2
24.1 Production Series / Re: Crowdsec Daemon is stopping at 1am (sometimes)
« on: March 19, 2024, 02:28:09 pm »
Hello,
Thanks for sending logs and configurations, we fixed some issues for the upcoming 1.6.1 and are looking at other possible causes.
In the meantime, we have a version of the base crowdsec package that restarts the service correctly when it fails.
You can find it at https://github.com/crowdsecurity/plugins/releases/tag/crowdsec-1.6.0_3
Let us know if it helps and thanks for testing,
Marco
3
24.1 Production Series / Re: Crowdsec Daemon is stopping at 1am (sometimes)
« on: March 15, 2024, 04:10:48 pm »
Yes, crowdsec would inappropriately raise an error if a watched file disappears immediately after the initial directory scan.
This will be corrected for 1.6.1, but I'm not sure how often it occurs.
More generally, a process exit by crowdsec could be due to CAPI being unavailable for a long time or other issues.
On the linux package any transient exit/crash is not a problem, except for the possible underlying bug, since the process is restarted immediately by systemd (or docker). For freebsd there is no - afaik - general consensus on how to restart crashed processes.
Monit is a good solution but it's not available on freebsd by default or in pfsense. I tried simply adding a restart option to the sbin/daemon wrapper, it's not working as expected but I'd prefer the solution should be the same for the three platforms.
If someone is using monit to restart crowdsec, can you share that part of configuration?
Thanks
4
24.1 Production Series / Re: Crowdsec Daemon is stopping at 1am (sometimes)
« on: March 13, 2024, 09:19:44 am »
I'm also having this issue. I received an email from Maxmind yesterday stating they would be switching to R2 presigned URLs for all DBs, as of May 1st, and that it is a potential breaking change. Not sure if this is related to the issue we are facing but I figured I would mention it.
I tried running "cscli hub upgrade --force" on both of my routers and they fail on the "crowdsecurity/geoip-enrich" list.
Did you run "cscli hub update" first?
I could not replicate the issue, but it would help if you ran "cscli support dump" and send the resulting file to support@crowdsec.net
Thanks!
5
24.1 Production Series / Re: Crowdsec Daemon is stopping at 1am (sometimes)
« on: March 12, 2024, 12:14:48 pm »
I've had to spend most of the weekend fixing my network for other reasons.
Those error messages seem pretty serious and it seems MaxMind's database is in a different to the expected. As to what changed would be a guess. Can be either maxmind or crowdsec.
Hi, I'm the author of the opnsense plugin. A new version of the geoip database had issues with the current crowdsec and we reverted to the older version. Hub upgrade (manually or from cron) fixes it, and I don't think it could crash the service. I am looking into the issue. Thanks!
6
24.1 Production Series / Re: Crowdsec Daemon is stopping at 1am (sometimes)
« on: March 08, 2024, 12:47:14 pm »
Hi,
it's not the bouncer logs that you should read, but crowdsec.log
Is there anything that points to a service failure?
7
23.7 Legacy Series / Re: 23.7.4 upgrade lost device connection to internet [SOLVED]
« on: September 18, 2023, 02:54:43 pm »
Hi mmetc
Firstly, OPNsense and CrowdSec seem both to be operating happily now.
The rule I had added (and now abandoned pending testing) blocked internal clients from accessing external sites in the crowdsec_blocklist. I did not have .CW in the rule myself.
I have logging of CrowdSec-initiated block events switched on, and events tagged with .CW in the log. That has been there all along and seems to cause no problem, nor would I expect it to given logs are written and forgotten.
The fix was I completely removed the CrowdSec package then reinstalled it from the repository.
Thanks for the update, that's definitely curious. I could trigger a syntax error by creating a ".CW" tag but if it gave no issue and you don't know where it came from...
I'll do some more testing, thanks again
8
23.7 Legacy Series / Re: Crowdsec plugin fails with 23.7.4 upgrade ?
« on: September 18, 2023, 10:48:38 am »
Hi, I'm the plugin maintainer.
What happens is simply that the bouncer does not wait for the lapi service to be responsive, and is not restarted automatically. Restarting only the bouncer is correct. Restarting both may work or not.
You can try a new version here - https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v0.0.28-rc5/crowdsec-firewall-bouncer-0.0.28.r5.pkg
We are releasing it with crowdsec 1.5.3, but it will take a few days to land in the freebsd and opnsense repositories.
I'd be glad if you could confirm that the above version is working for you.
9
23.7 Legacy Series / Re: Crowdsec plugin fails with 23.7.4 upgrade ?
« on: September 18, 2023, 10:32:48 am »
still not working for me with a plugin or even a full reboot.
Hi, could you try "service crowdsec_firewall restart" ?
Otherwise I should have a look at the last few lines in /var/log/crowdsec/crowdsec-firewall-bouncer.log
10
23.7 Legacy Series / Re: 23.7.4 upgrade lost device connection to internet [SOLVED]
« on: September 18, 2023, 10:25:57 am »
Hi!
Did you recently add the tag ".CW" by chance? It seems like dots are not allowed in rule tags. This creates a syntax error in the rule file, and they are all loaded together by pfctl design so nothing works.
I'll validate the form field in the next version. Does it work for you if you change or remove the tag?
11
23.1 Legacy Series / Re: No alerts in latest Crowdsec
« on: June 02, 2023, 11:27:03 am »
Hi!
Unfortunately, there is a one-line change required to have crowdsec 1.5+ pick up logs in opnsense. The release was tested with regular files but not symlinks.
You may not notice if you have additional scenarios and agents that don't acquire logs from symlinks, which is why for some people it's working.
The change is in /usr/local/etc/crowdsec/acquis.d/opnsense.yaml, just after force_inotify: true:
poll_without_inotify: true
followed by "# service crowdsec reload" or restart from the GUI
The fix has been merged in version 1.0.6 of the plugin.
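The one-line change described in this post can be applied idempotently with a small script. This is an added example, not part of the original post or the plugin's code; the helper names and the sample file contents are constructed for illustration, and only the two keys and the opnsense.yaml path come from the post.

```shell
#!/bin/sh
# Added example (not the plugin's code); helper names are hypothetical.

# Constructed sample of an acquisition file; the log path is a placeholder.
sample_acquis() {
    cat <<'EOF'
filenames:
  - /var/log/example/latest.log
force_inotify: true
labels:
  type: syslog
EOF
}

# Insert "poll_without_inotify: true" right after "force_inotify: true".
# Returns 0 if the key was added or was already set, 1 if there is no
# anchor line, 2 on I/O problems. A file that already sets the key
# (with any value) is left untouched.
ensure_poll_without_inotify() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if grep -Eq '^[[:space:]]*poll_without_inotify:' "$file"; then
        return 0
    fi
    grep -Eq '^[[:space:]]*force_inotify:[[:space:]]*true' "$file" || {
        echo "no 'force_inotify: true' in $file" >&2
        return 1
    }
    tmp=$(mktemp) || return 2
    # Reuse the anchor line's indentation so the YAML nesting stays valid.
    awk '
        { print }
        /^[ \t]*force_inotify:[ \t]*true/ {
            line = $0
            sub(/force_inotify:.*/, "poll_without_inotify: true", line)
            print line
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
}

# Usage: sh this_script.sh /usr/local/etc/crowdsec/acquis.d/opnsense.yaml
if [ $# -gt 0 ]; then
    ensure_poll_without_inotify "$1"
fi
```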
12
23.1 Legacy Series / Re: Update to 23.1.8 got stuck
« on: May 26, 2023, 09:59:53 am »
Hi, thanks for the report
I could not replicate the issue, downgrading to 1.0.3 - 1.4.6 - 0.0.23.rc2, they all updated and didn't require kill or reboot.
Between 0.0.23.rc2 and 0.0.27 the ip removal is a lot (100x) faster and we did a reworking of the concurrency and signal management so I strongly doubt the issue would happen again.
For 0.0.23.rc2 I could update the plugin to do the kill -9, but I thought that the "service" command would already do that.
I suspect the bouncer could be slow while removing banned ips one by one, so it would be harder to replicate on a fast machine or vm. I'll try with 200k+ decisions.
13
General Discussion / Re: Crowdsec not starting at boot - even tried on a fresh OPNsense install
« on: April 13, 2023, 12:35:41 pm »
Hello!
Which version of the plugin are you using?
Can you please check from the console "cscli machines list" - and the last heartbeat. If you have only one server, you should see only one machine.
Crowdsec has two parts - a client and a server, in the same executable. They talk through http. The column "name" in machines list should match the login value in /usr/local/etc/crowdsec/local_api_credentials.yaml. If they match, the password is wrong for some reason. Which I'd like to know -- for example in some nas hardware I've seen the random generator behave in a strange way.
Anyway, you don't need a running crowdsec to reset the password.
# cscli machines delete <machine-id>
# rm /usr/local/etc/crowdsec/local_api_credentials.yaml
# umask 077; cscli machines add --auto
and restart the service. If it still does not work, try providing an explicit password instead of --auto, and let me know
14
22.7 Legacy Series / Re: CrowdSec community blocklist not receiving all updates
« on: December 28, 2022, 11:38:11 am »
Hi,
can you test with the 1.4.3 package? It has not landed in opnsense ports yet: https://www.freshports.org/security/crowdsec/
# pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/crowdsec-1.4.3.pkg
15
General Discussion / Re: How to upgrade crowdsec ?
« on: November 28, 2022, 09:27:56 am »
Hi!
While Linux and Windows versions are released automatically, the FreeBSD one must follow a separate review/approval process (it's an official distribution package), so it lags a few days to get to the freebsd ports + a few days to land in the opnsense repository.
See the related ticket at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267808
and the package status page at https://www.freshports.org/security/crowdsec
If you need it now, I can send you a binary for testing.