Tainted collections. How to reinstall?

I tried manually parsing logs and I think I now have a problem with my collection.

NAME :package: STATUS VERSION LOCAL PATH

crowdsecurity/sshd :heavy_check_mark: enabled 0.2 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/apache2 :warning: enabled,tainted ? /etc/crowdsec/collections/apache2.yaml
crowdsecurity/linux :heavy_check_mark: enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/base-http-scenarios :warning: enabled,tainted ? /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/modsecurity :warning: enabled,tainted ? /etc/crowdsec/collections/modsecurity.yaml

I tried removing the tainted collection but get an error when I try to remove.

crowdsec collection remove modsecurity
time="25-01-2022 20:52:17" level=fatal msg="listen tcp 127.0.0.1:8080: bind: address already in use"

I stop crowdsec:
service crowdsec stop

and then the removal:
crowdsec collection remove modsecurity
but it freezes and never finishes, requiring a break.

yum remove crowdsec
yum install crowdsec

Collections still show tainted.
The metabase dashboard container still shows the same info.

How can I blow up my crowdsec install and start fresh?
I would prefer not to restage the box.

I don’t know if it’s a typo or an error but you use ‘crowdsec’ to remove collections. You need to use cscli.

Does this change anything?

Apologies, yes I was using the cscli previously, but my syntax wasn’t correct. When corrected I was prompted to use the force argument because the collection is tainted.

cscli collections remove crowdsecurity/modsecurity --force
cscli collections remove crowdsecurity/apache2 --force
cscli collections remove crowdsecurity/base-http-scenarios --force
systemctl reload crowdsec

cscli collections install crowdsecurity/modsecurity
cscli collections install crowdsecurity/apache2
cscli collections install crowdsecurity/base-http-scenarios
systemctl reload crowdsec

COLLECTIONS

NAME :package: STATUS VERSION LOCAL PATH

crowdsecurity/sshd :heavy_check_mark: enabled 0.2 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/base-http-scenarios :heavy_check_mark: enabled 0.5 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/linux :heavy_check_mark: enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/modsecurity :heavy_check_mark: enabled 0.1 /etc/crowdsec/collections/modsecurity.yaml
crowdsecurity/apache2 :heavy_check_mark: enabled 0.1 /etc/crowdsec/collections/apache2.yaml

All good now! :slight_smile:


Great to hear that - if you run into more problems feel free to post here or on Discord :slight_smile:
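
The fix from the thread as a reusable dry run (an added example, not posted by anyone in the thread): it reads a listing in the format shown above, picks the rows marked tainted, and prints the remove `--force`, install and reload sequence without executing anything. The function names and the name-validation pattern are assumptions of this example; the sample listing is constructed from the first post.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run planner for tainted collections.

# Constructed sample: the listing from the first post.
sample_listing() {
cat <<'EOF'
NAME :package: STATUS VERSION LOCAL PATH
crowdsecurity/sshd :heavy_check_mark: enabled 0.2 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/apache2 :warning: enabled,tainted ? /etc/crowdsec/collections/apache2.yaml
crowdsecurity/linux :heavy_check_mark: enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/base-http-scenarios :warning: enabled,tainted ? /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/modsecurity :warning: enabled,tainted ? /etc/crowdsec/collections/modsecurity.yaml
EOF
}

# Read a listing on stdin; print the names whose status includes "tainted".
# Only names shaped like author/item with safe characters are accepted
# (assumed pattern), so the printed commands are safe to paste into a shell.
tainted_collections() {
    awk '$1 ~ /^[A-Za-z0-9_-]+\/[A-Za-z0-9_.-]+$/ {
        for (i = 2; i <= NF; i++) {
            n = split($i, flags, ",")
            for (j = 1; j <= n; j++)
                if (flags[j] == "tainted") { print $1; next }
        }
    }'
}

# Read a listing on stdin; print the command sequence used in the thread.
# Nothing is executed here.
reinstall_plan() {
    names=$(tainted_collections)
    [ -n "$names" ] || return 0
    for name in $names; do
        echo "cscli collections remove $name --force"
    done
    echo "systemctl reload crowdsec"
    for name in $names; do
        echo "cscli collections install $name"
    done
    echo "systemctl reload crowdsec"
}

sample_listing | reinstall_plan
```

On a live host, pipe `cscli collections list` into `reinstall_plan` and review the printed commands before running them.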