Activity
  • Dec 17 2021 07:41
    @buixor banned @cronlabspl
Thibault "bui" Koechlin
@buixor
<3 great
Ricardo
@rmdes
oh and I have tested the AUR crowdsec packages and I can confirm it works fine on Arch
it was a bit tricky to get it to work (compared to ubuntu) but it all went fine
Thibault "bui" Koechlin
@buixor
can you let us know what was tricky or unexpected? afaik we're not the ones maintaining this, but we'll upstream changes if we can or distribute our own packages if it makes sense :)
Ricardo
@rmdes
my main problem was that NOT using sudo with cscli was driving me crazy
I would for example use cscli machines list
only to get "local API disabled"
then running the same command with sudo and seeing my firewall bouncer properly installed, valid & connected
took me way too much time to find out I had to use sudo cscli on arch (even if my user is part of wheel/root)
blotus
@blotus
yeah it's because only root can read the file that contains the credentials used to interact with crowdsec API
Sanjay Patel
@San_j_ay_twitter
is this similar to the honeypot project?
CrowdSec
@Crowd_Security_twitter
actually you can use it to make a HP but this is not the goal.
Consider it rather like a collaborative IPS (Intrusion Prevention System) where all users are not only protected against bad behavior seen in their logs but also by the global IP reputation mechanism that everyone is sharing.
When you install the product, it gets a list of bad IPs that are attacking a similar technological footprint to yours.
Sanjay Patel
@San_j_ay_twitter
how do you collect from IPS? Manual or auto?
CrowdSec
@Crowd_Security_twitter
it's fully automated. If you want to look at what your installed scenario blocked, you can use the command line "cscli"
david reid
@zathras777
just had to nuke my dashboard and reinstall it due to a password mismatch. likely my fault but still a little frustrating. any chance that some method could be added to find the password from the cscli app? also the "setup -f" hint i was given last time doesn't work as you still need to remove and then reinstall when it happens...
blotus
@blotus
hello @zathras777
the password is stored in /etc/crowdsec/metabase/metabase.yaml
XlllllllX
@XlllllllX
HI!
just a little word to say "upgraded w/o problem, one more time" :) Many thanks
blotus
@blotus
good to hear!
david reid
@zathras777
dashboard showing no machines or bouncers, cscli showed there to be one of each
so i tried registering the machine via cscli lapi and now have invalid credentials and can't start crowdsec or do anything via cscli. suggestions?
david reid
@zathras777
also, this probably isn't what I would have expected....
$ sudo /usr/bin/crowdsec -c /etc/crowdsec/config.yaml -no-api
WARN[0000] no credentials or URL found in api client configuration '/etc/crowdsec/local_api_credentials.yaml'
FATA[0000] missing local API credentials for crowdsec agent, abort
FATA[0000] missing local API credentials for crowdsec agent, abort
kinda assumed the -no-api flag would have allowed it to start? or maybe the help for that flag isn't as clear as it could be?
Thibault "bui" Koechlin
@buixor
@zathras777 ah it might be misleading, -no-api means that this agent is not going to run its own local api. But yes, seeing the help message, it could benefit from some clarification :D
david reid
@zathras777
ah. is it also worth having a flag for no local api client?
any suggestions how i recreate valid credentials so I can run crowdsec again?
Thibault "bui" Koechlin
@buixor
cscli machines add -a
david reid
@zathras777
thanks. recreated and running again...
of course now I've gone from 0 machines in the dashboard to showing 2! :-)
david reid
@zathras777
still no bouncers on main dashboard, but it shows on the data under bouncers OK? anything I can do to prod the dashboard into life?
XlllllllX
@XlllllllX
Hello!
in the web console, I can see ± 250 alerts about one of my IP (response tests). I used cscli alerts delete --ip xxx.xxx.xx.x that deleted only ± 40 alerts. How can I clean my IP from alerts please?
blotus
@blotus
Hello
Currently, this is not possible because crowdsec does not send us anything about deletion, but the next release of crowdsec will allow you to share with us information about custom/tainted scenarios, and deletion as well (this will be opt-in)
XlllllllX
@XlllllllX
Well… this IP is reported and blocked by CS (?)
We are talking just about the web console?
blotus
@blotus
yes
if this was only for testing, don't worry your IP has no chance of being redistributed to other users
you can send me the IP in private if you want, I can check the status if you want to be sure :)
XlllllllX
@XlllllllX
thanks for this, because it was for testing, but in "real"…
Lamera
@Lamera
I discovered a strange behavior in our custom-bouncer logfile. every 10s it tries to add the same ips over and over again.
we write the remediation ips to a text file. the ips are already blocked through this file. but the custom bouncer triggers an add over and over again for these ips.
Martin Schaible
@martin.schaible_gitlab
Today all my servers are displaying no agents, no scenarios and no bouncers in the Console. It looks like I'm not alone with this.
Any idea to fix this?
Thibault "bui" Koechlin
@buixor
Hello @martin.schaible_gitlab ! Thanks, we are looking into it!
Martin Schaible
@martin.schaible_gitlab
Would you like to have a screenshot?
Thibault "bui" Koechlin
@buixor
@martin.schaible_gitlab if you can share me privately the email used and the machines ID impacted, it would be nice :)
Martin Schaible
@martin.schaible_gitlab
@buixor Hold on for a min :-)
Thibault "bui" Koechlin
@buixor
I PM'ed you ;)
Klaus Agnoletti
@klausagnoletti_twitter
The link I pasted earlier for our new Discord has expired. If you want to join, please use this instead: https://discord.gg/wGN7ShmEE8
CrowdSec
@Crowd_Security_twitter
You asked this in Discord also, right?