · November 8, 2023, 7:37am

Looks good. Thank you. I will continue to monitor this now

Topic		Replies	Views
Did I have the rigth setup crowdsec	3	1016	August 17, 2022
How to make it work? crowdsec	8	1348	November 15, 2021
Crowdsec update on Debian 12 and other questions crowdsec	2	109	September 18, 2024
Newbie questions before installation crowdsec	4	776	December 28, 2021
I don't know if it works crowdsec	2	77	August 14, 2024

New setup - right setup?

Related topics