crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License
8.1k stars 419 forks

crowdsec-firewall-bouncer won't start after changing port from 8080 -> 9090 #3096

Closed Orgoth closed 2 days ago

Orgoth commented 2 days ago

What happened?

I needed to change the port of crowdsec from 8080 to 9090 since another process needs this port. After changing the configs to 9090, the crowdsec-firewall-bouncer won't start anymore, without a helpful error message.

```console
$ /usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
time="26-06-2024 11:01:33" level=fatal msg="process terminated with error: bouncer stream halted"
```

What did you expect to happen?

It should start. :)

How can we reproduce it (as minimally and precisely as possible)?

  1. new server instance of ubuntu
  2. run a nodejs server on port 8080
  3. Install the current version of crowdsec and firewall-bouncer-iptables.
  4. change port from 8080 to 9090 in /etc/crowdsec/config.yaml and /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
  5. restart crowdsec
  6. restart crowdsec-firewall-bouncer-iptables

crowdsec itself starts without errors, firewall-bouncer won't.

test:

```console
$ /usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
time="26-06-2024 11:01:33" level=fatal msg="process terminated with error: bouncer stream halted"
```

Anything else we need to know?

No response

Crowdsec version

```console
$ cscli version
version: v1.6.2-debian-pragmatic-amd64-16bfab86
Codename: alphaga
BuildDate: 2024-05-31_09:18:01
GoVersion: 1.22.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.2-debian-pragmatic-amd64-16bfab86-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
# On Linux:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
$ uname -a
4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
```

Enabled collections and parsers

```console
$ cscli hub list -o raw
name,status,version,description,type
crowdsecurity/apache2-logs,enabled,1.4,Parse Apache2 access and error logs,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.4,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/mariadb-logs,enabled,0.4,Parse MariaDB logs,parsers
crowdsecurity/mysql-logs,enabled,0.4,Parse MySQL logs,parsers
crowdsecurity/sshd-logs,enabled,2.3,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,"enabled,local",,,parsers
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.6,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.4,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bf-wordpress_bf,enabled,0.7,Detect WordPress bruteforce on admin interface,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.2,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.2,cve-2021-42013,scenarios
crowdsecurity/http-cve-probing,enabled,0.2,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-generic-bf,enabled,0.6,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.2,Detect WordPress scan: vuln hunting,scenarios
crowdsecurity/http-wordpress_user-enum,enabled,0.3,Detect WordPress probing: authors enumeration,scenarios
crowdsecurity/http-wordpress_wpconfig,enabled,0.3,Detect WordPress probing: variations around wp-config.php by wpscan,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.3,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/mariadb-bf,enabled,0.2,Detect mariadb bruteforce,scenarios
crowdsecurity/mysql-bf,enabled,0.2,Detect mysql bruteforce,scenarios
crowdsecurity/netgear_rce,enabled,0.3,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.6,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.2,,contexts
crowdsecurity/apache2,"enabled,tainted",0.1,apache2 support : parser and generic http scenarios ,collections
crowdsecurity/base-http-scenarios,"enabled,tainted",1.0,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,2.6,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/mariadb,enabled,0.1,mariadb support : logs and brute-force scenarios,collections
crowdsecurity/mysql,enabled,0.1,mysql support : logs and brute-force scenarios,collections
crowdsecurity/sshd,enabled,0.3,sshd support : parser and brute-force detection,collections
crowdsecurity/wordpress,enabled,0.5,wordpress: Bruteforce protection and config probing,collections
```

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
#Generated acquisition file - wizard.sh (service: apache2) / files : /var/log/apache2/access_bastelecke_ssl.log /var/log/apache2/access_wohngebaeudeversicherung_ssl.log /var/log/apache2/access_hoymiles_shop.log /var/log/apache2/access_fibu_api.log /var/log/apache2/access_ocr_proxy.log /var/log/apache2/error_fibu_api.log /var/log/apache2/error.log /var/log/apache2/error_fibu_live.log /var/log/apache2/error_fibu_tools.log /var/log/apache2/access_fibu_app.log /var/log/apache2/error_online-fibu24.log /var/log/apache2/access_calc_buchhalter-netzwerk.log /var/log/apache2/access_wechselrichter_versand_ssl.log /var/log/apache2/access_fibu_live.log /var/log/apache2/other_vhosts_access.log /var/log/apache2/access_ocr_distributor.log /var/log/apache2/access_online-fibu24.log /var/log/apache2/access_archive.log /var/log/apache2/access_hoymiles_shop_ssl.log /var/log/apache2/error_archive.log /var/log/apache2/access_wohngebaeudeversicherung.log /var/log/apache2/access_wg_next_ssl.log /var/log/apache2/access_fibu_tools.log
filenames:
  - /var/log/apache2/access_bastelecke_ssl.log
  - /var/log/apache2/access_wohngebaeudeversicherung_ssl.log
  - /var/log/apache2/access_hoymiles_shop.log
  - /var/log/apache2/access_fibu_api.log
  - /var/log/apache2/access_ocr_proxy.log
  - /var/log/apache2/error_fibu_api.log
  - /var/log/apache2/error.log
  - /var/log/apache2/error_fibu_live.log
  - /var/log/apache2/error_fibu_tools.log
  - /var/log/apache2/access_fibu_app.log
  - /var/log/apache2/error_online-fibu24.log
  - /var/log/apache2/access_calc_buchhalter-netzwerk.log
  - /var/log/apache2/access_wechselrichter_versand_ssl.log
  - /var/log/apache2/access_fibu_live.log
  - /var/log/apache2/other_vhosts_access.log
  - /var/log/apache2/access_ocr_distributor.log
  - /var/log/apache2/access_online-fibu24.log
  - /var/log/apache2/access_archive.log
  - /var/log/apache2/access_hoymiles_shop_ssl.log
  - /var/log/apache2/error_archive.log
  - /var/log/apache2/access_wohngebaeudeversicherung.log
  - /var/log/apache2/access_wg_next_ssl.log
  - /var/log/apache2/access_fibu_tools.log
labels:
  type: apache2
---
#Generated acquisition file - wizard.sh (service: ssh) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: mysql) / files :
journalctl_filter:
  - _SYSTEMD_UNIT=mysql.service
labels:
  type: mysql
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log
filenames:
  - /var/log/syslog
  - /var/log/kern.log
labels:
  type: syslog
---
cat: '/etc/crowdsec/acquis.d/*': No such file or directory
```

Config show

```console
$ cscli config show
Global:
  - Configuration Folder : /etc/crowdsec
  - Data Folder          : /var/lib/crowdsec/data
  - Hub Folder           : /etc/crowdsec/hub
  - Simulation File      : /etc/crowdsec/simulation.yaml
  - Log Folder           : /var/log
  - Log level            : info
  - Log Media            : file
Crowdsec:
  - Acquisition File     : /etc/crowdsec/acquis.yaml
  - Parsers routines     : 1
  - Acquisition Folder   : /etc/crowdsec/acquis.d
cscli:
  - Output               : human
  - Hub Branch           :
API Client:
  - URL                  : http://127.0.0.1:9090/
  - Login                : 0b88819939fe4782923010c89964af24dRYhuLeRUGb79pXt
  - Credentials File     : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL           : 127.0.0.1:9090
  - Listen Socket        :
  - Profile File         : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type             : sqlite
      - Path             : /var/lib/crowdsec/data/crowdsec.db
      - Flush age        : 7d
      - Flush size       : 5000
```

Prometheus metrics

```console
$ cscli metrics
Acquisition Metrics:
╭───────────────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source                                                    │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/apache2/access_archive.log                  │ 3          │ 3            │ -              │ 7                      │ -                 │
│ file:/var/log/apache2/access_bastelecke_ssl.log           │ 4          │ 4            │ -              │ 4                      │ -                 │
│ file:/var/log/apache2/access_calc_buchhalter-netzwerk.log │ 127        │ 127          │ -              │ 8                      │ -                 │
│ file:/var/log/apache2/access_fibu_api.log                 │ 2          │ 2            │ -              │ 2                      │ -                 │
│ file:/var/log/apache2/access_fibu_live.log                │ 1.95k      │ 1.95k        │ -              │ 151                    │ -                 │
│ file:/var/log/apache2/access_fibu_tools.log               │ 34         │ 34           │ -              │ 10                     │ -                 │
│ file:/var/log/apache2/access_hoymiles_shop.log            │ 27         │ 27           │ -              │ 7                      │ -                 │
│ file:/var/log/apache2/access_hoymiles_shop_ssl.log        │ 83         │ 83           │ -              │ 25                     │ -                 │
│ file:/var/log/apache2/access_ocr_distributor.log          │ 4.45k      │ 4.45k        │ -              │ 210                    │ -                 │
│ file:/var/log/apache2/access_ocr_proxy.log                │ 4.82k      │ 4.82k        │ -              │ -                      │ 3.94k             │
│ file:/var/log/apache2/access_online-fibu24.log            │ 16         │ 16           │ -              │ 10                     │ -                 │
│ file:/var/log/apache2/access_wohngebaeudeversicherung.log │ 2          │ 2            │ -              │ 1                      │ -                 │
│ file:/var/log/apache2/error.log                           │ 12         │ -            │ 12             │ -                      │ -                 │
│ file:/var/log/apache2/error_archive.log                   │ 2          │ 2            │ -              │ -                      │ -                 │
│ file:/var/log/apache2/error_fibu_api.log                  │ 1          │ 1            │ -              │ -                      │ -                 │
│ file:/var/log/apache2/other_vhosts_access.log             │ 37         │ 37           │ -              │ 42                     │ -                 │
│ file:/var/log/auth.log                                    │ 1.02k      │ -            │ 1.02k          │ -                      │ -                 │
│ file:/var/log/syslog                                      │ 2.11k      │ -            │ 2.11k          │ -                      │ -                 │
│ journalctl:journalctl-_SYSTEMD_UNIT=mysql.service         │ 1          │ -            │ 1              │ -                      │ -                 │
╰───────────────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason                                     │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/CVE-2022-37042               │ CAPI   │ ban    │ 1     │
│ crowdsecurity/CVE-2023-22515               │ CAPI   │ ban    │ 1     │
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 2542  │
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 171   │
│ crowdsecurity/CVE-2019-18935               │ CAPI   │ ban    │ 3     │
│ crowdsecurity/http-cve-probing             │ CAPI   │ ban    │ 5     │
│ crowdsecurity/http-open-proxy              │ CAPI   │ ban    │ 1003  │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 2897  │
│ crowdsecurity/http-backdoors-attempts      │ CAPI   │ ban    │ 155   │
│ crowdsecurity/netgear_rce                  │ CAPI   │ ban    │ 10    │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI   │ ban    │ 75    │
│ ltsich/http-w00tw00t                       │ CAPI   │ ban    │ 3     │
│ crowdsecurity/CVE-2017-9841                │ CAPI   │ ban    │ 84    │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 32    │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI   │ ban    │ 5     │
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 248   │
│ crowdsecurity/http-path-traversal-probing  │ CAPI   │ ban    │ 155   │
│ crowdsecurity/http-wordpress_user-enum     │ CAPI   │ ban    │ 523   │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 5800  │
│ crowdsecurity/http-cve-2021-42013          │ CAPI   │ ban    │ 1     │
│ crowdsecurity/http-generic-bf              │ CAPI   │ ban    │ 12    │
│ crowdsecurity/http-wordpress-scan          │ CAPI   │ ban    │ 197   │
│ crowdsecurity/http-wordpress_wpconfig      │ CAPI   │ ban    │ 39    │
│ crowdsecurity/mysql-bf                     │ CAPI   │ ban    │ 24    │
│ crowdsecurity/CVE-2022-26134               │ CAPI   │ ban    │ 4     │
│ crowdsecurity/http-admin-interface-probing │ CAPI   │ ban    │ 105   │
│ crowdsecurity/mariadb-bf                   │ CAPI   │ ban    │ 4     │
│ crowdsecurity/CVE-2023-49103               │ CAPI   │ ban    │ 79    │
│ crowdsecurity/f5-big-ip-cve-2020-5902      │ CAPI   │ ban    │ 1     │
│ crowdsecurity/http-bf-wordpress_bf         │ CAPI   │ ban    │ 636   │
│ crowdsecurity/jira_cve-2021-26086          │ CAPI   │ ban    │ 26    │
│ crowdsecurity/http-cve-2021-41773          │ CAPI   │ ban    │ 159   │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ GET    │ 1    │
│ /v1/decisions/stream │ GET    │ 1    │
│ /v1/heartbeat        │ GET    │ 56   │
│ /v1/watchers/login   │ POST   │ 2    │
╰──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│ Machine                                          │ Route         │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ 0b88819939fe4782923010c89964af24dRYhuLeRUGb79pXt │ /v1/alerts    │ GET    │ 1    │
│ 0b88819939fe4782923010c89964af24dRYhuLeRUGb79pXt │ /v1/heartbeat │ GET    │ 56   │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Parser Metrics:
╭──────────────────────────────────┬────────┬────────┬──────────╮
│ Parsers                          │ Hits   │ Parsed │ Unparsed │
├──────────────────────────────────┼────────┼────────┼──────────┤
│ child-crowdsecurity/apache2-logs │ 11.59k │ 11.56k │ 27       │
│ child-crowdsecurity/http-logs    │ 34.68k │ 26.82k │ 7.86k    │
│ child-crowdsecurity/mysql-logs   │ 2      │ -      │ 2        │
│ child-crowdsecurity/sshd-logs    │ 55     │ -      │ 55       │
│ child-crowdsecurity/syslog-logs  │ 3.12k  │ 3.12k  │ -        │
│ crowdsecurity/apache2-logs       │ 11.57k │ 11.56k │ 12       │
│ crowdsecurity/dateparse-enrich   │ 11.56k │ 11.56k │ -        │
│ crowdsecurity/geoip-enrich       │ 11.45k │ 11.45k │ -        │
│ crowdsecurity/http-logs          │ 11.56k │ 11.45k │ 115      │
│ crowdsecurity/mysql-logs         │ 1      │ -      │ 1        │
│ crowdsecurity/non-syslog         │ 11.57k │ 11.57k │ -        │
│ crowdsecurity/sshd-logs          │ 5      │ -      │ 5        │
│ crowdsecurity/syslog-logs        │ 3.12k  │ 3.12k  │ -        │
│ crowdsecurity/whitelists         │ 11.56k │ 11.56k │ -        │
╰──────────────────────────────────┴────────┴────────┴──────────╯

Scenario Metrics:
╭────────────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario                                   │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├────────────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-admin-interface-probing │ -             │ -         │ 1            │ 1      │ 1       │
│ crowdsecurity/http-crawl-non_statics       │ -             │ -         │ 191          │ 453    │ 191     │
│ crowdsecurity/http-probing                 │ -             │ -         │ 15           │ 22     │ 15      │
│ crowdsecurity/http-sensitive-files         │ -             │ -         │ 1            │ 1      │ 1       │
╰────────────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Whitelist Metrics:
╭──────────────────────────┬──────────────┬───────┬─────────────╮
│ Whitelist                │ Reason       │ Hits  │ Whitelisted │
├──────────────────────────┼──────────────┼───────┼─────────────┤
│ crowdsecurity/whitelists │ my ip ranges │ 11560 │ 3938        │
╰──────────────────────────┴──────────────┴───────┴─────────────╯
```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

github-actions[bot] commented 2 days ago

@Orgoth: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

LaurenceJJones commented 2 days ago


Did you also change the /etc/crowdsec/local_api_credentials.yaml to point towards the same port? The fatal is happening because it didn't get a response on port 9090 since most likely CrowdSec failed to start.

Most likely CrowdSec is not failing because you have an HTTP server on port 8080, so it is sending them to your nodejs app.

Orgoth commented 2 days ago

Yes, I did change the file, forgot to mention.

```yaml
url: http://127.0.0.1:9090
login: 0b88819939fe4782923010c8996.....
password: hWdvnIfkD2S7qACWFEvigN9CB.....
```

LaurenceJJones commented 2 days ago

> Yes, I did change the file, forgot to mention.
>
> url: http://127.0.0.1:9090
> login: 0b88819939fe4782923010c8996.....
> password: hWdvnIfkD2S7qACWFEvigN9CB.....

And if you run sudo ss -lntp you see CrowdSec currently using that port?

Orgoth commented 2 days ago

yes

```console
LISTEN   0   128   127.0.0.1:9090   0.0.0.0:*   users:(("crowdsec",pid=16630,fd=27))
```

netstat:

```console
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      16630/crowdsec
```

LaurenceJJones commented 2 days ago

Interesting, if you look at the CrowdSec logs is there anything interesting? /var/log/crowdsec.log ? maybe bouncer not found or something?

Orgoth commented 2 days ago

Only this message contained bouncer:

```console
time="2024-06-26T10:33:39+02:00" level=error msg="while fetching bouncer info: ent: bouncer not found" ip=127.0.0.1
```

LaurenceJJones commented 2 days ago

> Only this message contained bouncer:
>
> time="2024-06-26T10:33:39+02:00" level=error msg="while fetching bouncer info: ent: bouncer not found" ip=127.0.0.1

It's complaining that the API key in the bouncer configuration does not exist within the database. You can generate a new one via `cscli bouncers add <name>`
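
The two checks this thread walks through (does every config point at the port LAPI listens on, and does LAPI know the bouncer's key), as an added example that is not part of the original thread or the project's code. The key names `listen_uri`, `url`, `api_url` and `api_key` are assumed to be those of the stock config files; the sample directories and credentials are constructed, and the log line is the one quoted above.

```shell
#!/bin/sh
# Offline triage for "bouncer stream halted": endpoint mismatch vs. unknown key.

# yaml_value FILE KEY: first scalar value of KEY, quotes stripped.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# endpoint VALUE: reduce "http://host:port/" or "host:port" to "host:port".
endpoint() {
    ep=${1#*://}
    printf '%s\n' "${ep%%/*}"
}

# diagnose DIR: compare the three endpoints, then look for a rejected key.
# Plain string comparison, so "localhost" and "127.0.0.1" count as different.
diagnose() (
    lapi=$(endpoint "$(yaml_value "$1/config.yaml" listen_uri)")
    creds=$(endpoint "$(yaml_value "$1/local_api_credentials.yaml" url)")
    bouncer=$(endpoint "$(yaml_value "$1/crowdsec-firewall-bouncer.yaml" api_url)")
    if [ "$creds" != "$lapi" ]; then
        echo "credentials-endpoint-mismatch $creds != $lapi"
    elif [ "$bouncer" != "$lapi" ]; then
        echo "bouncer-endpoint-mismatch $bouncer != $lapi"
    elif grep -q 'bouncer not found' "$1/crowdsec.log"; then
        # LAPI answered but does not know the key: register a new one with
        # `cscli bouncers add <name>` and store it in the bouncer's api_key.
        echo "bouncer-key-unknown"
    else
        echo "ok"
    fi
)

# make_sample DIR BOUNCER_PORT LOG_LINE: write a constructed config set.
make_sample() {
    mkdir -p "$1"
    cat > "$1/config.yaml" <<EOF
api:
  server:
    listen_uri: 127.0.0.1:9090
EOF
    cat > "$1/local_api_credentials.yaml" <<EOF
url: http://127.0.0.1:9090
login: constructed-machine-id
password: constructed-password
EOF
    cat > "$1/crowdsec-firewall-bouncer.yaml" <<EOF
api_url: http://127.0.0.1:$2/
api_key: constructed-api-key
EOF
    printf '%s\n' "$3" > "$1/crowdsec.log"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# a: bouncer still on the old port; b: ports agree, key rejected; c: healthy.
make_sample "$tmp/a" 8080 ''
make_sample "$tmp/b" 9090 'time="2024-06-26T10:33:39+02:00" level=error msg="while fetching bouncer info: ent: bouncer not found" ip=127.0.0.1'
make_sample "$tmp/c" 9090 ''
for d in a b c; do
    printf '%s: %s\n' "$d" "$(diagnose "$tmp/$d")"
done
```

On a real host, point `diagnose` at a directory holding copies of the four files; the packaged paths for three of them appear earlier in the thread.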

Orgoth commented 2 days ago

Thank you this has fixed the issue. But strange, I have to do this, when changing only the port. :) I will include this note in my documentation on setting up servers.

Have a nice day.

LaurenceJJones commented 2 days ago

> Thank you this has fixed the issue. But strange, I have to do this, when changing only the port. :) I will include this note in my documentation on setting up servers.
>
> Have a nice day.

Did you change the database at all? Normally, upon installation, it will generate the key; there are only two ways this can be affected:

Orgoth commented 2 days ago

I had installed an old version 1.4.x with the old instructions. https://docs.crowdsec.net/docs/v1.4.0/getting_started/install_crowdsec

Today I realized, the installation routine has changed. I then uninstalled crowdsec and the bouncer.

apt --purge remove crowdsec crowdsec-firewall-bouncer-iptables

Then followed the installation instructions for 1.6. https://docs.crowdsec.net/docs/getting_started/install_crowdsec

Then tried to change the port to 9090 and faced the issue.