CrowdSec · 3mo ago
ook

Manual decision disappear before expiration

Sometimes, in addition to custom scenarios, I add manual decisions with cscli, always for 96h, with the same reason (let’s say "Massive Leech"). For some minutes, I can still see the bans with `cscli decision list -s "Massive Leech"`, but after some minutes the decisions disappear, far before the expiration. How is it possible?
_KaszpiR_ · 3mo ago
Maybe the address matches some updates from the CrowdSec public lists, and if the IP is there and gets removed, then your manually added address is also removed.
ook (OP) · 3mo ago
Interesting, is there a way to dump the cs public list update?
_KaszpiR_ · 3mo ago
Install this: https://doc.crowdsec.net/u/bouncers/blocklist-mirror/. It allows you to check the currently banned IPs in plaintext form.
_KaszpiR_ · 3mo ago
Another idea is that the CrowdSec LAPI has too small a flush size, for example in /etc/crowdsec/config.yaml:
```yaml
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  flush:
    max_items: 5000
    max_age: 7d
```
This will keep up to 5000 items in the db, with a max age of 7d.
iiamloz · 3mo ago
@KaszpiR is on the right track. Because CAPI can issue long decision lengths, LAPI is designed to only keep the longest duration of the ones issued. Just note that the flush options are for alerts, not decisions; the alert is only flushed once the decision has expired.
ook (OP) · 3mo ago
So, does that mean the sqlite drops decisions after a given number of decisions added, like an LRU cleaning?
