New to crowdSec, some questions

Hello,
I’m really new to crowdsec, and I tried some things, but it doesn’t work for the moment …

My setup uses 3 or more computers.
Multiple for parsers, one for the API, and one for the bouncer.

For the moment, I have some trouble trying to set up one “machine” linked to the API.

So:
Machine 1:

  • runs crowdsec in a docker environment
  • behind a traefik reverse proxy (I can call it at https://api-crowdsec.thib.lan, with a self-signed certificate)
  • docker revision : 18ff3a3a306d1eca786038fb343250e43784a900

Machine 2:

  • runs on the docker host (but I will set up other machines, on other hosts)
  • cscli version : v1.0.7-18ff3a3a306d1eca786038fb343250e43784a900 / alphaga / 2021-02-10_08:32:20

Machine 3:

  • will be a router from ubiquiti, where the bouncer will directly add/remove IPs to the banlist

So, here is my configuration for machine 2:

common:
  daemonize: true
  pid_dir: /var/run/
  log_media: file
  log_level: debug
  log_dir: /var/log/
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  parser_routines: 1
cscli:
  output: human
  hub_branch: master
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  #user:
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
api:
  client:
    insecure_skip_verify: true
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8583
    profiles_path: /etc/crowdsec/profiles.yaml
#    online_client: # Crowdsec API credentials (to push signals and receive bad IPs)
#      credentials_path: /etc/crowdsec/online_api_credentials.yaml
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060

My local_api_credentials.yaml:

url: https://api-crowdsec.thib.lan
login: docker
password: XXXX

So, some questions:

  • is my setup “correct”? Or do you see something incorrect?
  • do I need to keep api.server in the config if this machine will use another API?
  • when I check the logs I see some errors like this issue: unable to fetch scenarios from db: while listing machines: setting machine status: unable to update lots of times … (but not now when I try to get the logs … so wait & see).
    – I also see a lot of logs about a timeout when reading log files, like level=debug msg=timeout acquisition file=/var/log/auth.log. Can this be a real problem? Or is it not important? (the file exists, and is readable)
  • just before writing this, I tried to run the command cscli config show, and at the end of the response I saw:
Central API:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0xe12fa5]

goroutine 1 [running]:
main.NewConfigCmd.func1(0xc0003ce2c0, 0x1c78eb8, 0x0, 0x0)
        /home/runner/work/crowdsec/crowdsec/cmd/crowdsec-cli/config.go:269 +0x1045
github.com/spf13/cobra.(*Command).execute(0xc0003ce2c0, 0x1c78eb8, 0x0, 0x0, 0xc0003ce2c0, 0x1c78eb8)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:854 +0x2aa
github.com/spf13/cobra.(*Command).ExecuteC(0xc0000e9600, 0xc000513f18, 0x1, 0x1)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:958 +0x349
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:895
main.main()
        /home/runner/work/crowdsec/crowdsec/cmd/crowdsec-cli/main.go:142 +0xb31

(I disabled CAPI in the config, because it will be the job of the LAPI?)

  • when I run cscli lapi status it seems to be OK when authenticating with my LAPI.

Thank you,

Hello @thib3113, I will try to answer your questions one by one.

  • is my setup “correct”? Or do you see something incorrect?

Yes, your setup looks good.

  • do I need to keep api.server in the config if this machine will use another API?

If your crowdsec agent uses another LAPI, you can remove the api.server part.

  • when I check the logs I see some errors like this issue: unable to fetch scenarios from db: while listing machines: setting machine status: unable to update lots of times … (but not now when I try to get the logs … so wait & see).

I’m interested if you manage to reproduce this error, because we didn’t manage to do it :confused:

    – I also see a lot of logs about a timeout when reading log files, like level=debug msg=timeout acquisition file=/var/log/auth.log. Can this be a real problem? Or is it not important? (the file exists, and is readable)

Do you have data being written to this file? (for your information, you see this log because you are in debug mode)

  • just before writing this, I tried to run the command cscli config show, and at the end of the response I saw:

This is a bug in crowdsec. I’ve opened an issue and will fix this soon: Bug/crowdsec: null deref in `cscli config show` · Issue #693 · crowdsecurity/crowdsec · GitHub

  • when I run cscli lapi status it seems to be OK when authenticating with my LAPI.

Did you run this command on machine 2?
What is the output of cscli decisions list?

Great, thank you.

OK, it’s commented (and so the config show stack trace starts at /home/runner/work/crowdsec/crowdsec/cmd/crowdsec-cli/config.go:238 and not /home/runner/work/crowdsec/crowdsec/cmd/crowdsec-cli/config.go:269, but I think it’s covered by your PR).

I don’t know for the moment; the logs show it disappeared after a restart of crowdsec, when I activated debug logging (but I don’t remember if I changed other settings :confused:).

Not sure data is written to these files (there is data in the files, but maybe not updated) (machines are not accessible from outside).

Thank you.

Yes.

/etc/crowdsec# cscli decisions list
No active decisions

For the moment, I’m just trying to set up crowdsec, so the files read are not really filled with logs (machines are not accessible from the outside).

The logs I want to monitor afterwards are the sshd logs from gitlab, and the logs from bitwarden (but it seems the sshd from gitlab is not exactly the same as sshd, and bitwarden is not available on the hub) … So the next step is to learn how to parse logs and try to contribute to the hub.

Good! So crowdsec looks to be working on your setup?
You can check if your agent works correctly with cscli metrics.
To check that your multi-machine setup works correctly, you can try to add a decision from machine 2 (cscli decisions add -i <IP>) for example and run cscli decisions list on machine 3.

The logs I want to monitor afterwards are the sshd logs from gitlab, and the logs from bitwarden (but it seems the sshd from gitlab is not exactly the same as sshd, and bitwarden is not available on the hub) … So the next step is to learn how to parse logs and try to contribute to the hub.

Thanks! Don’t hesitate to give us feedback about the documentation :slight_smile:

OK, so, it’s great, it works. Thank you (I added on machine 2, and checked on machine 1 because machine 3 is not set up for the moment, but I think it’s the same).

So, I will continue to discover crowdsec, thank you.

@alteredCoder I have another question (not sure if I need to open a new thread or not).

How do I install crowdsec without “acquis”?

Here is my use case:

  • I’m trying to set up a new machine (4), to run bouncers only
  • I ran the wizard, but I don’t need to set up acquisitions (the machine will only be attacked by internal IPs … I don’t want to ban them) (my router will scan my network for threats)
  • I didn’t find an option that will install + start up the daemon
  • --bininstall seems not to enable the daemon

Did I miss something? Or can I just not “just install crowdsec” (with the wizard), and do I always need to set up acquis? (I tried to install it, because when I tried to install cs-custom-bouncer, it crashed because no cscli was configured).

Other thing: I finally succeeded in setting up the custom bouncer, and I saw a lot of IPs multiple times … for example, out of 900 IPs, I have only 68 unique IPs … Is it normal? (it can be a bug in my script too, but for the moment, it seems I have a lot of duplicates)

Hello @thib3113 !

Which kind of bouncer are you trying to set up? Most bouncers should warn you, if cscli isn’t present on the machine, that they can’t add the API key themselves, but it shouldn’t make the install fail :slightly_smiling_face:

edit: just saw that the custom bouncer doesn’t handle this gracefully, opening an issue to fix it

Plus, if the machine is to run bouncers only, it doesn’t have to have crowdsec running directly. The bouncers communicate with the Local API via an HTTP REST API for this purpose!

see schema :

This is weird indeed, can you tell me more about the bouncer? When the bouncer “polls” the API, it should receive “new” and “expired” decisions, so you shouldn’t have any duplicates :slight_smile:

Actually an MR already exists to fix this issue :sweat_smile:

It should be merged for a new release soon!

There you go @thib3113: Release v0.0.7 · crowdsecurity/cs-custom-bouncer · GitHub

Let us know :+1:

Yes, that’s why I didn’t install crowdsec before trying to install the custom bouncer (and because I didn’t really know how to do the setup manually when I wrote this comment).

Now, because the “setup” of the custom bouncer assumes crowdsec is local (api_url is localhost, and it generates the api_key with cscli), I already need to do all the “setup” manually :slight_smile:.

Yes, I saw it when I did some searching :slight_smile:. But it seems to have been opened multiple months ago.

I just use the custom bouncer, and (do a curl to another script +) add a log line to a file.
So, I clear the file, and run systemctl restart cs-custom-bouncer.

  • cat /var/log/bouncer.log | wc -l returns 5612 (my crowdsec has no parsers, and maybe 1 manual IP added to the banlist for the moment). (936 add / 4676 del)
  • when sorting the logs I can see:
    add 95.91.82.81/32 for 13987s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 21187s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 27194s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 34396s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 41596s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 48796s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 55996s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 63196s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 6787s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 70396s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 77596s because crowdsecurity/http-bad-user-agent json :
    add 95.91.82.81/32 for 84796s because crowdsecurity/http-bad-user-agent json :

12 times the same IP, for the same reason, with different durations … this seems weird to me (maybe I missed a configuration?) … (+ I’m not a network expert, but 95.61.82.81/32 seems to be equal to 95.61.81.81? unifiOS refuses the /32 CIDR)

And when checking directly on unifiOS, sometimes I have only 2 IPs in the blacklist (I need to investigate more, but maybe the script unbans all the IPs?)

The script, just in case (it can be interesting for people that don’t know bash? like me? as an example?):

#!/bin/bash
# Custom bouncer action script. The bouncer calls it with:
#   $1 = add|del, $2 = IP (or range), $3 = duration in seconds,
#   $4 = reason (scenario name), $5 = the decision as JSON

IP=$2
DURATION=$3
REASON=$4
JSON_OBJECT=$5

# router-side script that adds/removes IPs from the blacklist
URL=http://192.168.9.100:3000

LOG=/var/log/bouncer.log

case $1 in
  add)
    # log the decision, then push the IP to the router
    echo "add ${IP} for ${DURATION}s because \"${REASON}\" json : ${JSON_OBJECT}" >> "${LOG}"
    /usr/bin/curl -k --location --request POST "${URL}?token=sdfghjkaze&ips=${IP}"
  ;;
  del)
    # log the expiry, then remove the IP from the router
    echo "del ${IP} for ${DURATION}s because \"${REASON}\" json : ${JSON_OBJECT}" >> "${LOG}"
    /usr/bin/curl -k --silent --location --request DELETE "${URL}?token=gifrnodekp%C3%B9lszmfml&ips=${IP}"
  ;;
  *) echo "unknown action $1" >> "${LOG}"
     exit 1;;
esac
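As an added example (this is not the script from this thread, nor code from cs-custom-bouncer), here is a variant of the same action script that deals with the two points raised above: it strips the /32 that unifiOS refuses, and it keeps a small state file so that a repeated add for an IP that is already banned (or a del for an IP that is not) is logged but not forwarded to the router. The environment variable names, the state-file path, the dry-run behaviour and the router API shape (ROUTER_URL with token and ips query parameters, as in the script above) are assumptions; the five positional arguments are the ones the custom bouncer passes.

```shell
#!/bin/bash
# Added example, not the thread's script: a custom-bouncer action script that
# (1) normalizes a /32 (or /128) range to a bare IP, because the router refuses
#     host CIDRs, and
# (2) keeps a state file of IPs currently pushed to the router, so duplicate
#     add/del events (see the 12 adds for one IP above) are logged, not re-sent.
# Assumed (hypothetical) settings: env-var names, state-file path, router API.

LOG="${BOUNCER_LOG:-/var/log/bouncer.log}"
STATE="${BOUNCER_STATE:-/var/lib/cs-custom-bouncer/active.txt}"
ROUTER_URL="${ROUTER_URL:-}"       # e.g. http://192.168.9.100:3000 ; empty = dry run
ROUTER_TOKEN="${ROUTER_TOKEN:-}"   # read from the environment, not hard-coded

# A single host arrives as a /32 (IPv4) or /128 (IPv6) range: return the bare
# address; real ranges (e.g. 10.0.0.0/24) are returned unchanged.
normalize_ip() {
  case "$1" in
    */32|*/128) printf '%s\n' "${1%/*}" ;;
    *)          printf '%s\n' "$1" ;;
  esac
}

# Record the IP as active; return 1 if it already was (duplicate add).
mark_active() {
  touch "$STATE"
  if grep -qxF -- "$1" "$STATE"; then
    return 1
  fi
  printf '%s\n' "$1" >> "$STATE"
}

# Remove the IP from the active set; return 1 if it was not active (spurious del).
mark_inactive() {
  touch "$STATE"
  if ! grep -qxF -- "$1" "$STATE"; then
    return 1
  fi
  grep -vxF -- "$1" "$STATE" > "$STATE.tmp" || true   # grep -v returns 1 on empty output
  mv "$STATE.tmp" "$STATE"
}

# Number of IPs the script believes are on the router (compare with the router's list).
active_count() {
  touch "$STATE"
  wc -l < "$STATE" | tr -d ' '
}

# Send the change to the router ($1 = POST|DELETE, $2 = ip). With an empty
# ROUTER_URL nothing is sent, which makes a dry run on a clean VM possible.
# -G puts the url-encoded parameters in the query string; -X sets the method.
push_to_router() {
  [ -n "$ROUTER_URL" ] || return 0
  /usr/bin/curl -k --silent --location -G --request "$1" \
    --data-urlencode "token=${ROUTER_TOKEN}" --data-urlencode "ips=$2" "$ROUTER_URL"
}

# $1 = add|del, $2 = ip/range, $3 = duration (s), $4 = reason, $5 = decision JSON
handle_action() {
  local ip
  ip="$(normalize_ip "$2")"
  case "$1" in
    add)
      if mark_active "$ip"; then
        printf 'add %s for %ss because "%s" json : %s\n' "$ip" "$3" "$4" "$5" >> "$LOG"
        push_to_router POST "$ip"
      else
        printf 'skip add %s (already banned)\n' "$ip" >> "$LOG"
      fi ;;
    del)
      if mark_inactive "$ip"; then
        printf 'del %s for %ss because "%s" json : %s\n' "$ip" "$3" "$4" "$5" >> "$LOG"
        push_to_router DELETE "$ip"
      else
        printf 'skip del %s (not banned)\n' "$ip" >> "$LOG"
      fi ;;
    *)
      printf 'unknown action %s\n' "$1" >> "$LOG"
      return 1 ;;
  esac
}

# The bouncer always passes the action as the first argument; with no
# arguments (e.g. when the file is sourced) nothing is executed.
if [ "$#" -gt 0 ]; then
  handle_action "$@"
fi
```

It is invoked exactly like the original script (the bouncer passes add/del, IP, duration, reason, JSON). With ROUTER_URL left empty it only writes the log and the state file, so on a clean VM you can see how many distinct IPs would actually reach the router before pointing it at unifiOS; the skip lines in the log make the duplicate adds from repeated community-blocklist pulls visible without re-sending them.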

There is a new release now :wink:

If you don’t have a bouncer, it is possible that this IP keeps triggering the scenario, and thus comes back on a regular basis; this would explain it :sweat_smile: Can you check the timestamps in the logs? And/or match this with cscli alerts list (or even cscli alerts list -i 95.91.82.81 in your case).

Yes, 95.61.82.81/32 is equal to 95.61.81.81: from the bouncer’s point of view, everything is received as a range (even if it’s a single IP) so that it doesn’t have to try & guess if it’s an IP or a range :slight_smile:

Yes, I saw it while I was writing; I’ll try a little test on a clean VM :slight_smile:.

In fact, I have bouncers, but no parsers. The IPs all come from the community (if I correctly understand how crowdsec works).

edit: just saw this issue: Multiple add/del ban on start · Issue #5 · crowdsecurity/cs-custom-bouncer · GitHub. It seems there is already an issue about this.

And the command shows:

    # cscli alerts list -i 95.91.82.81
    | ID |        VALUE        |        REASON        | COUNTRY | AS | DECISIONS |           CREATED AT           |
    | 68 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-18 12:59:55.273891625+0000 UTC  |
    | 67 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-18 10:59:55.265941903+0000 UTC  |
    | 66 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-18 08:59:55.309135413+0000 UTC  |
    | 65 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-18 06:59:55.314202165+0000 UTC  |
    | 64 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-18 04:59:55.337215872+0000 UTC  |
    | 63 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-18 02:59:55.268404946+0000 UTC  |
    | 62 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-18 00:59:55.361954936+0000 UTC  |
    | 61 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 22:59:55.277663162+0000 UTC  |
    | 59 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 20:59:53.092057027+0000 UTC  |
    | 58 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 19:19:46.764019963+0000 UTC  |
    | 57 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 17:19:46.755005294+0000 UTC  |
    | 56 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 15:19:46.733326978+0000 UTC  |
    | 55 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 13:19:46.780627246+0000 UTC  |
    | 54 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 11:19:46.825624327+0000 UTC  |
    | 53 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 09:19:46.816788631+0000 UTC  |
    | 52 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 07:19:46.765577827+0000 UTC  |
    | 51 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 05:19:46.809953892+0000 UTC  |
    | 50 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 03:19:46.941295612+0000 UTC  |
    | 49 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-17 01:19:46.826938373+0000 UTC  |
    | 48 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 23:19:46.763648049+0000 UTC  |
    | 47 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 21:19:46.849546482+0000 UTC  |
    | 46 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 19:19:46.951200787+0000 UTC  |
    | 44 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 17:19:46.815176558+0000 UTC  |
    | 43 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 15:19:46.741766868+0000 UTC  |
    | 42 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 13:19:46.748264241+0000 UTC  |
    | 41 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 11:19:46.725977237+0000 UTC  |
    | 40 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 09:19:46.806034247+0000 UTC  |
    | 39 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 07:19:46.789361553+0000 UTC  |
    | 38 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 05:19:46.805386948+0000 UTC  |
    | 37 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 03:19:46.74964384 +0000 UTC  |
    | 36 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 01:19:45.021353945+0000 UTC  |
    | 35 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-16 00:41:35.256010743+0000 UTC  |
    | 34 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 22:41:35.247395522+0000 UTC  |
    | 33 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 20:41:35.272033907+0000 UTC  |
    | 32 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 18:41:35.295120583+0000 UTC  |
    | 31 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 16:41:35.295569654+0000 UTC  |
    | 30 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 14:41:35.26795653 +0000 UTC  |
    | 29 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 12:41:35.465075496+0000 UTC  |
    | 28 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 10:41:35.26975677 +0000 UTC  |
    | 27 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 08:41:35.268287806+0000 UTC  |
    | 26 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 06:41:35.269256036+0000 UTC  |
    | 25 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 04:41:35.311315124+0000 UTC  |
    | 24 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 02:41:35.280474824+0000 UTC  |
    | 23 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-15 00:41:35.268442396+0000 UTC  |
    | 22 | Community blocklist | update : +78/-0 IPs  |         |    | ban:78    | 2021-03-14 22:41:33.569363687+0000 UTC  |
    | 21 | Community blocklist | update : +100/-0 IPs |         |    | ban:100   | 2021-03-14 21:37:25.596782988+0000 UTC  |
    | 20 | Community blocklist | update : +100/-0 IPs |         |    | ban:100   | 2021-03-14 21:25:46.953063844+0000 UTC  |
    | 19 | Community blocklist | update : +100/-0 IPs |         |    | ban:100   | 2021-03-14 21:23:14.438461427+0000 UTC  |
    | 18 | Community blocklist | update : +100/-0 IPs |         |    | ban:100   | 2021-03-14 21:13:44.542535783+0000 UTC  |
    | 17 | Community blocklist | update : +100/-0 IPs |         |    | ban:100   | 2021-03-14 20:59:48.505866223+0000 UTC  |
    +----+---------------------+----------------------+---------+----+-----------+--------------------------------+

Yes, OK, no problem :slight_smile:. I just remove “/32” on my side :slight_smile:.