I have installed a new server (Debian 12) including Crowdsec. But I have the feeling that it is not working properly. According to journalctl there are a lot of BF attempts but nothing is blocked.

`systemctl status crowdsec`:

```
● crowdsec.service - Crowdsec agent
Loaded: loaded (/lib/systemd/system/crowdsec.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-07-23 08:26:28 CEST; 5h 50min ago
Main PID: 7470 (crowdsec)
Tasks: 11 (limit: 9475)
Memory: 125.8M
CPU: 30.286s
CGroup: /system.slice/crowdsec.service
├─7470 /usr/bin/crowdsec -c /etc/crowdsec/config.yaml
└─7478 journalctl --follow -n 0 _SYSTEMD_UNIT=ssh.service
Jul 23 08:26:24 dc systemd[1]: Starting crowdsec.service - Crowdsec agent...
Jul 23 08:26:28 dc systemd[1]: Started crowdsec.service - Crowdsec agent.
```
And `cscli metrics` looks like this:

```
Acquisition Metrics:
+-------------------------------------------------+------------+--------------+----------------+------------------------+-------------------+
| Source | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket | Lines whitelisted |
+-------------------------------------------------+------------+--------------+----------------+------------------------+-------------------+
| journalctl:journalctl-_SYSTEMD_UNIT=ssh.service | 199 | 159 | 40 | 480 | - |
+-------------------------------------------------+------------+--------------+----------------+------------------------+-------------------+

Local API Decisions:
+---------------------------------+--------+--------+-------+
| Reason | Origin | Action | Count |
+---------------------------------+--------+--------+-------+
| firehol_greensnow | lists | ban | 4823 |
| otx-webscanners | lists | ban | 9038 |
| tor-exit-nodes | lists | ban | 997 |
| crowdsecurity/ssh-bf | CAPI | ban | 6785 |
| crowdsecurity/ssh-cve-2024-6387 | CAPI | ban | 38 |
| crowdsecurity/ssh-slow-bf | CAPI | ban | 8269 |
+---------------------------------+--------+--------+-------+

Local API Metrics:
+----------------------+--------+------+
| Route | Method | Hits |
+----------------------+--------+------+
| /v1/alerts | GET | 4 |
| /v1/decisions/stream | GET | 2086 |
| /v1/heartbeat | GET | 347 |
| /v1/watchers/login | POST | 10 |
+----------------------+--------+------+

Local API Bouncers Metrics:
+--------------------------------+----------------------+--------+------+
| Bouncer | Route | Method | Hits |
+--------------------------------+----------------------+--------+------+
| cs-firewall-bouncer-1721715847 | /v1/decisions/stream | GET | 2086 |
+--------------------------------+----------------------+--------+------+

Local API Machines Metrics:
+--------------------------------------------------+---------------+--------+------+
| Machine | Route | Method | Hits |
+--------------------------------------------------+---------------+--------+------+
| e0a27400cbb24413bcaf9eafe1469a73KozGmgzLx5Gaz4Jn | /v1/alerts | GET | 4 |
| e0a27400cbb24413bcaf9eafe1469a73KozGmgzLx5Gaz4Jn | /v1/heartbeat | GET | 347 |
+--------------------------------------------------+---------------+--------+------+

Parser Metrics:
+---------------------------------+-------+--------+----------+
| Parsers | Hits | Parsed | Unparsed |
+---------------------------------+-------+--------+----------+
| child-crowdsecurity/sshd-logs | 1.27k | 159 | 1.12k |
| child-crowdsecurity/syslog-logs | 199 | 199 | - |
| crowdsecurity/dateparse-enrich | 159 | 159 | - |
| crowdsecurity/geoip-enrich | 159 | 159 | - |
| crowdsecurity/sshd-logs | 199 | 159 | 40 |
| crowdsecurity/syslog-logs | 199 | 199 | - |
| crowdsecurity/whitelists | 159 | 159 | - |
+---------------------------------+-------+--------+----------+

Scenario Metrics:
+-------------------------------------+---------------+-----------+--------------+--------+---------+
| Scenario | Current Count | Overflows | Instantiated | Poured | Expired |
+-------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/ssh-bf | 1 | - | 83 | 159 | 82 |
| crowdsecurity/ssh-bf_user-enum | 1 | - | 83 | 83 | 82 |
| crowdsecurity/ssh-slow-bf | 1 | - | 35 | 159 | 34 |
| crowdsecurity/ssh-slow-bf_user-enum | 1 | - | 37 | 79 | 36 |
+-------------------------------------+---------------+-----------+--------------+--------+---------+

Whitelist Metrics:
+--------------------------+-----------------------------+------+-------------+
| Whitelist | Reason | Hits | Whitelisted |
+--------------------------+-----------------------------+------+-------------+
| crowdsecurity/whitelists | private ipv4/ipv6 ip/ranges | 159 | - |
+--------------------------+-----------------------------+------+-------------+
```
Is something missing here?