Is my setup “correct”? Or did you see something incorrect?
Do I need to keep api.server in the config if this machine will use another API?
When I check the logs I see some errors like this: unable to fetch scenarios from db: while listing machines: setting machine status: unable to update, a lot of times (but not now when I try to get the logs, so wait and see).
I also see a lot of log lines about a timeout when reading log files, like level=debug msg=timeout acquisition file=/var/log/auth.log. Can that be a real problem, or is it not important? (The file exists and is readable.)
Just before writing this, I tried to run the command cscli config show, and at the end of the response I saw:
Hello @thib3113, I will try to answer your questions one by one.
Is my setup “correct”? Or did you see something incorrect?
Yes, your setup looks good.
Do I need to keep api.server in the config if this machine will use another API?
If your CrowdSec agent uses another LAPI, you can remove the api.server part.
When I check the logs I see some errors like this: unable to fetch scenarios from db: while listing machines: setting machine status: unable to update, a lot of times (but not now when I try to get the logs, so wait and see).
I’m interested if you manage to reproduce this error, because we haven’t managed to do it.
I also see a lot of log lines about a timeout when reading log files, like level=debug msg=timeout acquisition file=/var/log/auth.log. Can that be a real problem, or is it not important? (The file exists and is readable.)
Do you have data being written to this file? (For your information, you see this log line because you are in debug mode.)
Just before writing this, I tried to run the command cscli config show, and at the end of the response I saw:
OK, it’s commented (and so the config show stack starts at /home/runner/work/crowdsec/crowdsec/cmd/crowdsec-cli/config.go:238 and not /home/runner/work/crowdsec/crowdsec/cmd/crowdsec-cli/config.go:269, but I think it’s covered by your PR).
I don’t know for the moment; the logs show it disappears after a restart of crowdsec, when I activate debug logging (but I don’t remember if I changed another setting).
Not sure data is written to these files (data is in the files, but maybe not updated) (the machines are not accessible from outside).
Thank you.
Yes.
/etc/crowdsec# cscli decisions list
No active decisions
For the moment, I am just trying to set up crowdsec, so the files being read are not really filled by logs (the machines are not accessible from the outside).
The logs I want to monitor afterwards are the sshd logs from GitLab, and the logs from Bitwarden (but it seems the sshd from GitLab is not exactly the same as sshd, and Bitwarden is not available on the hub)… So the next step is to learn how to parse logs and try to contribute to the hub.
Good! So crowdsec seems to work on your setup?
You can check that your agent works correctly with cscli metrics.
To check that your multi-machine setup works correctly, you can try to add a decision from machine 2 (cscli decisions add -i <IP>, for example) and run cscli decisions list on machine 3.
The logs I want to monitor afterwards are the sshd logs from GitLab, and the logs from Bitwarden (but it seems the sshd from GitLab is not exactly the same as sshd, and Bitwarden is not available on the hub)… So the next step is to learn how to parse logs and try to contribute to the hub.
Thanks! Don’t hesitate to give us feedback about the documentation.
OK, so, it’s great, it works. Thank you (I added on machine 2 and checked on machine 1, because machine 3 is not set up for the moment, but I think it’s the same).
So, I will continue to discover crowdsec. Thank you.
@alteredCoder I have another question (not sure if I need to open a new thread or not).
How do I install crowdsec without “acquis”?
Here is my use case:
I am trying to set up a new machine (4) to run bouncers only.
I ran the wizard, but I didn’t need to set up acquisitions (the machine will only be attacked by internal IPs, and I don’t want to ban them) (my router will scan my network for threats).
I didn’t find an option that will install and start the daemon.
--bininstall seems not to enable the daemon.
Did I miss something? Or can I just not “just install crowdsec” (with the wizard), and always need to set up acquis? (I tried to install it because when I try to install cs-custom-bouncer, it crashes because no cscli is configured.)
Another thing: I finally succeeded in setting up the custom bouncer, and I saw a lot of IPs multiple times… for example, out of 900 IPs, I have only 68 unique IPs. Is that normal? (It could be a bug in my script too, but for the moment it seems I have a lot of duplicates.)
Which kind of bouncer are you trying to set up? Most bouncers should warn you, if cscli isn’t present on the machine, that they can’t add the API key themselves, but it shouldn’t make the install fail.
Edit: just saw that the custom bouncer doesn’t handle this gracefully; opening an issue to fix it.
Plus, if the machine is to run a bouncer only, it doesn’t have to have crowdsec running directly. The bouncers communicate with the Local API over an HTTP REST API for this purpose!
This is weird indeed; can you tell me more about the bouncer? When the bouncer “polls” the API, it should receive “new” and “expired” decisions, so you shouldn’t have any duplicates.
Yes, that’s why I didn’t install crowdsec before trying to install the custom bouncer (and because I didn’t really know how to do the setup manually when I wrote this comment).
Now, because the “setup” of the custom bouncer assumes crowdsec is local (api_url is localhost, and it generates the api_key with cscli), I already need to do all the “setup” manually.
Yes, I saw it when I did some searching. But it seems to have been opened several months ago.
I just use the custom bouncer, and (do a curl to another script +) add a log line to a file.
So, I cleared the file and ran systemctl restart cs-custom-bouncer.
cat /var/log/bouncer.log | wc -l returns 5612 (my crowdsec has no parsers, and maybe 1 manual IP added to the banlist for the moment) (936 add / 4676 del).
When sorting the logs I can see:
add 95.91.82.81/32 for 13987s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 21187s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 27194s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 34396s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 41596s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 48796s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 55996s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 63196s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 6787s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 70396s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 77596s because crowdsecurity/http-bad-user-agent json :
add 95.91.82.81/32 for 84796s because crowdsecurity/http-bad-user-agent json :
12 times the same IP, for the same reason, with different durations… this seems weird to me (maybe I missed a configuration?) (+ I’m not a network expert, but 95.61.82.81/32 seems to be equal to 95.61.81.81? unifiOS refuses the /32 CIDR).
And when checking directly on unifiOS, sometimes I have only 2 IPs in the blacklist (I need to investigate more, but maybe the script unbans all the IPs?).
The script, just in case (it can be interesting for people who don’t know bash, like me, as an example?):
#!/bin/bash
# Hook script for cs-custom-bouncer. The bouncer calls it once per decision as:
#   <script> <add|del> <ip-or-range> <duration-in-seconds> <reason> <decision-json>
ACTION=$1
IP=$2
DURATION=$3
REASON=$4
JSON_OBJECT=$5
URL=http://192.168.9.100:3000
LOG=/var/log/bouncer.log
case "${ACTION}" in
add)
    # log the decision, then push the IP to the remote blocklist endpoint
    echo "add ${IP} for ${DURATION}s because \"${REASON}\" json : ${JSON_OBJECT}" >> "${LOG}"
    # -k disables TLS certificate checking; acceptable only because URL is plain http on the LAN
    /usr/bin/curl -k --location --request POST "${URL}?token=sdfghjkaze&ips=${IP}"
    ;;
del)
    # log the expiry, then remove the IP from the remote blocklist
    echo "del ${IP} for ${DURATION}s because \"${REASON}\" json : ${JSON_OBJECT}" >> "${LOG}"
    /usr/bin/curl -k --silent --location --request DELETE "${URL}?token=gifrnodekp%C3%B9lszmfml&ips=${IP}"
    ;;
*)
    echo "unknown action ${ACTION}" >> "${LOG}"
    exit 1
    ;;
esac
If you don’t have a bouncer, it is possible that this IP keeps triggering the scenario, and thus comes back on a regular basis; this would explain it. Can you check the timestamps in the logs, and/or match this against cscli alerts list (or even cscli alerts list -i 95.91.82.81 in your case)?
Yes, 95.61.82.81/32 is equal to 95.61.81.81: from the bouncer’s point of view, everything is received as a range (even if it’s a single IP) so that it doesn’t have to try and guess whether it’s an IP or a range.
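The two answers above describe how a bouncer consumes the Local API: it polls a stream that returns “new” and “expired” (deleted) decisions, several decisions can be alive for the same IP at once, and every value arrives as a range even when it is a single address. The following is an added example, not code from the thread, from CrowdSec or from cs-custom-bouncer. It replays constructed stream responses through a small decision tracker that collapses overlapping bans of one IP into a single add and a single del, and that turns a /32 or /128 host prefix back into a bare address for a firewall UI that rejects such prefixes. The endpoint path, the X-Api-Key header and the startup query parameter used in fetch_stream are assumptions about the LAPI and are not exercised offline; the three payloads and all IPs in them are constructed samples.

```python
"""Added example (not CrowdSec's or the bouncer's own code): consume the
Local API decision stream the way a bouncer does, collapse the several
decisions that can exist for one IP into a single block, and hand the
firewall a bare address instead of a /32 or /128.

Assumptions (not taken from the thread): the stream endpoint is
GET /v1/decisions/stream, authenticated with the X-Api-Key header, and
returns {"new": [...], "deleted": [...]} where each decision carries at
least "id" and "value".  The payloads below are constructed samples."""
import ipaddress
import json
import urllib.request


def normalize_value(value: str) -> str:
    """Return a bare address for host prefixes (/32, /128) and the CIDR
    text unchanged for real ranges.  Both "1.2.3.4" and "1.2.3.4/32"
    map to "1.2.3.4", which is what a UI that rejects /32 wants."""
    net = ipaddress.ip_network(value, strict=False)
    if net.num_addresses == 1:
        return str(net.network_address)
    return str(net)


class DecisionSet:
    """Tracks active decisions by id; a value stays blocked while at least
    one decision for it is alive, so overlapping bans of the same IP
    produce one add and one del instead of one pair per decision."""

    def __init__(self):
        self._by_id = {}  # decision id -> normalized value

    def apply(self, payload: str):
        """Apply one stream response; return (values to block, values to unblock)."""
        data = json.loads(payload)
        to_add, to_del = [], []
        for dec in data.get("new") or []:
            value = normalize_value(dec["value"])
            if value not in self._by_id.values():
                to_add.append(value)  # first live decision for this value
            self._by_id[dec["id"]] = value
        for dec in data.get("deleted") or []:
            value = self._by_id.pop(dec["id"], None)
            if value is None:
                continue  # never announced to us (or already removed): nothing to undo
            if value not in self._by_id.values():
                to_del.append(value)  # last decision for this value expired
        return to_add, to_del

    def blocked(self):
        """Currently blocked values, one entry per value regardless of decision count."""
        return sorted(set(self._by_id.values()))


def fetch_stream(lapi_url: str, api_key: str, startup: bool) -> str:
    """One poll of the LAPI (assumed endpoint); startup=True asks for the
    full active set after a restart, later calls get only the delta.
    Network call: not exercised by the offline demo below."""
    req = urllib.request.Request(
        f"{lapi_url}/v1/decisions/stream?startup={'true' if startup else 'false'}",
        headers={"X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed samples.  The first poll carries two overlapping bans for the
# same IP (one written with /32), a real range, and an IPv6 host prefix.
FIRST_POLL = json.dumps({"new": [
    {"id": 1, "value": "95.91.82.81", "duration": "3h53m", "scenario": "crowdsecurity/http-bad-user-agent"},
    {"id": 2, "value": "95.91.82.81/32", "duration": "5h53m", "scenario": "crowdsecurity/http-bad-user-agent"},
    {"id": 3, "value": "10.0.0.0/24", "duration": "4h", "scenario": "manual"},
    {"id": 4, "value": "2001:db8::1/128", "duration": "4h", "scenario": "manual"},
], "deleted": None})
# Second poll: the shorter ban on 95.91.82.81 expires, the longer one is still alive.
SECOND_POLL = json.dumps({"new": [], "deleted": [{"id": 1, "value": "95.91.82.81"}]})
# Third poll: the last ban on that IP expires; id 99 was never announced to us.
THIRD_POLL = json.dumps({"new": [], "deleted": [{"id": 2, "value": "95.91.82.81"},
                                                 {"id": 99, "value": "203.0.113.9"}]})


def run_demo():
    """Replay the three constructed polls; returns the per-poll (add, del)
    tuples followed by the final blocked list."""
    ds = DecisionSet()
    return [ds.apply(p) for p in (FIRST_POLL, SECOND_POLL, THIRD_POLL)] + [ds.blocked()]


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

Keyed by decision id and reduced to the value, the two bans on 95.91.82.81 yield one add on the first poll and one del only when the second of them expires; a hook script that is invoked per decision, like the one earlier in this thread, instead logs one add and one del for each decision it is handed.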