#Crowdsec Authentik bans not working?

so where is the service located on the system is it an systemd service or run inside docker?

Sorry I meant the webserver that is connected to it

as that how typically you would be connecting is via an auth layer

Okay, on crowdsec-firewall-bouncer did you enable the DOCKER_USER chain?

where the bouncer located then?

I thought LXC were container like? (dont use proxmox here 😄 )

ahhh, so yeah you need to enable DOCKER_USER via the config in /etc/crowdsec/bouncers/

then you might hit an issue about ipv6

If you using iptables yes

You can see which mode its in at the top of yaml there a mode key

Did you restart the service?

so if you run ipset list | grep <ip>

and if you run iptables -L | grep -i crowdsec

Okay I see it says one reference, so it hasnt placed it on docker chain, can you restart the firewall service

systemctl restart crowdsec-firewall-bouncer

Okay, and just to ask your not using an upstream proxy like cloudflare?

Yeah that means the firewall is bypassed as its layer 4 it cant see the real IP

it can only see cloudflares IP

Yeah it doesnt matter though, as it iptables that cant see it

Use a remediation that on a higher layer such a 7, and the only issue is NPM doesnt support crowdsec unless you use a fork

example: https://github.com/ZoeyVid/NPMplus

Course 👍

Yes as the firewall needs to be installed on there, however, this does not negate the fact that using cloudflare still impact the firewall rules.

check the logs but it should only take up to 10 seconds to regain access

Yeah that an issue with the appsec, did you enable it within crowdsec itself?

so if you run sudo ss -lntp

I can see npm seems to be using docker-proxies? so what did you set LAPI and appsec url to be?

cause NPMPlus recommends to use network mode host

https://tenor.com/view/dancing-cat-dance-cat-cat-meme-chinese-cat-gif-12629347036627000898

well mostly there an issue which I cant replicate when you auth with authentik or authelia the appsec stops introspecting some requests, but I cant replicate the issue so may or may not happen but the ban stuff will always work

So you have 2 installs?

but I mean 2 crowdsecs

you can do this https://www.crowdsec.net/blog/multi-server-setup

basically one crowdsec acts as the "main source" of truth, whilst the other pushes alerts to it

then the remediations have to both be configured to speak to the "main source" of truth meaning all decisions are centrally listed

so if you remove / add from either machine, it will be propogated to both remediations

up to you it can be either

or some people like to have dedicated LAPI server

either way is fine, just up to you and how time/resource you want to spend 😅

Yeah just remove the BAN_TEMPLATE from the bouncer config

this will return the 403 forbidden page by nginx, however, you can "drop" the connection but it may not play well with cloudflare as they think your service is not doing okay (I use quotes because it not officially a drop but nginx offers a special status code)

since you change it to the an internal IP you have to update local_api_credentials.yaml with the same IP

as now it no longer available on 127.0.0.1

did you update the npmplus configuration to point to the same lapi? (remember the api keys need to be regenerated on the lapi)

when adding new machines/bouncer you must use the cscli on the lapi node

yeah that is just the crowdsec install, you also need to configure npmplus

obviously -u should be updated with the IP address of the actual server

Ahhh I see

add this env var

LOCAL_API_URL    http://0.0.0.0:8080    The LAPI URL, you need to change this when DISABLE_LOCAL_API is true: -e LOCAL_API_URL="http://lapi-address:8080"

but if you only use it as an agent node

you have to add also DISABLE_LOCAL_API

ye

I dont think its a ban decision

i think the npmplus config is not correct

chekc the npmplus logs

all good let me know 👍

Like I said earlier you need to regenerate the api key via cscli bouncers add on the lapi node

And then you need to point the npmplus to speak to the other machine

Yeah however the guide doesn't go over remediation.

For remediation you have to point them towards the remote LAPI

Okay so what's the configured LAPI?

Yeah so on the host that I'd 192.168.1.19 did you create a new api key for npm-plus?

No, bouncer and machines are two different things

NPMplus needs a api key, you generate it via cscli bouncers add on the main lapi node

Yeah it can be what you want to name it

I just saw you posted your bouncer config on discussion the api URL is still 127.0.0.1?

I thought the IP above was the LAPI? If so you change this value to be that IP address

Your only change the api url not appsec right?

Yes but remember to include the port so if 8080 make sure it there

Yes but as api key

Is that the authelia host or the NPM plus host, ATM just forgot about the crowdsec on npm-plus host

So I'm confused

Is 192.168.1.19 authelia or npm?

Okay so your updated NPM to point towards .19?

With an api key that was generated on said host

Okay, so cause you have appsec npm-plus will block the request if it fails, so did you add the to environment variables above the container?

NPM-plus is rebooting or you mean crowdsec on npm-plus ?

It good to be specific

She telling you how to do it with a local api not a remote api, you didn't really explain that

The only issue left is your crowdsec is boot looping so your appsec can't communicate once you resolve the boot loops this is the only piece left

So when you added the container environment did you stop, delete and recreate the crowdsec container

Hmm for the crowdsec environment key for disable local api try all lowercase

that npm plus no?

you dont need to setup remediation on the LAPI if it not actually exposed / hosting stuff

Yeah like I said before the cscli bouncers add must be ran on the LAPI machine

Yeah but you already have firewall and npmplus?

no

so which remediation other than npmplus and firewall do you also need to install?

you can skip 3b if you already have it installed, it just a setup from 0 guide, if you already have stuff installed you can skip that part

The LAPI doesn't need a remediation

You just need to generate a bouncer api key on the lapi then add it to the npm-plus config and change the lapi URL to the lapi node

Yes

Plus you need to change enabled to true

Cool no errors in any logs?

Yeah metrics are per node so the lapi will show alerts/decisions

But npm will show appsec and parsers metrics

Yeah cause wasn't you using cloudflare?

What? You have a LAPI server so all installs should point towards that server

You don't have too

Only if the server is exposed and handles remote connections

Yeah but it doesn't need a lapi

Cause you have a seperate lapi server

Yeah but that is why you have the register command and you point NPM to the lapi IP

No the local crowdsec reads the logs of NPM and then reports to the external LAPI

But I read it wrong but yeah that's the idea

NPM crowdsec - > LAPI < - NPMPlus

So the LAPI is the central location

Yeah

Well technically speaking npmplus reaches out to LAPI to check

Maybe it not clear but npmplus prepackages a bouncer

It already there

That's the crowdsec.conf

Is the bouncer config

That's why I was so confused

Hmmmm

I would only say that if you use docker and don't enable docker ipv6.

But all your services go through NPM?

Then it's a non issue

As npm will remediate everything for you now

Check the npm logs

Plus the crowdsec logs as well

On the lapi node

Isn't that cloudflare net?

Is it bare metal or container?

cat /var/log/crowdsec*.log

Hmm does authelia and npm both running in docker?

Okay so that localhost suggests it having issue logging in

If you check the npm crowdsec logs

On that machine can you find the local api credentials file

Should be within /opt/crowdsec/conf/

Just a thing to note I think the credentials is messed up hence the ent machine not found so think after a couple of hours it may start producing errors.

So once you found the file it be best to run on the LAPI node

cscli machines add --username localhost --password <password in local api file> -f- > /dev/null

Let me know if the username in that file is not localhost

Did you add it as

cscli decisions add --range 192.168.1.0/24

either as the proxy should send it across to the lapi

yeah but remember if you go to the website via cloudflare it will get your WAN

Yeah cause if the website is proxied by cloudflare then it all goes through cloudflare

if you check the api logs on the LAPI do you see npm reaching out?

there should be a /var/log/crowdsec_api.log as well

can you check that one

yeah but there should also be a request to /v1/decisions

so you dont see npmplus?

i see caddy but no npmplus

No but since all decisions are centralised it doesnt matter where it originated, all bouncers get the same list

as long as your using unqiue keys per bouncer

Decisions dont come from caddy, can you within caddy config turn on disable_streaming option so we can see which IP caddy is checking

@long crypt has reached level 7. GG!

well you should point your caddy to the central LAPI, so the logs on the lapi server

yeah but is caddy pointing towards it?

as in the configure LAPI settings

here:

  crowdsec {
    api_url http://localhost:8080 ## this should be 192.168.1.19:8080
    api_key <api_key>
    ticker_interval 15s
    appsec_url http://localhost:7422
    #disable_streaming
    #enable_hard_fails
  }

and api key is not the same as npmplus?

great and restarting caddy do you see any requests to the api logs on the lapi?

Okay, then did you configure any routes to use the crowdsec module?

localhost:8443 {
  route {
    crowdsec ## this enables blocking for this route
    respond "Allowed by Bouncer!"
  }
}

an example

Okay but on the proxied address is the the crowdsec module added to it, cause by default you have to apply it to ones you want

I dont use caddy so limited knowledge here

yeah but he only shows the firewall blocking, he doesnt show caddy itself

I found this is helpful

your-hostname.com {
    route {
        crowdsec
    }
    reverse_proxy http://192.168.1.23:3000
}

or move the reverse proxy into the route object

hmmm that would suggest that you havent build the custom caddy using xcaddy but let me know

But did you place the binary in the right location?

hmm this would suggest that the content type header does not match the actual content so it doesnt know how to display it.

Yeah typically it should return a content type that matches the body, but caddy (remeidation) doesnt support ban templates at the moment so it should return "text/plain" as the option, but I dont really know what caddy returns if there is no explicit type set by a middleware

cause if it not set explicitly then its up to the client to make a judgement which leads to unexpected outcomes depending on the device

https://github.com/hslatman/caddy-crowdsec-bouncer/issues/68

Yeah caddy is just really well put together, I still use nginx but for most people who want a quick get up and running I always suggest caddy or traefik nowadays

i like nginx cause I used it for 10 years now so im pretty use to the configuration

The status code afaik is not configurable unless I missed an option

but 403 is fine

403 means unauthorised and typically the client or app or whatever should use this code to not send another request