Prometheus connection refused

Hi

Get "http://192.168.2.10:6060/metrics": dial tcp 192.168.2.10:6060: connect: connection refused

Can't nail down my issue, so I am asking here.

Got Crowdsec bouncer installed on the internet-facing proxy in the DMZ (Ubuntu Apache)

My config related to Prometheus is the default:

  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060

The metrics are available on the server with http://localhost:6060 but nothing else. If I try on the localhost, with its own IP, it doesn’t work, and it is obviously refused as well from all other machines in my LAN or DMZ.

tom@cerbere:/etc/crowdsec$ sudo service crowdsec-firewall-bouncer restart
tom@cerbere:/etc/crowdsec$ curl http://192.168.2.10:6060/metrics
curl: (7) Failed to connect to 192.168.2.10 port 6060: Connection refused
tom@cerbere:/etc/crowdsec$ curl http://localhost:6060/metrics
# HELP cs_active_decisions Number of active decisions.
# TYPE cs_active_decisions gauge
cs_active_decisions{action="ban",origin="CAPI",reason="crowdsecurity/CVE-2019-18935"} 4
cs_active_decisions{action="ban",origin="CAPI",reason="crowdsecurity/CVE-2022-26134"} 10
...

ufw port 6060 is allowed, and all traffic from my LAN too (which is where the Prometheus server is)

tom@cerbere:/etc/crowdsec$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
9100                       ALLOW       Anywhere
1050                       ALLOW       Anywhere
10050                      ALLOW       Anywhere
10051                      ALLOW       Anywhere
6060                       ALLOW       Anywhere
Anywhere                   ALLOW       192.168.1.0/24
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
9100 (v6)                  ALLOW       Anywhere (v6)
1050 (v6)                  ALLOW       Anywhere (v6)
10050 (v6)                 ALLOW       Anywhere (v6)
10051 (v6)                 ALLOW       Anywhere (v6)
6060 (v6)                  ALLOW       Anywhere (v6)

In the bouncer config I also have rules to whitelist DMZ and LAN traffic, and allow LAN connections to the API. And obviously the bouncer hasn’t blocked/banned anything on my network.

Additionally, I have the zabbix agent running on this machine, with its ports allowed in UFW, and it works fine (Zabbix server in the LAN can pull info from it) which makes me think that the issue is purely in a Crowdsec component.

Cheers

Tom

Your config is only on loopback so won't accept connections from outside. Change to 0.0.0.0

Makes sense :)

Btw I tried the IP of my monitoring box or the whole LAN like 192.168.1.0/24, but that doesn’t work… why?

According to your log above, it should be 192.168.2.0/24, or 192.168.0.0/22 to cover both 192.168.1.x and 192.168.2.x.
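
Added example, not part of the thread and not CrowdSec code: listen_addr names the local address the metrics endpoint binds to, so this sketch classifies candidate values by how a TCP bind treats them. The helper name classify_listen_addr is hypothetical, and it assumes the value is handed to an ordinary socket bind as a literal IP.

```python
import ipaddress
import socket


def classify_listen_addr(value: str) -> str:
    """Say how a TCP bind() treats a candidate listen_addr (hypothetical helper)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        # Only literal IPs are accepted here; a CIDR range is never a bindable address.
        return "invalid: not a literal IP address"
    if ip.is_unspecified:
        return "wildcard: listens on every interface"
    if ip.is_loopback:
        return "loopback: reachable from this host only"
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.bind((value, 0))  # port 0: any free port, we only test the address
    except OSError as exc:
        # Typically EADDRNOTAVAIL: the address belongs to another machine.
        return f"not bindable: {exc.strerror or exc}"
    return "interface: listens on that one local address only"


if __name__ == "__main__":
    # Values from the thread; 192.168.2.10 is only bindable on the poster's host.
    for candidate in ("127.0.0.1", "0.0.0.0", "192.168.1.0/24", "192.168.2.10"):
        print(f"{candidate:16} {classify_listen_addr(candidate)}")
```

With a wildcard bind, who can reach port 6060 is decided entirely by the firewall, and the ufw output earlier in the thread allows 6060 from Anywhere on a DMZ host.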