NethServer Version: NS 8
Module: Crowdsec
Good evening,
Now that NS 8 is doing what NS 7 has done reliably over the years, I have installed and set up Crowdsec. So far, so good. Multiple deliberately incorrect login attempts with my smartphone were recognised immediately and the IP was temporarily blocked. Unfortunately, what doesn’t work is the notification by email about the blocked IP, as I’m used to from Fail2Ban.
The mail server is set up. Mattermost and Nextcloud can successfully send notifications. I have saved my email address in the Crowdsec settings, but unfortunately no notifications arrive at this address. I configured the mail server for the notifications manually in the NS 8 settings. Can someone tell me the correct Crowdsec configuration for sending mails?
Thanks…
Uwe
1 Like
stephdl
(Stéphane de Labrusse)
May 30, 2024, 9:26pm
2
Need to see if I can reproduce
1 Like
stephdl
(Stéphane de Labrusse)
May 31, 2024, 1:55pm
3
Sorry, I am not able to reproduce.
Did you put an email to push the notification?
```
Return-Path: <stephane@foo.com>
Delivered-To: stephane@foo.com
Received: from prometheus.foo.com
by prometheus.foo.com with LMTP id EK5oH2vWWWYGVwAAQwhQhQ
for <stephane@foo.com>; Fri, 31 May 2024 15:53:47 +0200
Received: from mout.kundenserver.de (mout.kundenserver.de [217.72.192.74])
by prometheus.foo.com (Postfix) with ESMTPS id 791DD18CF51E2
for <stephane@foo.com>; Fri, 31 May 2024 15:53:46 +0200 (CEST)
Received: from localhost ([86.206.129.103]) by mrelayeu.kundenserver.de
(mreue107 [213.165.67.119]) with ESMTPSA (Nemesis) id
1MFbmS-1sGuZw0QFq-00H59Q for <stephane@foo.com>; Fri, 31 May 2024
15:53:46 +0200
Content-Type: text/html; charset=UTF-8
Date: Fri, 31 May 2024 13:53:46 +0000
MIME-Version: 1.0
From: "CrowdSec" <stephane@foo.com>
To: <stephane@foo.com>
Subject: CrowdSec Notification
Content-Transfer-Encoding: quoted-printable
Message-ID: <1Mqal4-1sqWJW0hrk-00mYHq@mrelayeu.kundenserver.de>
X-Rspamd-Queue-Id: 791DD18CF51E2
X-Spamd-Result: default: False [-1.14 / 19.90];
IP_REPUTATION_HAM(-0.72)[asn: 8560(-0.23), country: DE(-0.01), ip: 217.72.192.74(-0.49)];
GENERIC_REPUTATION(-0.51)[-0.50636749063094];
RWL_MAILSPIKE_VERYGOOD(-0.20)[217.72.192.74:from];
MIME_HTML_ONLY(0.20)[];
DMARC_POLICY_SOFTFAIL(0.10)[foo.com : No valid SPF, No valid DKIM,none];
MX_GOOD(-0.01)[];
FROM_EQ_ENVFROM(0.00)[];
R_SPF_NA(0.00)[no SPF record];
R_DKIM_NA(0.00)[];
MIME_TRACE(0.00)[0:~];
RCVD_COUNT_TWO(0.00)[2];
ASN(0.00)[asn:8560, ipnet:217.72.192.0/20, country:DE];
NEURAL_HAM(-0.00)[-0.847];
RCVD_VIA_SMTP_AUTH(0.00)[];
RCVD_TLS_ALL(0.00)[];
FROM_HAS_DN(0.00)[];
RECEIVED_SPAMHAUS_PBL(0.00)[86.206.129.103:received];
RCVD_IN_DNSWL_NONE(0.00)[217.72.192.74:from];
TO_MATCH_ENVRCPT_ALL(0.00)[];
TO_DN_NONE(0.00)[];
PREVIOUSLY_DELIVERED(0.00)[stephane@foo.com];
RCPT_COUNT_ONE(0.00)[1];
TO_EQ_FROM(0.00)[]
X-Rspamd-Server: prometheus.foo.com
<html><body><p><a href=3Dhttps://www.whois.com/whois/192.168.12.15>192.168.=
12.15</a> will get <b>ban</b> for next <b>12m</b> for triggering <b>crowdse=
curity/ssh-bf</b> on machine <b>localhost</b>.</p> <p><a href=3Dhttps://www=
.shodan.io/host/192.168.12.15>Shodan</a></p></body></html>
=20
```
1 Like
Hi @stephdl and thanks for the reply.
I have entered a valid e-mail address. And if I enter the SMTP of my ISP in the e-mail notifications tab in the settings, the notifications from Crowdsec also work. The only question is why I can’t get it to work with the mail server already installed on my NS 8.
stephdl
(Stéphane de Labrusse)
May 31, 2024, 2:21pm
5
This is a feature of mail 1.4, but you need to set in the settings that you want to send by your mail server.
Additionally, you can create in the relay a default rule to send any mail of your mail server with the SMTP of your provider.
1 Like
stephdl
(Stéphane de Labrusse)
May 31, 2024, 2:31pm
6
You know our mantra
in Logs we trust
```
May 31 16:30:36 R2-pve.rocky9-pve2.org crowdsec1-firewall-bouncer[46962]: time="2024-05-31T14:30:36Z" level=info msg="1 decision added"
May 31 16:30:36 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:36Z" level=info msg="Ip 192.168.12.15 performed 'crowdsecurity/ssh-slow-bf' (17 events over 6m47.250278763s) at 2024-05-31 14:30:36.840715739 +0000 UTC"
May 31 16:30:37 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:37Z" level=info msg="(localhost/crowdsec) crowdsecurity/ssh-slow-bf by ip 192.168.12.15 (/0) : 24m ban on Ip 192.168.12.15"
May 31 16:30:37 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:37Z" level=info msg="127.0.0.1 - [Fri, 31 May 2024 14:30:37 UTC] \"POST /v1/alerts HTTP/1.1 201 2.341922ms \"crowdsec/v1.6.1-c6e40191\" \""
May 31 16:30:37 R2-pve.rocky9-pve2.org postfix/postscreen[57773]: CONNECT from [10.5.4.1]:50448 to [10.5.4.1]:25
May 31 16:30:37 R2-pve.rocky9-pve2.org postfix/postscreen[57773]: ALLOWLISTED [10.5.4.1]:50448
May 31 16:30:37 R2-pve.rocky9-pve2.org postfix/smtpd[57776]: connect from cluster-localnode[10.5.4.1]
May 31 16:30:37 R2-pve.rocky9-pve2.org rspamd[52641]: (rspamd_proxy) <be0d3f>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 42460
May 31 16:30:37 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:37Z" level=error msg="rpc error: code = Unknown desc = Mail Error: mail: invalid string; Header: [From] Address: [CrowdSec <>] error, retry num 1" plugin=email_default
May 31 16:30:38 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:38Z" level=error msg="rpc error: code = Unknown desc = Mail Error: mail: invalid string; Header: [From] Address: [CrowdSec <>]" plugin:=email_default
May 31 16:30:38 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:38Z" level=info msg="Signal push: 1 signals to push"
May 31 16:30:46 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:46Z" level=info msg="127.0.0.1 - [Fri, 31 May 2024 14:30:46 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 4.125688ms \"crowdsec-firewall-bouncer/v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
```
stephdl
(Stéphane de Labrusse)
May 31, 2024, 2:36pm
8
OK, this is a bug, thank you.
```
Python 3.11.7 (main, Jan 22 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import agent
>>> agent.get_smarthost_settings(agent.redis_connect(use_replica=True))
{'port': 25, 'host': '10.5.4.1', 'username': '', 'password': '', 'enabled': True, 'encrypt_smtp': 'none', 'tls_verify': False}
```
3 Likes
stephdl
(Stéphane de Labrusse)
June 3, 2024, 8:46am
10
If you want to have a go, @transocean:
opened 03:21PM - 31 May 24 UTC
bug
testing
**Steps to reproduce**
- configure a mail server
- configure a default relay… rule to send email, it could be also via a smarthost provider
- configure the default email notifications to use the mail server
- install crowdsec, allow the ban on the LAN
- start to make bad login to ban a client on the lan
**Expected behavior**
I expect that when the client is banned, then I receive an email
**Actual behavior**
I do not even send an email and I find some traces in logs
```
May 31 16:30:37 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:37Z" level=error msg="rpc error: code = Unknown desc = Mail Error: mail: invalid string; Header: [From] Address: [CrowdSec <>] error, retry num 1" plugin=email_default
May 31 16:30:38 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:38Z" level=error msg="rpc error: code = Unknown desc = Mail Error: mail: invalid string; Header: [From] Address: [CrowdSec <>]" plugin:=email_default
May 31 16:30:38 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:38Z" level=info msg="Signal push: 1 signals to push"
May 31 16:30:46 R2-pve.rocky9-pve2.org crowdsec1[53404]: time="2024-05-31T14:30:46Z" level=info msg="127.0.0.1 - [Fri, 31 May 2024 14:30:46 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 4.125688ms \"crowdsec-firewall-bouncer/v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
```
This is because the `sender_email` is empty: since we use the mail server as provider without authentication, the From field is empty.
```
Python 3.11.7 (main, Jan 22 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import agent
>>> agent.get_smarthost_settings(agent.redis_connect(use_replica=True))
{'port': 25, 'host': '10.5.4.1', 'username': '', 'password': '', 'enabled': True, 'encrypt_smtp': 'none', 'tls_verify': False}
```
see https://github.com/NethServer/ns8-crowdsec/blob/72013f70a71fe7b3dcd6ac8247ce4bc7e55bf6e1/imageroot/bin/expand-smarthost#L39
**Components**
crowdsec 1.0.8
**See also**
https://community.nethserver.org/t/crowdsec-does-not-send-notifications/23740
----
Thanks, transocean
1 Like
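The failure reported in the issue above is silent from the administrator's side: the ban is applied but the alert mail is never sent. As an added example (not code from the thread or from ns8-crowdsec), the sketch below scans journal lines for notification-plugin errors and validates a From header before it is used. The function names, the fallback address, and the assumption that the sender is taken from the smarthost `username` are hypothetical.

```python
import re

# Journal lines quoted from the thread (host prefix trimmed): two plugin errors, one info line.
SAMPLE = [
    'crowdsec1[53404]: time="2024-05-31T14:30:37Z" level=error msg="rpc error: code = Unknown desc = Mail Error: mail: invalid string; Header: [From] Address: [CrowdSec <>] error, retry num 1" plugin=email_default',
    'crowdsec1[53404]: time="2024-05-31T14:30:38Z" level=error msg="rpc error: code = Unknown desc = Mail Error: mail: invalid string; Header: [From] Address: [CrowdSec <>]" plugin:=email_default',
    'crowdsec1[53404]: time="2024-05-31T14:30:38Z" level=info msg="Signal push: 1 signals to push"',
]

# Error lines carry the plugin name after the message; both "plugin=" and "plugin:=" appear in the thread.
PLUGIN_ERR = re.compile(r'level=error msg="(?P<msg>.*?)" plugin:?=(?P<plugin>\S+)')
FROM_ADDR = re.compile(r"Header: \[From\] Address: \[(?P<addr>[^\]]*)\]")
ANGLE = re.compile(r"<([^<>]*)>")
ADDRESS = re.compile(r"[^@\s<>]+@[^@\s<>]+")


def failed_notifications(lines):
    """Return (plugin, rejected From value or None) for every plugin error line."""
    hits = []
    for line in lines:
        err = PLUGIN_ERR.search(line)
        if not err:
            continue
        bad_from = FROM_ADDR.search(err.group("msg"))
        hits.append((err.group("plugin"), bad_from.group("addr") if bad_from else None))
    return hits


def sender_is_valid(from_header):
    """True only when the header holds a non-empty local@domain address."""
    angle = ANGLE.search(from_header)
    addr = angle.group(1) if angle else from_header.strip()
    return ADDRESS.fullmatch(addr) is not None


def pick_sender(settings, fallback):
    """Assumption: sender comes from the smarthost username; fall back when it is not an address."""
    user = settings.get("username", "")
    return user if ADDRESS.fullmatch(user) else fallback


if __name__ == "__main__":
    for plugin, addr in failed_notifications(SAMPLE):
        print(f"notification plugin {plugin} failed, From={addr!r}")
```
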
From now on I will call you Master.
Thank you @stephdl …, now it works.
1 Like