Closed pixel1138 closed 6 months ago
Hello,
The issue is because we do not specify a specific version for our lua dependencies, and it looks like lua-resty-http got updated 2 days ago, and now requires lua-resty-string.
I've opened a PR to use the previous version while we check how to update to the latest version.
In the meantime, you should be able to fix your installation by running `luarocks install lua-resty-http 0.17.1-0` and restarting nginx.
@blotus Thank you for the quick response! Yes, that worked, I appreciate it!
Do you want me to close this?
It will close automatically once I merge the PR.
Understood. Thank you again!
The same problem exists with https://github.com/linuxserver/docker-mods/tree/swag-crowdsec, the operating system of the Docker SWAG is Alpine Linux 3.20
What happened?
After install using
apt install crowdsec-nginx-bouncer
nginx will not start due to error:
What did you expect to happen?
Nginx to start successfully and the bouncer to function.
How can we reproduce it (as minimally and precisely as possible)?
apt install crowdsec-nginx-bouncer
on Debian 12
Anything else we need to know?
nginx/stable,now 1.22.1-9 amd64 [installed,automatic]
Crowdsec version
Details
```
2024/03/02 19:37:30 version: v1.6.0-debian-pragmatic-amd64-4b8e6cd7
2024/03/02 19:37:30 Codename: alphaga
2024/03/02 19:37:30 BuildDate: 2024-01-24_11:01:12
2024/03/02 19:37:30 GoVersion: 1.21.3
2024/03/02 19:37:30 Platform: linux
2024/03/02 19:37:30 libre2: C++
2024/03/02 19:37:30 Constraint_parser: >= 1.0, <= 3.0
2024/03/02 19:37:30 Constraint_scenario: >= 1.0, <= 3.0
2024/03/02 19:37:30 Constraint_api: v1
2024/03/02 19:37:30 Constraint_acquis: >= 1.0, < 2.0
```
OS version
Details
```
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Linux meet 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
```
Enabled collections and parsers
Details
```
name,status,version,description,type
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-logs,enabled,1.5,Parse nginx access and error logs,parsers
crowdsecurity/sshd-logs,enabled,2.3,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.5,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.3,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.5,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.1,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.2,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.2,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.6,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.3,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.3,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.3,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.3,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-xss-probing,enabled,0.3,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.2,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.3,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.4,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.2,,contexts
crowdsecurity/base-http-scenarios,enabled,0.8,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,2.6,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.3,sshd support : parser and brute-force detection,collections
```
Acquisition config
Details
```
#Generated acquisition file - wizard.sh (service: nginx) / files : /var/log/nginx/error.log /var/log/nginx/access.log
filenames:
  - /var/log/nginx/error.log
  - /var/log/nginx/access.log
labels:
  type: nginx
---
#Generated acquisition file - wizard.sh (service: ssh) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log
filenames:
  - /var/log/syslog
  - /var/log/kern.log
labels:
  type: syslog
---
```
Config show
Details
```
Global:
  - Configuration Folder : /etc/crowdsec
  - Data Folder : /var/lib/crowdsec/data
  - Hub Folder : /etc/crowdsec/hub
  - Simulation File : /etc/crowdsec/simulation.yaml
  - Log Folder : /var/log
  - Log level : info
  - Log Media : file
Crowdsec:
  - Acquisition File : /etc/crowdsec/acquis.yaml
  - Parsers routines : 1
  - Acquisition Folder : /etc/crowdsec/acquis.d
cscli:
  - Output : human
  - Hub Branch :
API Client:
  - URL : http://10.33.0.2:8080/
  - Login :
```
Prometheus metrics
Details
```
Acquisition Metrics:
╭───────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│ Source                        │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├───────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/auth.log        │ 236        │ 133          │ 103            │ 395                    │
│ file:/var/log/kern.log        │ 307        │ -            │ 307            │ -                      │
│ file:/var/log/nginx/error.log │ 56         │ -            │ 56             │ -                      │
│ file:/var/log/syslog          │ 2.64k      │ -            │ 2.64k          │ -                      │
╰───────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Bucket Metrics:
╭─────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Bucket                              │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├─────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/ssh-bf                │ -             │ -         │ 74           │ 132    │ 74      │
│ crowdsecurity/ssh-bf_user-enum      │ -             │ -         │ 74           │ 74     │ 74      │
│ crowdsecurity/ssh-slow-bf           │ 3             │ 1         │ 6            │ 132    │ 2       │
│ crowdsecurity/ssh-slow-bf_user-enum │ 3             │ -         │ 11           │ 57     │ 8       │
╰─────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Metrics:
╭─────────────────────────────────┬───────┬────────┬──────────╮
│ Parsers                         │ Hits  │ Parsed │ Unparsed │
├─────────────────────────────────┼───────┼────────┼──────────┤
│ child-crowdsecurity/nginx-logs  │ 336   │ -      │ 336      │
│ child-crowdsecurity/sshd-logs   │ 1.39k │ 133    │ 1.26k    │
│ child-crowdsecurity/syslog-logs │ 3.18k │ 3.18k  │ -        │
│ crowdsecurity/dateparse-enrich  │ 133   │ 133    │ -        │
│ crowdsecurity/geoip-enrich      │ 133   │ 133    │ -        │
│ crowdsecurity/nginx-logs        │ 112   │ -      │ 112      │
│ crowdsecurity/non-syslog        │ 56    │ 56     │ -        │
│ crowdsecurity/sshd-logs         │ 212   │ 133    │ 79       │
│ crowdsecurity/syslog-logs       │ 3.18k │ 3.18k  │ -        │
│ crowdsecurity/whitelists        │ 133   │ 133    │ -        │
╰─────────────────────────────────┴───────┴────────┴──────────╯

Local API Decisions:
╭───────────────────────────┬──────────┬────────┬───────╮
│ Reason                    │ Origin   │ Action │ Count │
├───────────────────────────┼──────────┼────────┼───────┤
│ crowdsecurity/ssh-slow-bf │ crowdsec │ ban    │ 1     │
╰───────────────────────────┴──────────┴────────┴───────╯

Local API Alerts:
╭───────────────────────────┬───────╮
│ Reason                    │ Count │
├───────────────────────────┼───────┤
│ crowdsecurity/ssh-slow-bf │ 1     │
╰───────────────────────────┴───────╯
```
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
Details
The local parsers and bouncers are communicating with a remote security engine (LAPI).