peter1
(Peter)
March 24, 2024, 5:43pm
1
I sent 30 failed login attempts through a vpn to cluster-admin, and 15 failed dovecot authentications within a few minutes without ban. What are some things I can do to test further and fix this?
OS Rocky 9
davidep
(Davide Principi)
March 24, 2024, 6:03pm
2
There’s a bug filed here
opened 11:49AM - 18 Mar 24 UTC
bug
testing
**Steps to reproduce**
- Install crowdsec
- check the log
you can see some … journald filtering
```
time="18-03-2024 11:33:58" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=dokuwiki2]" src="journalctl-SYSLOG_IDENTIFIER=dokuwiki2" type=journalctl
```
and for services
```
time="18-03-2024 11:33:58" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=sshd.service]" src="journalctl-_SYSTEMD_UNIT=sshd.service" type=journalctl
```
**Expected behavior**
I expect that crowdsec is able to read log from journald
**Actual behavior**
In fact `SYSLOG_IDENTIFIER` is no more used
```
[root@R4-pve ~]# journalctl SYSLOG_IDENTIFIER=mail1
-- No entries --
[root@R4-pve ~]#
```
this drives that crowdsec is fully blind
we could uses the UID instead
`journalctl _UID=$(id -u mail1)`
**Components**
ghcr.io/nethserver/crowdsec:1.0.6
**See also**
https://mattermost.nethesis.it/nethesis/pl/pgogitpypfb57kyn5p56w13asc
----
thank davidep
1 Like
stephdl
(Stéphane de Labrusse)
March 25, 2024, 10:32am
3
hello @peter1
Maybe you could help the NS8 development by performing a QA
opened 08:10AM - 20 Mar 24 UTC
testing
Upgrade crowdsec to 1.6.0.0-1-debian
**Proposed solution**
We have a new v… ersion since january 2024, time to test it
**Alternative solutions**
do not upgrade but we could lead to a technical debt one day
**Additional context**
https://github.com/crowdsecurity/crowdsec/releases/tag/v1.6.0
to install it on a VM, enable the testing repo, or update the module
api-cli run update-module --data '{"module_url":"ghcr.io/nethserver/crowdsec:1.0.7-dev.1","instances":["crowdsec1"],"force":true}'
2 Likes
stephdl
(Stéphane de Labrusse)
March 25, 2024, 10:33am
4
if you agreed I can give some guidances on what to test
mrmarkuz
(Markus Neuberger)
March 25, 2024, 3:20pm
5
Tested the crowdsec upgrade to 1.7.0-dev.1 and ssh bruteforce gets banned now and it’s all viewable in the crowdsec web app.
5 Likes
stephdl
(Stéphane de Labrusse)
March 25, 2024, 3:54pm
6
Can you follow the other QA please
opened 03:11PM - 20 Mar 24 UTC
testing
Not really a bug nor a feature request but crowdsec does a request to redis on s… ome scripts that the service triggers in preaction, we should request to the redis replica instead to the main instance of redis that it could be remote and long to answer in the case of cluster
**Proposed solution**
use `rdb = agent.redis_connect(use_replica=True)`
**Alternative solutions**
continue to request to the remote redis instance in case of cluster
opened 04:54PM - 19 Mar 24 UTC
bug
testing
**Steps to reproduce**
- Install crowdsec
- once installed check if the ipv4… /ipv6 sets of ipset are in iptables
```
[root@R1-pve ~]# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere match-set crowdsec6-blacklists src
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
```
[root@R1-pve ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere match-set crowdsec-blacklists src
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
reload the firewall like agent.add_public_service after it has added opened services
firewall-cmd --reload
**Expected behavior**
I expect that my sets are loaded
**Actual behavior**
The sets are not loaded anymore and obviously crwdsec can ban, the drop is not honored
```
[root@R1-pve ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
```
[root@R1-pve ~]# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
however if I restart crowdsec-firewall-bouncer.service the sets are back
`systemctl restart crowdsec-firewall-bouncer.service`
I tried to make permanent the set to the drop zone of firewalld or with also a rich-rule of the public zone but we face to a strange behavior with two kinds of sets, crowdset wants to use the set that you can see with `ipset -L -n` and since I want to make `permanent` the set to firewalld, it looks like there is a conflict
**Components**
crowdsec 1.0.6
opened 08:10AM - 20 Mar 24 UTC
testing
Upgrade crowdsec to 1.6.0.0-1-debian
**Proposed solution**
We have a new v… ersion since january 2024, time to test it
**Alternative solutions**
do not upgrade but we could lead to a technical debt one day
**Additional context**
https://github.com/crowdsecurity/crowdsec/releases/tag/v1.6.0
2 Likes
stephdl
(Stéphane de Labrusse)
March 29, 2024, 4:16pm
8
One step more in the world of container, now the bouncer itself is a container, no more deb or rpm installed on the host
opened 04:54PM - 19 Mar 24 UTC
bug
testing
**Steps to reproduce**
- Install crowdsec
- once installed check if the ipv4… /ipv6 sets of ipset are in iptables
```
[root@R1-pve ~]# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere match-set crowdsec6-blacklists src
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
```
[root@R1-pve ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere match-set crowdsec-blacklists src
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
reload the firewall like agent.add_public_service after it has added opened services
firewall-cmd --reload
**Expected behavior**
I expect that my sets are loaded
**Actual behavior**
The sets are not loaded anymore and obviously crwdsec can ban, the drop is not honored
```
[root@R1-pve ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
```
[root@R1-pve ~]# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
however if I restart crowdsec-firewall-bouncer.service the sets are back
`systemctl restart crowdsec-firewall-bouncer.service`
I tried to make permanent the set to the drop zone of firewalld or with also a rich-rule of the public zone but we face to a strange behavior with two kinds of sets, crowdset wants to use the set that you can see with `ipset -L -n` and since I want to make `permanent` the set to firewalld, it looks like there is a conflict
**Components**
crowdsec 1.0.6
Please some braves to break it
3 Likes
mrmarkuz
(Markus Neuberger)
March 29, 2024, 11:31pm
9
I did an update on 2 nodes of a Debian NS8 cluster and it’s just working and banning IPs as expected.
4 Likes