with nethserver/nethsecurity you have two kinds of manuals, dev and admin
we know that dev is more CLI oriented and admin more GUI
for nethsec
Hello Stephane
I’ve tried from an external IP to connect with the curl command
curl -k -n --url 'smtps://pdebrabander.nl:587' --user 'patrick@pdebrabander.nl:password' --mail-from 'patrick.brab1308@gmail.com' --mail-rcpt 'patrick@pdebrabander.nl' --upload-file /dev/null -u 'patrick@pdebrabander.nl':'password' -v
* Couldn't find host pdebrabander.nl in the .netrc file; using defaults
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to pdebrabander.nl port 587 (#0)
* Trying 213.93.196.209...
* Connected to pdebrabander.nl (213.93.196.209) port 587 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (35) Encountered end of file
In the mail.log
2024-10-16T18:59:33+02:00 [1:mail1:rspamd] (rspamd_proxy) <6a5feb>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 54192
2024-10-16T18:59:33+02:00 [1:mail1:postfix/smtpd] warning: non-SMTP command from e118099.upc-e.chello.nl[213.93.118.99]: \026\003\001\000\304\001\000\000\300\003\003\021\226\352R\262Z\331\302\355\341\345\217\211\003\357g\
2024-10-16T18:59:33+02:00 [1:mail1:postfix/smtpd] disconnect from e118099.upc-e.chello.nl[213.93.118.99] unknown=0/1 commands=0/1
2024-10-16T18:59:33+02:00 [1:mail1:rspamd] (rspamd_proxy) <6a5feb>; milter; rspamd_milter_process_command: got connection from 213.93.118.99:60102
2024-10-16T18:59:33+02:00 [1:mail1:rspamd] (rspamd_proxy) <6a5feb>; proxy; proxy_milter_finish_handler: finished milter connection
2024-10-16T18:59:38+02:00 [1:sogo1:sogo-app] Oct 16 18:59:38 sogod [109]: <0x0x563a93309930[SOGoActiveSyncDispatcher]> Sleeping 30 seconds while detecting changes for user patrick in Ping...
2024-10-16T18:59:41+02:00 [1:mail1:postfix/smtpd] connect from e118099.upc-e.chello.nl[213.93.118.99]
2024-10-16T18:59:41+02:00 [1:mail1:rspamd] (rspamd_proxy) <d64d5d>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 60374
2024-10-16T18:59:42+02:00 [1:mail1:postfix/smtpd] warning: non-SMTP command from e118099.upc-e.chello.nl[213.93.118.99]: \026\003\001\000\304\001\000\000\300\003\0034rwa\266\327\325\344\222\024>N\326\215\345T\267@\355\351
2024-10-16T18:59:42+02:00 [1:mail1:rspamd] (rspamd_proxy) <d64d5d>; milter; rspamd_milter_process_command: got connection from 213.93.118.99:60104
2024-10-16T18:59:42+02:00 [1:mail1:rspamd] (rspamd_proxy) <d64d5d>; proxy; proxy_milter_finish_handler: finished milter connection
2024-10-16T18:59:42+02:00 [1:mail1:postfix/smtpd] disconnect from e118099.upc-e.chello.nl[213.93.118.99] unknown=0/1 commands=0/1
2024-10-16T18:59:42+02:00 [1:sogo1:sogo-app] Oct 16 18:59:42 sogod [7]: [WARN] <0x0x563a91e5aba0[WOWatchDogChild]> pid 104 has been hanging in the same request for 3 minutes
2024-10-16T18:59:42+02:00 [1:sogo1:sogo-app] Oct 16 18:59:42 sogod [104]: <0x0x563a92285460[SOGoActiveSyncDispatcher]> Sleeping 30 seconds while detecting changes for user linda in Ping...
2024-10-16T18:59:46+02:00 [1:mail1:postfix/smtpd] connect from e118099.upc-e.chello.nl[213.93.118.99]
2024-10-16T18:59:46+02:00 [1:mail1:rspamd] (rspamd_proxy) <704d52>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 60386
2024-10-16T18:59:46+02:00 [1:mail1:postfix/smtpd] warning: non-SMTP command from e118099.upc-e.chello.nl[213.93.118.99]: \026\003\001\000\304\001\000\000\300\003\003\304\037\021\367r\311.\0047\022ITo\006\315\265ey\341\362
2024-10-16T18:59:46+02:00 [1:mail1:postfix/smtpd] disconnect from e118099.upc-e.chello.nl[213.93.118.99] unknown=0/1 commands=0/1
2024-10-16T18:59:46+02:00 [1:mail1:rspamd] (rspamd_proxy) <704d52>; milter; rspamd_milter_process_command: got connection from 213.93.118.99:60106
2024-10-16T18:59:46+02:00 [1:mail1:rspamd] (rspamd_proxy) <704d52>; proxy; proxy_milter_finish_handler: finished milter connection
2024-10-16T18:59:51+02:00 [1:sogo1:sogo-app] Oct 16 18:59:51 sogod [101]: <0x0x563a91f03860[SOGoActiveSyncDispatcher]> Sleeping 30 seconds while detecting changes for user thomas in Ping...
2024-10-16T18:59:52+02:00 [1:mail1:postfix/smtpd] connect from e118099.upc-e.chello.nl[213.93.118.99]
2024-10-16T18:59:52+02:00 [1:mail1:rspamd] (rspamd_proxy) <dd83a0>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 57114
2024-10-16T18:59:52+02:00 [1:mail1:postfix/smtpd] warning: non-SMTP command from e118099.upc-e.chello.nl[213.93.118.99]: \026\003\001\000\304\001\000\000\300\003\003B\r<\221\330q=\aR\326g\240\233\330]\\\tu\324\330\321\200
2024-10-16T18:59:52+02:00 [1:mail1:postfix/smtpd] disconnect from e118099.upc-e.chello.nl[213.93.118.99] unknown=0/1 commands=0/1
2024-10-16T18:59:52+02:00 [1:mail1:rspamd] (rspamd_proxy) <dd83a0>; milter; rspamd_milter_process_command: got connection from 213.93.118.99:60108
2024-10-16T18:59:52+02:00 [1:mail1:rspamd] (rspamd_proxy) <dd83a0>; proxy; proxy_milter_finish_handler: finished milter connection
2024-10-16T18:59:54+02:00 [1:mail1:postfix/smtpd] connect from e118099.upc-e.chello.nl[213.93.118.99]
2024-10-16T18:59:54+02:00 [1:mail1:rspamd] (rspamd_proxy) <7b7aaa>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 57120
2024-10-16T18:59:54+02:00 [1:mail1:postfix/smtpd] warning: non-SMTP command from e118099.upc-e.chello.nl[213.93.118.99]: \026\003\001\000\304\001\000\000\300\003\003\270\247\362\367\250\335\335\277\322\244\321\267)\330=\3
2024-10-16T18:59:54+02:00 [1:mail1:rspamd] (rspamd_proxy) <7b7aaa>; milter; rspamd_milter_process_command: got connection from 213.93.118.99:60110
2024-10-16T18:59:54+02:00 [1:mail1:postfix/smtpd] disconnect from e118099.upc-e.chello.nl[213.93.118.99] unknown=0/1 commands=0/1
2024-10-16T18:59:54+02:00 [1:mail1:rspamd] (rspamd_proxy) <7b7aaa>; proxy; proxy_milter_finish_handler: finished milter connection
2024-10-16T18:59:58+02:00 [1:mail1:postfix/smtpd] connect from e118099.upc-e.chello.nl[213.93.118.99]
2024-10-16T18:59:58+02:00 [1:mail1:rspamd] (rspamd_proxy) <2f8327>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 39080
2024-10-16T18:59:58+02:00 [1:mail1:postfix/smtpd] warning: non-SMTP command from e118099.upc-e.chello.nl[213.93.118.99]: \026\003\001\000\304\001\000\000\300\003\003\3265`\214\345\244GXZ\267\375\024>!\2531\036Y\265[\262a\
2024-10-16T18:59:58+02:00 [1:mail1:postfix/smtpd] disconnect from e118099.upc-e.chello.nl[213.93.118.99] unknown=0/1 commands=0/1
2024-10-16T18:59:58+02:00 [1:mail1:rspamd] (rspamd_proxy) <2f8327>; milter; rspamd_milter_process_command: got connection from 213.93.118.99:60112
2024-10-16T18:59:58+02:00 [1:mail1:rspamd] (rspamd_proxy) <2f8327>; proxy; proxy_milter_finish_handler: finished milter connection
Nothing in the crowdsec log to see
Even your mail server did not catch it !!!
we did not have the smtp transaction
this is wrong
look at the smtp vs smtps
smtps → 465
smtp → 587
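The escaped bytes after `non-SMTP command` in the mail.log lines above are a TLS ClientHello: an `smtps://` (implicit TLS) client spoke TLS to a port that expects plaintext SMTP followed by STARTTLS, so no SMTP transaction ever started. The following is an added example, not code from the thread or from the NethServer project, that decodes those bytes from a log line; the function names are illustrative and the second sample line is constructed.

```python
import re

# Postfix warning emitted when the first bytes from a client are not an SMTP verb.
NON_SMTP = re.compile(
    r"postfix/smtpd\] warning: non-SMTP command from (\S+?)\[([0-9a-fA-F.:]+)\]: (.*)$")
# Log escapes: \ooo octal, a few C-style escapes, a dangling "\" where the line
# was truncated, or any literal character.
ESCAPE = re.compile(r"\\([0-3][0-7]{2})|\\([abtnvfr\\])|\\$|(.)", re.S)
C_ESCAPES = {"a": 7, "b": 8, "t": 9, "n": 10, "v": 11, "f": 12, "r": 13, "\\": 92}

def decode_escapes(text):
    """Turn the escaped payload from the log line back into raw bytes."""
    out = bytearray()
    for m in ESCAPE.finditer(text):
        if m.group(1):
            out.append(int(m.group(1), 8))
        elif m.group(2):
            out.append(C_ESCAPES[m.group(2)])
        elif m.group(3):
            out += m.group(3).encode("latin-1", "replace")
    return bytes(out)

def tls_client_hello(payload):
    """Return TLS versions if payload starts a ClientHello record, else None."""
    # Record header: type 0x16 (handshake), major version 3, 2-byte length;
    # then handshake type 0x01 (ClientHello).
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return None
    info = {"record_version": (payload[1], payload[2]), "client_version": None}
    if len(payload) >= 11:  # legacy_version follows the 3-byte handshake length
        info["client_version"] = (payload[9], payload[10])
    return info

def classify(line):
    """None for unrelated lines; otherwise who sent what to the plaintext port."""
    m = NON_SMTP.search(line)
    if not m:
        return None
    host, ip, raw = m.groups()
    hello = tls_client_hello(decode_escapes(raw))
    return {"host": host, "ip": ip, "implicit_tls_on_plain_port": hello is not None, "hello": hello}

# First sample is a line from the thread; the second is constructed for contrast.
SAMPLE_TLS = r"2024-10-16T18:59:42+02:00 [1:mail1:postfix/smtpd] warning: non-SMTP command from e118099.upc-e.chello.nl[213.93.118.99]: \026\003\001\000\304\001\000\000\300\003\0034rwa\266\327\325\344\222\024>N\326\215\345T\267@\355\351"
SAMPLE_OTHER = "2024-10-16T19:00:00+02:00 [1:mail1:postfix/smtpd] warning: non-SMTP command from client.example[192.0.2.10]: GET / HTTP/1.1"

if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_OTHER):
        print(classify(sample))
```

Lines flagged this way contain no AUTH attempt, which matches the empty CrowdSec log for that test.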
Bingo !!
2024-10-16T19:33:39+02:00 [1:mail1:postfix/smtpd] warning: e118099.upc-e.chello.nl[213.93.118.99]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=linda
2024-10-16T19:33:39+02:00 [1:mail1:postfix/smtpd] lost connection after AUTH from e118099.upc-e.chello.nl[213.93.118.99]
2024-10-16T19:33:39+02:00 [1:mail1:postfix/smtpd] disconnect from e118099.upc-e.chello.nl[213.93.118.99] ehlo=2 starttls=1 auth=0/1 commands=3/4
2024-10-16T19:33:39+02:00 [1:mail1:rspamd] (rspamd_proxy) <1b5c21>; milter; rspamd_milter_process_command: got connection from 213.93.118.99:33518
2024-10-16T19:33:39+02:00 [1:mail1:rspamd] (rspamd_proxy) <1b5c21>; proxy; proxy_milter_finish_handler: finished milter connection
2024-10-16T19:33:43+02:00 [1:mail1:postfix/smtpd] connect from e118099.upc-e.chello.nl[213.93.118.99]
2024-10-16T19:33:43+02:00 [1:mail1:rspamd] (rspamd_proxy) <559240>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 33552
2024-10-16T19:33:44+02:00 [1:mail1:postfix/smtpd] Anonymous TLS connection established from e118099.upc-e.chello.nl[213.93.118.99]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2024-10-16T19:33:44+02:00 [1:mail1:dovecot] auth-worker(11733): conn unix:auth-worker (pid=11732,uid=90): auth-worker<8>: ldap(linda,213.93.118.99): Password mismatch (for LDAP bind)
2024-10-16T19:33:44+02:00 [1:crowdsec2:crowdsec2] time="2024-10-16T17:33:44Z" level=info msg="Ip 213.93.118.99 performed 'crowdsecurity/dovecot-spam' (4 events over 36.89303849s) at 2024-10-16 17:33:44.802392089 +0000 UTC"
2024-10-16T19:33:45+02:00 [1:crowdsec2:crowdsec2] time="2024-10-16T17:33:45Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 213.93.118.99 (NL/33915) : 4m ban on Ip 213.93.118.99"
2024-10-16T19:33:46+02:00 [1:mail1:postfix/smtpd] warning: e118099.upc-e.chello.nl[213.93.118.99]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=linda
2024-10-16T19:33:46+02:00 [1:mail1:postfix/smtpd] lost connection after AUTH from e118099.upc-e.chello.nl[213.93.118.99]
2024-10-16T19:33:46+02:00 [1:mail1:rspamd] (rspamd_proxy) <559240>; milter; rspamd_milter_process_command: got connection from 213.93.118.99:33520
2024-10-16T19:33:46+02:00 [1:mail1:postfix/smtpd] disconnect from e118099.upc-e.chello.nl[213.93.118.99] ehlo=2 starttls=1 auth=0/1 commands=3/4
2024-10-16T19:33:46+02:00 [1:mail1:rspamd] (rspamd_proxy) <559240>; proxy; proxy_milter_finish_handler: finished milter connection
Thanks a lot for the help.
So crowdsec is blocking the IPs. Does Crowdsec have a list of IPs which it is already blocking? Because the hits are very low compared to fail2ban
Looks like there is a failsafe feature which blocks IPs upfront
Crowdsec is edited by a French startup/scale-up and they provide services and try to sell blacklists
You can connect your instance to their website to manage the available blacklists
It is an enhancement but it is not needed because crowdsec could work as a standalone
However the central api (central intelligence) provides you a blacklist of 15000 IPs if I recall correctly
When you list the decisions use --all
Maybe this is why you feel so few attempts
Correct.
runagent -m crowdsec2 podman exec -ti crowdsec2 cscli decisions list --all
Gives a list of > 120k IPs
Did a quick check of fail2ban blocks on another server and those IPs were in the list
Gentle reminder that the Crowdsec dev version has not yet been evolved into a released version.

@stephdl anything we still need to do/test please?
we have had a bottleneck in the verification of crowdsec, we have some verified code blocked by an unverified feature. I must release a new version of crowdsec, maybe I need to make a rollback of the feature. Let’s wait
Thanks for the update. I updated the 1.0.15-dev to 1.0.15
If I click ‘open app’, the screen stays blank.
2025-09-01T22:50:12+02:00 [1:crowdsec1:crowdsec1] time="2025-09-01T20:50:12Z" level=debug msg="received EOF, stopping recv loop" err="rpc error: code = Unavailable desc = error reading from server: EOF"
2025-09-01T22:50:16+02:00 [1:crowdsec1:crowdsec1-firewall-bouncer] time="2025-09-01T20:50:16Z" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:20003: connect: connection refused"
2025-09-01T22:50:16+02:00 [1:crowdsec1:crowdsec1-firewall-bouncer] time="2025-09-01T20:50:16Z" level=error msg="Get \"http://127.0.0.1:20003/v1/decisions/stream?additional_pull=false&community_pull=false&startup=true\": dial tcp 127.0.0.1:20003: connect: connection refused"
2025-09-01T22:50:16+02:00 [1:crowdsec1:crowdsec1-firewall-bouncer] time="2025-09-01T20:50:16Z" level=fatal msg="process terminated with error: bouncer stream halted"
2025-09-01T22:50:24+02:00 [1:crowdsec1:crowdsec1] time="2025-09-01T20:50:24Z" level=info msg="Adding leaky bucket" cfg=white-paper name=crowdsecurity/nextcloud-bf_domain_error
Which dev version? As there could be rollbacks of features, it’s possible that updating from an earlier dev version could cause issues.
I tested the update from 1.0.14 today and retested now and wasn’t able to reproduce the issue.
Did you already try to refresh the browser?
Or restart the service
systemctl restart crowdsec*
I did, but interestingly on Safari it works, but on Google Chrome it gives me a blank screen. I will need to check cache, cookies and extension in Google Chrome.
update: deleted all cache and history. Now it works. Thanks!
Which services can be restarted from NS8 root please? All ‘other apps’ need to be restarted from within their respective containers, right?
The one discussed above,
Crowdsec is a rootfull container, you must have only one instance
For other apps do for example
systemctl restart user@$(id -u webserver1).service
Or go to module
runagent -m webserver1
and
systemctl --user restart webserver.service
Thanks, do ‘we’ have an overview of which apps are rootfull and which are not?
What would this be for sogo1 please? (as an example).
I recall that we have a banner somewhere. The app is rootfull….do not remember where but anyway I recall netdata, dnsmasq, crowdsec. If an app is not under /home it is a rootfull container
Same for sogo, use the module id of sogo, sogo1, sogo2 etc
Thanks!
systemctl restart user@$(id -u webserver1).service
So user is ‘user’ and id is ‘id’ and webserver1 is ‘sogo1’?
User is static, at the end it will be
systemctl restart user@1001.service
id -u sogo1 gives back this 1001….. obviously it will change for any module
Btw we have a project to make a button to restart apps in the node page