SSHD detection not working?

Hey, I’m new to crowdsec and found that the overall idea is amazing and I want to be a part of it.
Fail2Ban was my previous bouncer but it wouldn’t detect all SSH attempts for some odd reason. It only detected every second or third attempt. While searching for an alternative I found crowdsec. I decided to give it a try on my VPS. I disabled Fail2Ban and installed crowdsec + bouncer and it looks like it should work just fine. Looking at the documentation it should be all well and running. I even got my first alert after a few minutes (http-probing). Now I wanted to try the system out myself by bf-ing ssh myself. I used a VPN to bf into my machine but I did not get stopped. I tried at least 50 times and did not get banned. This is not exactly how I’d imagine this. Am I doing something wrong? Where exactly do I change the bantime, findtime and maxretries? I wasn’t able to find a good answer in the docs to that.

Here are some screenshots:
Metrics
Hub List

Thanks for the help
~SniperOwl

Hi

Happy you like our concept. So do we :slight_smile:

To help you out I need to know more about what’s going on. So could you please paste the output of /var/log/crowdsec.log?

Also pay attention to that you need the bouncer to be registered to the agent for it to work. Normally this happens automatically but please do a cscli bouncers list to make sure.

Thanks

Hey,

thanks for the amazingly quick reply. I really appreciate that.
Here is what I get from the command:


I just noticed that the IP I was using got banned a bit after I tried the bf. I cannot load my website with this IP but I can still use SSH.

Hi. Don’t worry, it was purely coincidental :slight_smile:

Could you paste me relevant content of the crowdsec.log file? I need to know if your bf is detected and how the agent reacts to it.

Thanks

Hey,

I totally forgot to attach it for some reason. Here it is
This is a real attack btw but he got banned multiple times already.

Alright. That looks fine. cscli decisions list verifies that the attack has been blocked (assuming the bouncer works as it should; nothing indicates otherwise).

Could you find the log entries from your own try? I have a theory that they originate from localhost (which is whitelisted and can’t be banned). But only the log can tell for sure.
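To make the whitelist theory above concrete, here is an added example (not from this thread or from the CrowdSec project) that mirrors what an SSH brute-force scenario does: it counts failed logins per source IP from auth log lines and drops whitelisted sources, so you can see whether your own test attempts would ever produce a decision. The threshold, the whitelist and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not CrowdSec code: count sshd "Failed password" events per
# source IP and report the ones that cross a threshold, skipping whitelisted
# sources the way the agent skips localhost. THRESHOLD and WHITELIST are
# assumptions, not CrowdSec's real scenario values.
THRESHOLD=5
WHITELIST="127.0.0.1 ::1"

# Constructed sample auth log lines (not real logs from the thread).
# 203.0.113.235 fails 6 times, 127.0.0.1 fails 6 times, one clean login.
SAMPLE_LOG='Dec  9 13:30:01 vps sshd[1001]: Failed password for root from 203.0.113.235 port 51000 ssh2
Dec  9 13:30:02 vps sshd[1002]: Failed password for root from 203.0.113.235 port 51001 ssh2
Dec  9 13:30:03 vps sshd[1003]: Failed password for invalid user admin from 203.0.113.235 port 51002 ssh2
Dec  9 13:30:04 vps sshd[1004]: Failed password for root from 203.0.113.235 port 51003 ssh2
Dec  9 13:30:05 vps sshd[1005]: Failed password for root from 203.0.113.235 port 51004 ssh2
Dec  9 13:30:06 vps sshd[1006]: Failed password for root from 203.0.113.235 port 51005 ssh2
Dec  9 13:30:07 vps sshd[1007]: Failed password for root from 127.0.0.1 port 40000 ssh2
Dec  9 13:30:08 vps sshd[1008]: Failed password for root from 127.0.0.1 port 40001 ssh2
Dec  9 13:30:09 vps sshd[1009]: Failed password for root from 127.0.0.1 port 40002 ssh2
Dec  9 13:30:10 vps sshd[1010]: Failed password for root from 127.0.0.1 port 40003 ssh2
Dec  9 13:30:11 vps sshd[1011]: Failed password for root from 127.0.0.1 port 40004 ssh2
Dec  9 13:30:12 vps sshd[1012]: Failed password for root from 127.0.0.1 port 40005 ssh2
Dec  9 13:30:13 vps sshd[1013]: Accepted publickey for deploy from 198.51.100.7 port 42000 ssh2'

# count_failures: read auth log lines on stdin, print "<ip> <count>" per source.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# offenders: print the IPs at or above THRESHOLD that are not whitelisted,
# i.e. the only ones a bouncer would ever receive a decision for.
offenders() {
    count_failures | while read -r ip cnt; do
        skip=0
        for w in $WHITELIST; do
            if [ "$ip" = "$w" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ] && [ "$cnt" -ge "$THRESHOLD" ]; then
            echo "$ip"
        fi
    done
}

# Run against the sample; on a real host use:  offenders < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | offenders
```

If your own attempts show up under 127.0.0.1 (for example because you tested from the VPS itself), they are counted but never become a decision, which matches the behaviour described above.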

I just rechecked and I’m the Finnish IP ending with 235. I can still access SSH with that IP but can’t reach my nginx server.

Alright. I am fresh out of ideas :slight_smile:

I’ll make sure someone more qualified follows up. Thanks for getting in touch!


Thank you for your time and effort. Much appreciated :slight_smile:


Hello @SniperOwl,

Can you paste the output of your firewall bouncer logs please? They are located in /var/log/crowdsec-firewall-bouncer.log.
Also, can you paste the output of sudo cscli decisions list please? :slight_smile:

Hey,
the complete log can be found here and the decisions list here.
Thanks for the assistance.

@SniperOwl, those are crowdsec logs, I would like to see the firewall bouncer logs please

My bad, I copied the wrong value. Should be fixed now. (https://x.sniperowl.info/crowdsecfw.txt)

The Indian IP got detected 3 times and got banned 3 times and is still trying to ssh into my server.
The detection works but the bouncer for SSHD does not work correctly for some reason. Fail2Ban is still installed but disabled and not running if that could be a problem.

Hello @SniperOwl, sorry for the delay.

From your bouncer logs, if those are the latest logs, it seems that your bouncer is not running:

time="08-12-2021 07:33:32" level=info msg="Shutting down firewall-bouncer service"

Can you try to restart it with sudo systemctl restart crowdsec-firewall-bouncer and paste the logs again if it is still not working as expected?

Hey,
I’m just thankful for the support. Take as much time as you need :slight_smile:
I restarted the service and updated the log.
https://x.sniperowl.info/crowdsecfw.txt

Thanks

Edit: I retried my self-bf and tried to log in to root 10 times but did not get banned. I did not even trigger an alert. Where exactly can I configure the maxretries and stuff?

I think this file is the same as the one you pasted yesterday :confused:

Yes, but it’s updated. See time=“09-12-2021 13:30:01”. Maybe do ctrl + f5 to empty the browser cache?

Edit: I updated it once more so it is the most recent state of the log. (09-12-2021 14:39:3)

Hello, it seems ok from your crowdsec-firewall-bouncer logs.
If you haven’t been banned it is another problem.
Can you paste the output of cscli metrics please?

Also, be careful when you try to BF your server to trigger an alert while you have the crowdsec-firewall-bouncer running.

Here are the results: https://x.sniperowl.info/powershell_A8O6PgOs8X.png
I’m using a VPN to trigger the alert so I won’t block myself.