NethServer Version: 8
Module: crowdsec
I recently installed crowdsec. I have a lot of unauthorized access attempts on my mail system. It looks like crowdsec isn’t doing what is expected.
I get a notification every few minutes that a specific IP will be banned (right now it is for about 828 minutes), but this specific IP is still trying to access my system.
I have NethSecurity as a firewall. Do I need to enable something so crowdsec will work?
If you cannot assign the IP address to your jurisdiction, Crowdsec will do its job.
I know.
The thing is: the address is not being blocked even though I get the notification from crowdsec.
Then I misunderstood your description of the problem, sorry.
How did you test it?
I tested crowdsec now behind NethSecurity using SSH from my mobile. I set a port forward of the SSH port 22 on the NethSec to the NS8.
After some wrong SSH login attempts, I can see the following in the logs:
2025-05-06T10:04:19+02:00 [3:crowdsec5:crowdsec5] time="2025-05-06T08:04:19Z" level=info msg="Ip 178.115.69.103 performed 'crowdsecurity/ssh-bf' (9 events over 37.999906312s) at 2025-05-06 08:04:19.495267988 +0000 UTC"
2025-05-06T10:04:20+02:00 [3:crowdsec5:crowdsec5] time="2025-05-06T08:04:20Z" level=info msg="(localhost/crowdsec) crowdsecurity/ssh-bf by ip 178.115.69.103 (AT/25255) : 4m ban on Ip 178.115.69.103"
The alerts are also shown on the crowdsec page, I tested using a wrong password from LAN and WAN and both worked.
Also a notification mail is sent. After the ban no connection from my mobile to the NS8 is possible anymore until it gets unbanned.
Can we have the log transaction?
journalctl > dump, can you send it to us?
You can also check which IPs are banned:
nft list ruleset
To verify whether an IP is in the list:
nft list ruleset | grep 223.71.254.162
We use an nftables set; any IP inside it cannot communicate.
Some debug commands for the future:
runagent -m crowdsec1 cscli decisions list --all
runagent -m crowdsec1 cscli decisions list
runagent -m crowdsec1 cscli metrics
I saw the IP addresses still coming up in the dovecot log files.
to verify if an IP is in the list do
nft list ruleset | grep
I just checked with 2 addresses for which I got lots of notifications:
45.144.212.223 should be banned for 848 minutes, it's not in the ruleset, I have over 200 notifications in the last 2 days
193.46.255.40 should be banned for 2312 minutes, it's not in the ruleset, I have over 500 notifications in the last 2 days
runagent -m crowdsec1 cscli decisions list --all
runagent -m crowdsec1 cscli decisions list
runagent -m crowdsec1 cscli metrics
brings lots of data, what should I look for?
journalctl > dump,
The log is over 260 MB, what app should I filter so you don't get everything?
the idea is to understand what crowdsec does
journalctl -t crowdsec1-firewall-bouncer -t crowdsec1 > dump
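An added example, not part of any post in this thread: a Python script that reads a dump produced by the `journalctl` command above and reports IPs that trigger a new ban while an earlier ban on them has not yet expired, plus bans with no bouncer "decision added" line shortly afterwards. The sample lines are constructed in the log format quoted in this thread (documentation-range IPs), and the 30-second pairing window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample in the format of the journal lines quoted in this thread
# (documentation-range IPs, not real data).
SAMPLE_JOURNAL = '''\
Mai 05 01:00:00 ns8 crowdsec1[100]: time="2025-05-05T01:00:00Z" level=info msg="(localhost/crowdsec) crowdsecurity/postfix-relay-denied by ip 198.51.100.7 (ZZ/0) : 4m ban on Ip 198.51.100.7"
Mai 05 01:00:05 ns8 crowdsec1-firewall-bouncer[200]: time="2025-05-05T01:00:05Z" level=info msg="1 decision added"
Mai 05 01:04:05 ns8 crowdsec1-firewall-bouncer[200]: time="2025-05-05T01:04:05Z" level=info msg="1 decision deleted"
Mai 05 01:10:00 ns8 crowdsec1[100]: time="2025-05-05T01:10:00Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 203.0.113.10 (ZZ/0) : 1624m ban on Ip 203.0.113.10"
Mai 05 01:20:50 ns8 crowdsec1[100]: time="2025-05-05T01:20:50Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 203.0.113.10 (ZZ/0) : 1628m ban on Ip 203.0.113.10"
Mai 05 01:31:40 ns8 crowdsec1[100]: time="2025-05-05T01:31:40Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 203.0.113.10 (ZZ/0) : 1632m ban on Ip 203.0.113.10"
Mai 05 01:40:00 ns8 crowdsec1[100]: time="2025-05-05T01:40:00Z" level=info msg="(localhost/crowdsec) crowdsecurity/postfix-relay-denied by ip 198.51.100.7 (ZZ/0) : 8m ban on Ip 198.51.100.7"
Mai 05 01:40:06 ns8 crowdsec1-firewall-bouncer[200]: time="2025-05-05T01:40:06Z" level=info msg="1 decision added"
'''


class Ban(NamedTuple):
    when: datetime
    ip: str
    scenario: str
    duration: timedelta


TIME_RE = re.compile(r'time="(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z"')
BAN_RE = re.compile(
    r'msg="\([^)]*\) (?P<scenario>\S+) by ip (?P<ip>\S+) \([^)]*\) : '
    r'(?P<dur>\S+) ban on Ip '
)
ADD_RE = re.compile(r'firewall-bouncer\[\d+\]: .*msg="\d+ decisions? added"')
DUR_RE = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?")


def parse_duration(text):
    """Parse durations such as '4m', '1624m' or '1h4m' into a timedelta."""
    match = DUR_RE.fullmatch(text)
    if not text or not match:
        raise ValueError(f"unrecognised duration: {text!r}")
    hours, minutes, seconds = match.groups()
    return timedelta(hours=int(hours or 0), minutes=int(minutes or 0),
                     seconds=float(seconds or 0))


def parse_journal(text):
    """Return (bans, bouncer_add_times), both sorted by time."""
    bans, adds = [], []
    for line in text.splitlines():
        stamp = TIME_RE.search(line)
        if not stamp:
            continue
        when = datetime.strptime(stamp.group(1), "%Y-%m-%dT%H:%M:%S")
        ban = BAN_RE.search(line)
        if ban:
            bans.append(Ban(when, ban["ip"], ban["scenario"],
                            parse_duration(ban["dur"])))
        elif ADD_RE.search(line):
            adds.append(when)
    return sorted(bans), sorted(adds)


def rebans_while_active(bans):
    """Count, per IP, bans issued while an earlier ban had not expired.

    A scenario can only fire again if the source log still records traffic
    from that IP, so a non-zero count means the ban did not stop that traffic.
    """
    active_until, counts = {}, Counter()
    for ban in bans:
        if ban.ip in active_until and ban.when < active_until[ban.ip]:
            counts[ban.ip] += 1
        expiry = ban.when + ban.duration
        active_until[ban.ip] = max(active_until.get(ban.ip, expiry), expiry)
    return dict(counts)


def bans_without_bouncer_add(bans, adds, window=timedelta(seconds=30)):
    """Bans with no bouncer 'decision added' line within `window` (assumed)."""
    return [ban for ban in bans
            if not any(ban.when <= add <= ban.when + window for add in adds)]


if __name__ == "__main__":
    bans, adds = parse_journal(SAMPLE_JOURNAL)
    for ip, count in rebans_while_active(bans).items():
        print(f"{ip}: re-banned {count}x while an earlier ban was active")
    for ban in bans_without_bouncer_add(bans, adds):
        print(f"{ban.when} {ban.ip} ({ban.scenario}): no bouncer add seen")
```

To run it against a real dump, read the file and pass its text to `parse_journal` in place of `SAMPLE_JOURNAL`.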
I can't post all of the result. I could not upload a txt file.
As far as I see, it's always repeating.
Mai 05 01:28:24 ns8 crowdsec1[1666425]: time="2025-05-05T01:28:24Z" level=info msg="Ip 65.49.20.66 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 01:28:24.231156701 +0000 UTC"
Mai 05 01:28:24 ns8 crowdsec1[1666425]: time="2025-05-05T01:28:24Z" level=info msg="Ip 65.49.20.66 performed 'crowdsecurity/postfix-non-smtp-command' (1 events over 0s) at 2025-05-05 01:28:24.231624637 +0000 UTC"
Mai 05 01:28:24 ns8 crowdsec1[1666425]: time="2025-05-05T01:28:24Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 65.49.20.66 (US/6939) : 4m ban on Ip 65.49.20.66"
Mai 05 01:28:24 ns8 crowdsec1[1666425]: time="2025-05-05T01:28:24Z" level=info msg="(localhost/crowdsec) crowdsecurity/postfix-non-smtp-command by ip 65.49.20.66 (US/6939) : 4m ban on Ip 65.49.20.66"
Mai 05 01:28:25 ns8 crowdsec1[1666425]: time="2025-05-05T01:28:25Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 01:28:25 ns8 crowdsec1[1666425]: time="2025-05-05T01:28:25Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 01:28:28 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T01:28:28Z" level=info msg="1 decision added"
Mai 05 01:28:29 ns8 crowdsec1[1666425]: time="2025-05-05T01:28:29Z" level=info msg="Signal push: 2 signals to push"
Mai 05 01:32:28 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T01:32:28Z" level=info msg="1 decision deleted"
Mai 05 01:35:04 ns8 crowdsec1[1666425]: time="2025-05-05T01:35:04Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m34.500085789s) at 2025-05-05 01:35:04.23095512 +0000 UTC"
Mai 05 01:35:04 ns8 crowdsec1[1666425]: time="2025-05-05T01:35:04Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1624m ban on Ip 193.46.255.40"
Mai 05 01:35:05 ns8 crowdsec1[1666425]: time="2025-05-05T01:35:05Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 01:35:09 ns8 crowdsec1[1666425]: time="2025-05-05T01:35:09Z" level=info msg="Signal push: 1 signals to push"
Mai 05 01:39:25 ns8 crowdsec1[1666425]: time="2025-05-05T01:39:25Z" level=info msg="Ip 45.144.212.223 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 01:39:25.981436277 +0000 UTC"
Mai 05 01:39:26 ns8 crowdsec1[1666425]: time="2025-05-05T01:39:26Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 45.144.212.223 (UA/214940) : 600m ban on Ip 45.144.212.223"
Mai 05 01:39:27 ns8 crowdsec1[1666425]: time="2025-05-05T01:39:27Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 01:39:29 ns8 crowdsec1[1666425]: time="2025-05-05T01:39:29Z" level=info msg="Signal push: 1 signals to push"
Mai 05 01:40:58 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T01:40:58Z" level=info msg="1 decision deleted"
Mai 05 01:45:53 ns8 crowdsec1[1666425]: time="2025-05-05T01:45:53Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m37.250560401s) at 2025-05-05 01:45:53.981797881 +0000 UTC"
Mai 05 01:45:54 ns8 crowdsec1[1666425]: time="2025-05-05T01:45:54Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1628m ban on Ip 193.46.255.40"
Mai 05 01:45:55 ns8 crowdsec1[1666425]: time="2025-05-05T01:45:55Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 01:45:59 ns8 crowdsec1[1666425]: time="2025-05-05T01:45:59Z" level=info msg="Signal push: 1 signals to push"
Mai 05 01:48:58 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T01:48:58Z" level=info msg="3 decisions deleted"
Mai 05 01:49:08 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T01:49:08Z" level=info msg="3 decisions deleted"
Mai 05 01:49:23 ns8 crowdsec1[1666425]: time="2025-05-05T01:49:23Z" level=info msg="capi metrics: sending"
Mai 05 01:53:07 ns8 crowdsec1[1666425]: time="2025-05-05T01:53:07Z" level=info msg="Sent 3 usage metrics"
Mai 05 01:56:18 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T01:56:18Z" level=info msg="1 decision deleted"
Mai 05 01:56:44 ns8 crowdsec1[1666425]: time="2025-05-05T01:56:44Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.500102483s) at 2025-05-05 01:56:44.481230732 +0000 UTC"
Mai 05 01:56:45 ns8 crowdsec1[1666425]: time="2025-05-05T01:56:45Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1632m ban on Ip 193.46.255.40"
Mai 05 01:56:46 ns8 crowdsec1[1666425]: time="2025-05-05T01:56:46Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 01:56:49 ns8 crowdsec1[1666425]: time="2025-05-05T01:56:49Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:01:03 ns8 crowdsec1[1666425]: time="2025-05-05T02:01:03Z" level=info msg="Ip 176.65.140.199 performed 'crowdsecurity/postfix-relay-denied' (2 events over 40.249244752s) at 2025-05-05 02:00:55.731133446 +0000 UTC"
Mai 05 02:01:03 ns8 crowdsec1[1666425]: time="2025-05-05T02:01:03Z" level=info msg="(localhost/crowdsec) crowdsecurity/postfix-relay-denied by ip 176.65.140.199 (DE/215240) : 4m ban on Ip 176.65.140.199"
Mai 05 02:01:04 ns8 crowdsec1[1666425]: time="2025-05-05T02:01:04Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:01:08 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T02:01:08Z" level=info msg="1 decision added"
Mai 05 02:01:09 ns8 crowdsec1[1666425]: time="2025-05-05T02:01:09Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:04:58 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T02:04:58Z" level=info msg="1 decision deleted"
Mai 05 02:06:03 ns8 crowdsec1[1666425]: time="2025-05-05T02:06:03Z" level=info msg="Ip 45.144.212.223 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 02:06:03.231476666 +0000 UTC"
Mai 05 02:06:03 ns8 crowdsec1[1666425]: time="2025-05-05T02:06:03Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 45.144.212.223 (UA/214940) : 604m ban on Ip 45.144.212.223"
Mai 05 02:06:04 ns8 crowdsec1[1666425]: time="2025-05-05T02:06:04Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:06:09 ns8 crowdsec1[1666425]: time="2025-05-05T02:06:09Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:07:28 ns8 crowdsec1[1666425]: time="2025-05-05T02:07:28Z" level=info msg="Ip 45.146.130.98 performed 'crowdsecurity/dovecot-spam' (5 events over 10m11.249103227s) at 2025-05-05 02:07:28.480740165 +0000 UTC"
Mai 05 02:07:29 ns8 crowdsec1[1666425]: time="2025-05-05T02:07:29Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 45.146.130.98 (SC/0) : 128m ban on Ip 45.146.130.98"
Mai 05 02:07:29 ns8 crowdsec1[1666425]: time="2025-05-05T02:07:29Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:07:30 ns8 crowdsec1[1666425]: time="2025-05-05T02:07:30Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:07:38 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T02:07:38Z" level=info msg="1 decision added"
Mai 05 02:07:39 ns8 crowdsec1[1666425]: time="2025-05-05T02:07:39Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m44.750143885s) at 2025-05-05 02:07:39.231127198 +0000 UTC"
Mai 05 02:07:39 ns8 crowdsec1[1666425]: time="2025-05-05T02:07:39Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1636m ban on Ip 193.46.255.40"
Mai 05 02:07:39 ns8 crowdsec1[1666425]: time="2025-05-05T02:07:39Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:07:40 ns8 crowdsec1[1666425]: time="2025-05-05T02:07:40Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:18:29 ns8 crowdsec1[1666425]: time="2025-05-05T02:18:29Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m40.250041511s) at 2025-05-05 02:18:29.481290111 +0000 UTC"
Mai 05 02:18:30 ns8 crowdsec1[1666425]: time="2025-05-05T02:18:30Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1640m ban on Ip 193.46.255.40"
Mai 05 02:18:31 ns8 crowdsec1[1666425]: time="2025-05-05T02:18:31Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:18:39 ns8 crowdsec1[1666425]: time="2025-05-05T02:18:39Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:19:24 ns8 crowdsec1[1666425]: time="2025-05-05T02:19:24Z" level=info msg="capi metrics: sending"
Mai 05 02:23:07 ns8 crowdsec1[1666425]: time="2025-05-05T02:23:07Z" level=info msg="Sent 3 usage metrics"
Mai 05 02:29:19 ns8 crowdsec1[1666425]: time="2025-05-05T02:29:19Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.999891411s) at 2025-05-05 02:29:19.73126551 +0000 UTC"
Mai 05 02:29:20 ns8 crowdsec1[1666425]: time="2025-05-05T02:29:20Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1644m ban on Ip 193.46.255.40"
Mai 05 02:29:21 ns8 crowdsec1[1666425]: time="2025-05-05T02:29:21Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:29:29 ns8 crowdsec1[1666425]: time="2025-05-05T02:29:29Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:32:32 ns8 crowdsec1[1666425]: time="2025-05-05T02:32:32Z" level=info msg="Ip 45.144.212.223 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 02:32:32.481565615 +0000 UTC"
Mai 05 02:32:33 ns8 crowdsec1[1666425]: time="2025-05-05T02:32:33Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 45.144.212.223 (UA/214940) : 608m ban on Ip 45.144.212.223"
Mai 05 02:32:34 ns8 crowdsec1[1666425]: time="2025-05-05T02:32:34Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:32:40 ns8 crowdsec1[1666425]: time="2025-05-05T02:32:40Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:42:23 ns8 crowdsec1[1666425]: time="2025-05-05T02:42:23Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 10m53.261287193s) at 2025-05-05 02:42:23.992387843 +0000 UTC"
Mai 05 02:42:24 ns8 crowdsec1[1666425]: time="2025-05-05T02:42:24Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1648m ban on Ip 193.46.255.40"
Mai 05 02:42:25 ns8 crowdsec1[1666425]: time="2025-05-05T02:42:25Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:42:30 ns8 crowdsec1[1666425]: time="2025-05-05T02:42:30Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:48:57 ns8 crowdsec1[1666425]: time="2025-05-05T02:48:57Z" level=info msg="Starting community-blocklist update"
Mai 05 02:48:58 ns8 crowdsec1[1666425]: time="2025-05-05T02:48:58Z" level=info msg="capi/community-blocklist : 0 explicit deletions"
Mai 05 02:48:58 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T02:48:58Z" level=info msg="1 decision deleted"
Mai 05 02:48:59 ns8 crowdsec1[1666425]: time="2025-05-05T02:48:59Z" level=info msg="crowdsecurity/community-blocklist : added 15000 entries, deleted 14966 entries (alert:796)"
Mai 05 02:49:08 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T02:49:08Z" level=info msg="1 decision deleted"
Mai 05 02:49:09 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T02:49:09Z" level=info msg="15000 decisions added"
Mai 05 02:49:24 ns8 crowdsec1[1666425]: time="2025-05-05T02:49:24Z" level=info msg="capi metrics: sending"
Mai 05 02:53:07 ns8 crowdsec1[1666425]: time="2025-05-05T02:53:07Z" level=info msg="Sent 3 usage metrics"
Mai 05 02:53:11 ns8 crowdsec1[1666425]: time="2025-05-05T02:53:11Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m38.249871033s) at 2025-05-05 02:53:11.981561703 +0000 UTC"
Mai 05 02:53:12 ns8 crowdsec1[1666425]: time="2025-05-05T02:53:12Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1652m ban on Ip 193.46.255.40"
Mai 05 02:53:13 ns8 crowdsec1[1666425]: time="2025-05-05T02:53:13Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:53:20 ns8 crowdsec1[1666425]: time="2025-05-05T02:53:20Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:58:50 ns8 crowdsec1[1666425]: time="2025-05-05T02:58:50Z" level=info msg="Ip 185.208.159.214 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 02:58:50.481246798 +0000 UTC"
Mai 05 02:58:51 ns8 crowdsec1[1666425]: time="2025-05-05T02:58:51Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 185.208.159.214 (US/42624) : 188m ban on Ip 185.208.159.214"
Mai 05 02:58:52 ns8 crowdsec1[1666425]: time="2025-05-05T02:58:52Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:59:00 ns8 crowdsec1[1666425]: time="2025-05-05T02:59:00Z" level=info msg="Signal push: 1 signals to push"
Mai 05 02:59:35 ns8 crowdsec1[1666425]: time="2025-05-05T02:59:35Z" level=info msg="Ip 45.144.212.223 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 02:59:35.98173164 +0000 UTC"
Mai 05 02:59:36 ns8 crowdsec1[1666425]: time="2025-05-05T02:59:36Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 45.144.212.223 (UA/214940) : 612m ban on Ip 45.144.212.223"
Mai 05 02:59:37 ns8 crowdsec1[1666425]: time="2025-05-05T02:59:37Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 02:59:40 ns8 crowdsec1[1666425]: time="2025-05-05T02:59:40Z" level=info msg="Signal push: 1 signals to push"
Mai 05 03:03:59 ns8 crowdsec1[1666425]: time="2025-05-05T03:03:59Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.250035849s) at 2025-05-05 03:03:59.481417839 +0000 UTC"
Mai 05 03:04:00 ns8 crowdsec1[1666425]: time="2025-05-05T03:04:00Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1656m ban on Ip 193.46.255.40"
Mai 05 03:04:01 ns8 crowdsec1[1666425]: time="2025-05-05T03:04:01Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 03:04:10 ns8 crowdsec1[1666425]: time="2025-05-05T03:04:10Z" level=info msg="Signal push: 1 signals to push"
Mai 05 03:14:44 ns8 crowdsec1[1666425]: time="2025-05-05T03:14:44Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m37.252550056s) at 2025-05-05 03:14:44.234352575 +0000 UTC"
Mai 05 03:14:44 ns8 crowdsec1[1666425]: time="2025-05-05T03:14:44Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1660m ban on Ip 193.46.255.40"
Mai 05 03:14:45 ns8 crowdsec1[1666425]: time="2025-05-05T03:14:45Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 03:14:50 ns8 crowdsec1[1666425]: time="2025-05-05T03:14:50Z" level=info msg="Signal push: 1 signals to push"
Mai 05 03:19:24 ns8 crowdsec1[1666425]: time="2025-05-05T03:19:24Z" level=info msg="capi metrics: sending"
Mai 05 03:23:07 ns8 crowdsec1[1666425]: time="2025-05-05T03:23:07Z" level=info msg="Sent 3 usage metrics"
Mai 05 03:25:29 ns8 crowdsec1[1666425]: time="2025-05-05T03:25:29Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m36.000500244s) at 2025-05-05 03:25:29.982571984 +0000 UTC"
Mai 05 03:25:30 ns8 crowdsec1[1666425]: time="2025-05-05T03:25:30Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1664m ban on Ip 193.46.255.40"
Mai 05 03:25:32 ns8 crowdsec1[1666425]: time="2025-05-05T03:25:32Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 03:25:40 ns8 crowdsec1[1666425]: time="2025-05-05T03:25:40Z" level=info msg="Signal push: 1 signals to push"
Mai 05 03:27:59 ns8 crowdsec1[1666425]: time="2025-05-05T03:27:59Z" level=info msg="Ip 45.144.212.223 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 03:27:59.484868101 +0000 UTC"
Mai 05 03:28:00 ns8 crowdsec1[1666425]: time="2025-05-05T03:28:00Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 45.144.212.223 (UA/214940) : 616m ban on Ip 45.144.212.223"
Mai 05 03:28:01 ns8 crowdsec1[1666425]: time="2025-05-05T03:28:01Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 03:28:10 ns8 crowdsec1[1666425]: time="2025-05-05T03:28:10Z" level=info msg="Signal push: 1 signals to push"
Mai 05 03:36:09 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T03:36:09Z" level=info msg="1 decision deleted"
Mai 05 03:36:19 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T03:36:19Z" level=info msg="1 decision deleted"
Mai 05 03:36:19 ns8 crowdsec1[1666425]: time="2025-05-05T03:36:19Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.998398095s) at 2025-05-05 03:36:19.731915895 +0000 UTC"
Mai 05 03:36:20 ns8 crowdsec1[1666425]: time="2025-05-05T03:36:20Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1668m ban on Ip 193.46.255.40"
Mai 05 03:36:21 ns8 crowdsec1[1666425]: time="2025-05-05T03:36:21Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 03:36:30 ns8 crowdsec1[1666425]: time="2025-05-05T03:36:30Z" level=info msg="Signal push: 1 signals to push"
Mai 05 03:42:20 ns8 crowdsec1[1666425]: time="2025-05-05T03:42:20Z" level=info msg="Ip 66.63.187.75 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 03:42:19.9818264 +0000 UTC"
Mai 05 03:42:20 ns8 crowdsec1[1666425]: time="2025-05-05T03:42:20Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 66.63.187.75 (US/214943) : 192m ban on Ip 66.63.187.75"
Mai 05 03:42:21 ns8 crowdsec1[1666425]: time="2025-05-05T03:42:21Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 03:42:29 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T03:42:29Z" level=info msg="1 decision added"
Mai 05 03:42:30 ns8 crowdsec1[1666425]: time="2025-05-05T03:42:30Z" level=info msg="Signal push: 1 signals to push"
Mai 05 03:47:09 ns8 crowdsec1[1666425]: time="2025-05-05T03:47:09Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.999618387s) at 2025-05-05 03:47:09.981423756 +0000 UTC"
Mai 05 03:47:10 ns8 crowdsec1[1666425]: time="2025-05-05T03:47:10Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1672m ban on Ip 193.46.255.40"
Mai 05 03:47:11 ns8 crowdsec1[1666425]: time="2025-05-05T03:47:11Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 03:47:20 ns8 crowdsec1[1666425]: time="2025-05-05T03:47:20Z" level=info msg="Signal push: 1 signals to push"
Mai 05 03:49:00 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T03:49:00Z" level=info msg="2 decisions deleted"
Mai 05 03:49:09 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T03:49:09Z" level=info msg="2 decisions deleted"
Mai 05 03:49:24 ns8 crowdsec1[1666425]: time="2025-05-05T03:49:24Z" level=info msg="capi metrics: sending"
Mai 05 03:53:07 ns8 crowdsec1[1666425]: time="2025-05-05T03:53:07Z" level=info msg="Sent 3 usage metrics"
Mai 05 03:57:59 ns8 crowdsec1[1666425]: time="2025-05-05T03:57:59Z" level=info msg="Ip 45.144.212.223 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 03:57:59.329551112 +0000 UTC"
Mai 05 03:57:59 ns8 crowdsec1[1666425]: time="2025-05-05T03:57:59Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 45.144.212.223 (UA/214940) : 620m ban on Ip 45.144.212.223"
Mai 05 03:57:59 ns8 crowdsec1[1666425]: time="2025-05-05T03:57:59Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.998175795s) at 2025-05-05 03:57:59.981599882 +0000 UTC"
Mai 05 03:58:00 ns8 crowdsec1[1666425]: time="2025-05-05T03:58:00Z" level=info msg="Signal push: 1 signals to push"
Mai 05 03:58:00 ns8 crowdsec1[1666425]: time="2025-05-05T03:58:00Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1676m ban on Ip 193.46.255.40"
Mai 05 03:58:00 ns8 crowdsec1[1666425]: time="2025-05-05T03:58:00Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 03:58:01 ns8 crowdsec1[1666425]: time="2025-05-05T03:58:01Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 03:58:10 ns8 crowdsec1[1666425]: time="2025-05-05T03:58:10Z" level=info msg="Signal push: 1 signals to push"
Mai 05 04:08:49 ns8 crowdsec1[1666425]: time="2025-05-05T04:08:49Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.750108303s) at 2025-05-05 04:08:49.982083566 +0000 UTC"
Mai 05 04:08:50 ns8 crowdsec1[1666425]: time="2025-05-05T04:08:50Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1680m ban on Ip 193.46.255.40"
Mai 05 04:08:51 ns8 crowdsec1[1666425]: time="2025-05-05T04:08:51Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 04:09:00 ns8 crowdsec1[1666425]: time="2025-05-05T04:09:00Z" level=info msg="Signal push: 1 signals to push"
Mai 05 04:15:39 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T04:15:39Z" level=info msg="1 decision deleted"
Mai 05 04:19:25 ns8 crowdsec1[1666425]: time="2025-05-05T04:19:25Z" level=info msg="capi metrics: sending"
Mai 05 04:19:43 ns8 crowdsec1[1666425]: time="2025-05-05T04:19:43Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m42.748948737s) at 2025-05-05 04:19:43.981338156 +0000 UTC"
Mai 05 04:19:44 ns8 crowdsec1[1666425]: time="2025-05-05T04:19:44Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1684m ban on Ip 193.46.255.40"
Mai 05 04:19:46 ns8 crowdsec1[1666425]: time="2025-05-05T04:19:46Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 04:19:50 ns8 crowdsec1[1666425]: time="2025-05-05T04:19:50Z" level=info msg="Signal push: 1 signals to push"
Mai 05 04:23:07 ns8 crowdsec1[1666425]: time="2025-05-05T04:23:07Z" level=info msg="Sent 3 usage metrics"
Mai 05 04:25:18 ns8 crowdsec1[1666425]: time="2025-05-05T04:25:18Z" level=info msg="Ip 45.146.130.98 performed 'crowdsecurity/dovecot-spam' (5 events over 9m39.172410297s) at 2025-05-05 04:25:18.231972983 +0000 UTC"
Mai 05 04:25:18 ns8 crowdsec1[1666425]: time="2025-05-05T04:25:18Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 45.146.130.98 (SC/0) : 132m ban on Ip 45.146.130.98"
Mai 05 04:25:20 ns8 crowdsec1[1666425]: time="2025-05-05T04:25:20Z" level=info msg="Ip 45.144.212.223 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 04:25:20.242549105 +0000 UTC"
Mai 05 04:25:20 ns8 crowdsec1[1666425]: time="2025-05-05T04:25:20Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 04:25:20 ns8 crowdsec1[1666425]: time="2025-05-05T04:25:20Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 45.144.212.223 (UA/214940) : 624m ban on Ip 45.144.212.223"
Mai 05 04:25:20 ns8 crowdsec1[1666425]: time="2025-05-05T04:25:20Z" level=info msg="Signal push: 2 signals to push"
Mai 05 04:25:21 ns8 crowdsec1[1666425]: time="2025-05-05T04:25:21Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 04:25:29 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T04:25:29Z" level=info msg="1 decision added"
Mai 05 04:30:33 ns8 crowdsec1[1666425]: time="2025-05-05T04:30:33Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.998826735s) at 2025-05-05 04:30:33.982386464 +0000 UTC"
Mai 05 04:30:34 ns8 crowdsec1[1666425]: time="2025-05-05T04:30:34Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1688m ban on Ip 193.46.255.40"
Mai 05 04:30:35 ns8 crowdsec1[1666425]: time="2025-05-05T04:30:35Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 04:30:40 ns8 crowdsec1[1666425]: time="2025-05-05T04:30:40Z" level=info msg="Signal push: 1 signals to push"
Mai 05 04:41:23 ns8 crowdsec1[1666425]: time="2025-05-05T04:41:23Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.63466807s) at 2025-05-05 04:41:23.231848977 +0000 UTC"
Mai 05 04:41:23 ns8 crowdsec1[1666425]: time="2025-05-05T04:41:23Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1692m ban on Ip 193.46.255.40"
Mai 05 04:41:24 ns8 crowdsec1[1666425]: time="2025-05-05T04:41:24Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 04:41:30 ns8 crowdsec1[1666425]: time="2025-05-05T04:41:30Z" level=info msg="Signal push: 1 signals to push"
Mai 05 04:43:16 ns8 crowdsec1[1666425]: time="2025-05-05T04:43:16Z" level=info msg="Ip 185.208.159.214 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 04:43:16.982208123 +0000 UTC"
Mai 05 04:43:17 ns8 crowdsec1[1666425]: time="2025-05-05T04:43:17Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 185.208.159.214 (US/42624) : 192m ban on Ip 185.208.159.214"
Mai 05 04:43:18 ns8 crowdsec1[1666425]: time="2025-05-05T04:43:18Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 04:43:20 ns8 crowdsec1[1666425]: time="2025-05-05T04:43:20Z" level=info msg="Signal push: 1 signals to push"
Mai 05 04:48:57 ns8 crowdsec1[1666425]: time="2025-05-05T04:48:57Z" level=info msg="Starting community-blocklist update"
Mai 05 04:48:58 ns8 crowdsec1[1666425]: time="2025-05-05T04:48:58Z" level=info msg="capi/community-blocklist : 0 explicit deletions"
Mai 05 04:48:58 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T04:48:58Z" level=info msg="4 decisions deleted"
Mai 05 04:48:59 ns8 crowdsec1[1666425]: time="2025-05-05T04:48:59Z" level=info msg="crowdsecurity/community-blocklist : added 15000 entries, deleted 14989 entries (alert:816)"
Mai 05 04:49:08 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T04:49:08Z" level=info msg="3 decisions deleted"
Mai 05 04:49:09 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T04:49:09Z" level=info msg="15000 decisions added"
Mai 05 04:49:25 ns8 crowdsec1[1666425]: time="2025-05-05T04:49:25Z" level=info msg="capi metrics: sending"
Mai 05 04:52:12 ns8 crowdsec1[1666425]: time="2025-05-05T04:52:12Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m39.250274075s) at 2025-05-05 04:52:12.231139353 +0000 UTC"
Mai 05 04:52:12 ns8 crowdsec1[1666425]: time="2025-05-05T04:52:12Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1696m ban on Ip 193.46.255.40"
Mai 05 04:52:13 ns8 crowdsec1[1666425]: time="2025-05-05T04:52:13Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 04:52:20 ns8 crowdsec1[1666425]: time="2025-05-05T04:52:20Z" level=info msg="Signal push: 1 signals to push"
Mai 05 04:53:06 ns8 crowdsec1[1666425]: time="2025-05-05T04:53:06Z" level=info msg="Sent 3 usage metrics"
Mai 05 04:54:48 ns8 crowdsec1[1666425]: time="2025-05-05T04:54:48Z" level=info msg="Ip 45.144.212.223 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 04:54:48.731343178 +0000 UTC"
Mai 05 04:54:49 ns8 crowdsec1[1666425]: time="2025-05-05T04:54:49Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 45.144.212.223 (UA/214940) : 628m ban on Ip 45.144.212.223"
Mai 05 04:54:50 ns8 crowdsec1[1666425]: time="2025-05-05T04:54:50Z" level=info msg="Signal push: 1 signals to push"
Mai 05 04:54:50 ns8 crowdsec1[1666425]: time="2025-05-05T04:54:50Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 05:05:11 ns8 crowdsec1[1666425]: time="2025-05-05T05:05:11Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 10m47.999565271s) at 2025-05-05 05:05:11.980822644 +0000 UTC"
Mai 05 05:05:12 ns8 crowdsec1[1666425]: time="2025-05-05T05:05:12Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1700m ban on Ip 193.46.255.40"
Mai 05 05:05:13 ns8 crowdsec1[1666425]: time="2025-05-05T05:05:13Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 05:05:20 ns8 crowdsec1[1666425]: time="2025-05-05T05:05:20Z" level=info msg="Signal push: 1 signals to push"
Mai 05 05:05:52 ns8 crowdsec1[1666425]: time="2025-05-05T05:05:52Z" level=info msg="Ip 20.15.164.143 performed 'crowdsecurity/http-cve-probing' (1 events over 0s) at 2025-05-05 05:05:52.732121341 +0000 UTC"
Mai 05 05:05:53 ns8 crowdsec1[1666425]: time="2025-05-05T05:05:53Z" level=info msg="(localhost/crowdsec) crowdsecurity/http-cve-probing by ip 20.15.164.143 (US/8075) : 4m ban on Ip 20.15.164.143"
Mai 05 05:05:54 ns8 crowdsec1[1666425]: time="2025-05-05T05:05:54Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 05:05:58 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T05:05:58Z" level=info msg="1 decision added"
Mai 05 05:06:00 ns8 crowdsec1[1666425]: time="2025-05-05T05:06:00Z" level=info msg="Signal push: 1 signals to push"
Mai 05 05:08:10 ns8 crowdsec1[1666425]: time="2025-05-05T05:08:10Z" level=info msg="Ip 62.60.191.87 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 05:08:10.732167258 +0000 UTC"
Mai 05 05:08:11 ns8 crowdsec1[1666425]: time="2025-05-05T05:08:11Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 62.60.191.87 (IR/215930) : 88m ban on Ip 62.60.191.87"
Mai 05 05:08:12 ns8 crowdsec1[1666425]: time="2025-05-05T05:08:12Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 05:08:20 ns8 crowdsec1[1666425]: time="2025-05-05T05:08:20Z" level=info msg="Signal push: 1 signals to push"
Mai 05 05:09:58 ns8 crowdsec1-firewall-bouncer[1665486]: time="2025-05-05T05:09:58Z" level=info msg="1 decision deleted"
Mai 05 05:12:55 ns8 crowdsec1[1666425]: time="2025-05-05T05:12:55Z" level=info msg="Ip 185.196.10.204 performed 'crowdsecurity/postscreen-rbl' (1 events over 0s) at 2025-05-05 05:12:55.981279324 +0000 UTC"
Mai 05 05:12:56 ns8 crowdsec1[1666425]: time="2025-05-05T05:12:56Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 185.196.10.204 (GB/42624) : 80m ban on Ip 185.196.10.204"
Mai 05 05:12:57 ns8 crowdsec1[1666425]: time="2025-05-05T05:12:57Z" level=info msg="sent email to [peter@nemenz.at]" @module=email-plugin.email_default
Mai 05 05:13:00 ns8 crowdsec1[1666425]: time="2025-05-05T05:13:00Z" level=info msg="Signal push: 1 signals to push"
Mai 05 05:15:59 ns8 crowdsec1[1666425]: time="2025-05-05T05:15:59Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m37.750364698s) at 2025-05-05 05:15:59.731951527 +0000 UTC"
Mai 05 05:16:00 ns8 crowdsec1[1666425]: time="2025-05-05T05:16:00Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 1704m ban on Ip 193.46.255.40"
The dovecot log shows lines like this even though this IP should be banned:
2025-05-06T11:44:49+02:00 [1:mail2:dovecot] auth-worker(33886): conn unix:auth-worker (pid=239,uid=90): auth-worker<2303>: ldap(w,193.46.255.40): unknown user
2025-05-06T11:44:51+02:00 [1:mail2:postfix/smtpd] warning: unknown[193.46.255.40]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=w
2025-05-06T11:44:51+02:00 [1:mail2:postfix/smtpd] lost connection after AUTH from unknown[193.46.255.40]
2025-05-06T11:44:51+02:00 [1:mail2:postfix/smtpd] disconnect from unknown[193.46.255.40] ehlo=1 auth=0/1 rset=1 commands=2/3
Are you using Debian or Rocky?
The IPs you have listed, are they in the nftables ruleset?
193.46.255.40
for example
I’m using Rocky.
The IP 193.46.255.40 is not in the ruleset.
Did you ever try a restart of crowdsec1 and crowdsec1-firewall-bouncer?
So it is an infinite loop, but no clue why.
Not yet.
I just rebooted the system. I’ll see if this works.
I can’t reproduce, I found the same IP on one of my Nethservers (Debian)
and the IP is listed in the ruleset:
root@contabo:/var/lib/nethserver/crowdsec6/state# nft list ruleset | grep 193.46.255.40
80.94.95.241 timeout 11m55s expires 9m44s508ms, 193.46.255.40 timeout 19m56s expires 11m15s512ms }
It shows postfix/smtpd just once which I think is normal as the connection gets lost after a ban.
Here is my cluster log (I searched for the malicious IP) that shows that dovecot isn’t attacked anymore from that IP after the ban.
2025-05-06T12:01:48+02:00 [1:mail1:postfix/smtpd] warning: hostname hostingmailto189.statics.servermail.org does not resolve to address 193.46.255.40: Name has no usable address
2025-05-06T12:01:48+02:00 [1:mail1:postfix/smtpd] connect from unknown[193.46.255.40]
2025-05-06T12:01:49+02:00 [1:mail1:postfix/smtpd] Anonymous TLS connection established from unknown[193.46.255.40]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-05-06T12:01:50+02:00 [1:mail1:dovecot] auth-worker(54909): conn unix:auth-worker (pid=54851,uid=90): auth-worker<1>: ldap(office1,193.46.255.40): unknown user
2025-05-06T12:01:52+02:00 [1:mail1:postfix/smtpd] warning: unknown[193.46.255.40]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=office1
2025-05-06T12:01:52+02:00 [1:mail1:postfix/smtpd] lost connection after AUTH from unknown[193.46.255.40]
2025-05-06T12:01:52+02:00 [1:mail1:postfix/smtpd] disconnect from unknown[193.46.255.40] ehlo=1 auth=0/1 rset=1 commands=2/3
2025-05-06T12:01:52+02:00 [1:mail1:rspamd] (rspamd_proxy) <2ac27a>; milter; rspamd_milter_process_command: got connection from 193.46.255.40:44838
2025-05-06T12:03:58+02:00 [1:mail1:postfix/smtpd] warning: hostname hostingmailto189.statics.servermail.org does not resolve to address 193.46.255.40: Name has no usable address
2025-05-06T12:03:58+02:00 [1:mail1:postfix/smtpd] connect from unknown[193.46.255.40]
2025-05-06T12:03:58+02:00 [1:mail1:postfix/smtpd] Anonymous TLS connection established from unknown[193.46.255.40]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-05-06T12:03:58+02:00 [1:mail1:dovecot] auth-worker(54912): conn unix:auth-worker (pid=54851,uid=90): auth-worker<7>: ldap(faxuser,193.46.255.40): unknown user
2025-05-06T12:04:00+02:00 [1:mail1:postfix/smtpd] warning: unknown[193.46.255.40]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=faxuser
2025-05-06T12:04:00+02:00 [1:mail1:postfix/smtpd] lost connection after AUTH from unknown[193.46.255.40]
2025-05-06T12:04:00+02:00 [1:mail1:postfix/smtpd] disconnect from unknown[193.46.255.40] ehlo=1 auth=0/1 rset=1 commands=2/3
2025-05-06T12:04:00+02:00 [1:mail1:rspamd] (rspamd_proxy) <c08a7f>; milter; rspamd_milter_process_command: got connection from 193.46.255.40:37478
2025-05-06T12:06:08+02:00 [1:mail1:postfix/smtpd] warning: hostname hostingmailto189.statics.servermail.org does not resolve to address 193.46.255.40: Name has no usable address
2025-05-06T12:06:08+02:00 [1:mail1:postfix/smtpd] connect from unknown[193.46.255.40]
2025-05-06T12:06:08+02:00 [1:mail1:postfix/smtpd] Anonymous TLS connection established from unknown[193.46.255.40]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-05-06T12:06:09+02:00 [1:mail1:dovecot] auth-worker(54940): conn unix:auth-worker (pid=54851,uid=90): auth-worker<7>: ldap(nagata,193.46.255.40): unknown user
2025-05-06T12:06:09+02:00 [1:crowdsec6:crowdsec6] time="2025-05-06T10:06:09Z" level=info msg="Ip 193.46.255.40 performed 'crowdsecurity/dovecot-spam' (5 events over 8m36.721496291s) at 2025-05-06 10:06:09.145842974 +0000 UTC"
2025-05-06T12:06:09+02:00 [1:crowdsec6:crowdsec6] time="2025-05-06T10:06:09Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 193.46.255.40 (RO/47890) : 20m ban on Ip 193.46.255.40"
2025-05-06T12:06:11+02:00 [1:mail1:postfix/smtpd] warning: unknown[193.46.255.40]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=nagata
2025-05-06T12:06:11+02:00 [1:mail1:postfix/smtpd] lost connection after AUTH from unknown[193.46.255.40]
2025-05-06T12:06:11+02:00 [1:mail1:postfix/smtpd] disconnect from unknown[193.46.255.40] ehlo=1 auth=0/1 rset=1 commands=2/3
2025-05-06T12:06:11+02:00 [1:mail1:rspamd] (rspamd_proxy) <4be176>; milter; rspamd_milter_process_command: got connection from 193.46.255.40:58450
Looks like @stephdl was right and the service hung for some reason. After a reboot it seems to work now.
Btw, I don’t see any crowdsec folder in /home and therefore could not restart the service with
systemctl --user restart crowdsec1
systemctl --user restart crowdsec1-firewall-bouncer
Is this the way it should be?
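The manual check done in this thread (find the crowdsec ban line, then look for later connections from the same IP in the mail log) can be automated. The following is an added example, not part of any post and not NethServer or CrowdSec code: it flags new SMTP connections that arrive inside an active ban window, which indicates the bouncer is not enforcing decisions. The function names, the 15-second grace period for the bouncer to pick up a decision, and the sample log (constructed, in the cluster-log format shown above) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the cluster-log format quoted in this thread
# (documentation IP addresses, not real hosts).
SAMPLE_LOG = """\
2025-05-06T12:06:08+02:00 [1:mail1:postfix/smtpd] connect from unknown[203.0.113.40]
2025-05-06T12:06:09+02:00 [1:crowdsec6:crowdsec6] time="2025-05-06T10:06:09Z" level=info msg="(localhost/crowdsec) crowdsecurity/dovecot-spam by ip 203.0.113.40 (RO/64500) : 20m ban on Ip 203.0.113.40"
2025-05-06T12:06:11+02:00 [1:mail1:postfix/smtpd] lost connection after AUTH from unknown[203.0.113.40]
2025-05-06T12:08:20+02:00 [1:mail1:postfix/smtpd] connect from unknown[203.0.113.40]
2025-05-06T12:10:00+02:00 [1:crowdsec6:crowdsec6] time="2025-05-06T10:10:00Z" level=info msg="(localhost/crowdsec) crowdsecurity/postscreen-rbl by ip 198.51.100.7 (UA/64501) : 4m ban on Ip 198.51.100.7"
2025-05-06T12:15:30+02:00 [1:mail1:postfix/smtpd] connect from unknown[198.51.100.7]
"""

TS = r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d[+-]\d\d:\d\d) "
BAN_RE = re.compile(TS + r".*: ((?:\d+[hms])+) ban on Ip ([0-9a-fA-F.:]+)")
CONNECT_RE = re.compile(TS + r"\[[^\]]*postfix/smtpd\] connect from \S*\[([0-9a-fA-F.:]+)\]")
UNIT = {"h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Turn a ban length such as '1696m' or '1h30m' into a timedelta (assumed h/m/s units)."""
    return timedelta(seconds=sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([hms])", text)))

def unenforced_bans(log_text, grace=timedelta(seconds=15)):
    """Return (ip, connect_time, ban_time) for each NEW connection inside a ban window.

    Lines from a session that was already open when the ban landed
    ('lost connection', 'disconnect') are ignored on purpose.
    """
    bans, hits = {}, []          # bans: ip -> list of (start, end)
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            start = datetime.fromisoformat(m.group(1))
            bans.setdefault(m.group(3), []).append((start, start + parse_duration(m.group(2))))
            continue
        m = CONNECT_RE.match(line)
        if m:
            when = datetime.fromisoformat(m.group(1))
            for start, end in bans.get(m.group(2), []):
                if start + grace < when < end:
                    hits.append((m.group(2), when, start))
                    break
    return hits

if __name__ == "__main__":
    for ip, when, banned_at in unenforced_bans(SAMPLE_LOG):
        print(f"{ip} connected at {when.isoformat()} despite ban issued {banned_at.isoformat()}")
```

Any hit is a reason to check the nftables set with `nft list ruleset` and to restart the bouncer, as was done in this thread.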