Crowdsec creates new/stale remediation when the machine or container does not have static IP

[mgrimace]

What happened?

When using docker, and and the bouncer's container restarts (e.g., NPM, swag) or updates, Crowdsec spawns a new bouncer for it resulting in inactive bouncers that slowly accumulate. This occurs when the bouncer and Crowdsec are on the same docker network (e.g., 'homelab').

In my use, this happens with both NPM and Swag as bouncers in my two homelab environments, for example:

As far as I understand, Crowdsec is seeing that the bouncer has a new docker IP, and erroneously 'assumes' it is a new bouncer with a shared key, and automatically creates a new bouncer. Unfortunately, this leaves behind inactive bouncers. Also, deleting the inactive bouncer deletes all bouncers.

What did you expect to happen?

• Crowdsec can recognize that a bouncer on a shared docker network is not a 'new' bouncer if the container restarts, updates, etc.
• inactive bouncers can be removed/cleaned up without deleting the most-recent bouncer. Otherwise the user has to generate a new bouncer API key, etc., and redo the setup process.

How can we reproduce it (as minimally and precisely as possible)?

• Use docker compose, and create a stack with Crowdsec and Swag (or NPM, etc.)
• Put both services on the same docker network
• Run both according to standard guidelines (e.g., https://www.linuxserver.io/blog/blocking-malicious-connections-with-crowdsec-and-swag)
• Restart the bouncer container, pull a fresh update, etc., anything that generates a new docker IP.
• Monitor app.crowdsec.net for a new bouncer with bouncername@dockerIP, and an inactive bouncer with bouncername

Anything else we need to know?

No response

Crowdsec version

$ cscli version
# paste output here

version: v1.6.4-523164f6
Codename: alphaga
BuildDate: 2024-11-26_13:16:01
GoVersion: 1.23.3
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.4-523164f6-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_wineventlog

OS version

# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ uname -a
# paste output here
Linux docker 6.8.12-7-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-7 (2025-01-17T08:18Z) x86_64 GNU/Linux

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Enabled collections and parsers

$ cscli hub list -o raw
# paste output here
name,status,version,description,type
crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-proxy-manager-logs,enabled,0.3,Parse Nginx Proxy Manager access and error logs,parsers
crowdsecurity/sshd-logs,enabled,2.8,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,"enabled,tainted",?,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.6,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.4,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.2,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-generic-bf,enabled,0.8,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.2,Detect WordPress scan: vuln hunting,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.3,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.4,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.6,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.2,,contexts
crowdsecurity/base-http-scenarios,enabled,1.0,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,2.9,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx-proxy-manager,enabled,0.1,Nginx Proxy Manager support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.5,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.1,Good actors whitelists,collections

Acquisition config

```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* # paste output here

filenames:

• /var/log/npm/*.log
  labels:
  type: nginx-proxy-manager

On Windows:

C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml

paste output here

Config show

$ cscli config show
# paste output here
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : stdout
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              : 
API Client:
  - URL                     : http://0.0.0.0:8888/
  - Login                   : localhost
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:8888
  - Listen Socket           : 
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000

Prometheus metrics

$ cscli metrics
# paste output here
Acquisition Metrics:
╭────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source                                     │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/npm/fallback_access.log      │ 510        │ 458          │ 52             │ 854                    │ 9                 │
│ file:/var/log/npm/fallback_error.log       │ 420        │ 197          │ 223            │ 193                    │ -                 │
│ file:/var/log/npm/proxy-host-15_access.log │ 4          │ 4            │ -              │ 2                      │ -                 │
│ file:/var/log/npm/proxy-host-1_access.log  │ 7.17k      │ 7.17k        │ -              │ 5.28k                  │ -                 │
│ file:/var/log/npm/proxy-host-24_access.log │ 3.46k      │ 3.46k        │ -              │ 3.42k                  │ -                 │
│ file:/var/log/npm/proxy-host-24_error.log  │ 5          │ 1            │ 4              │ 1                      │ -                 │
│ file:/var/log/npm/proxy-host-2_access.log  │ 7          │ 7            │ -              │ 7                      │ -                 │
│ file:/var/log/npm/proxy-host-4_access.log  │ 1.70k      │ 1.70k        │ -              │ 1.70k                  │ -                 │
│ file:/var/log/npm/proxy-host-50_access.log │ 114        │ 114          │ -              │ 73                     │ -                 │
│ file:/var/log/npm/proxy-host-50_error.log  │ 3          │ 3            │ -              │ -                      │ -                 │
│ file:/var/log/npm/proxy-host-56_access.log │ 10         │ 10           │ -              │ 5                      │ -                 │
╰────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Local API Alerts:
╭────────────────────────────────────────────┬───────╮
│ Reason                                     │ Count │
├────────────────────────────────────────────┼───────┤
│ crowdsecurity/thinkphp-cve-2018-20062      │ 3     │
│ LePresidente/http-generic-403-bf           │ 11    │
│ crowdsecurity/CVE-2017-9841                │ 3     │
│ crowdsecurity/http-admin-interface-probing │ 1     │
│ crowdsecurity/http-crawl-non_statics       │ 2     │
│ crowdsecurity/http-probing                 │ 10    │
│ crowdsecurity/http-sensitive-files         │ 7     │
╰────────────────────────────────────────────┴───────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason                                     │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/CVE-2022-26134               │ CAPI   │ ban    │ 14    │
│ crowdsecurity/netgear_rce                  │ CAPI   │ ban    │ 276   │
│ crowdsecurity/CVE-2017-9841                │ CAPI   │ ban    │ 738   │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 8437  │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 9354  │
│ crowdsecurity/CVE-2023-22515               │ CAPI   │ ban    │ 4     │
│ crowdsecurity/CVE-2023-22518               │ CAPI   │ ban    │ 2     │
│ crowdsecurity/CVE-2023-49103               │ CAPI   │ ban    │ 181   │
│ crowdsecurity/CVE-2024-0012                │ CAPI   │ ban    │ 2     │
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 622   │
│ crowdsecurity/http-open-proxy              │ CAPI   │ ban    │ 2842  │
│ crowdsecurity/http-path-traversal-probing  │ CAPI   │ ban    │ 334   │
│ crowdsecurity/CVE-2019-18935               │ CAPI   │ ban    │ 61    │
│ ltsich/http-w00tw00t                       │ CAPI   │ ban    │ 2     │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI   │ ban    │ 136   │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI   │ ban    │ 24    │
│ crowdsecurity/grafana-cve-2021-43798       │ CAPI   │ ban    │ 3     │
│ crowdsecurity/http-cve-2021-41773          │ CAPI   │ ban    │ 657   │
│ crowdsecurity/http-generic-bf              │ CAPI   │ ban    │ 41    │
│ firehol_cruzit_web_attacks                 │ lists  │ ban    │ 13252 │
│ firehol_cybercrime                         │ lists  │ ban    │ 683   │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 37    │
│ crowdsecurity/CVE-2022-37042               │ CAPI   │ ban    │ 2     │
│ crowdsecurity/CVE-2022-44877               │ CAPI   │ ban    │ 1     │
│ crowdsecurity/http-admin-interface-probing │ CAPI   │ ban    │ 355   │
│ crowdsecurity/http-bad-user-agent          │ CAPI   │ ban    │ 11548 │
│ crowdsecurity/http-cve-2021-42013          │ CAPI   │ ban    │ 5     │
│ crowdsecurity/jira_cve-2021-26086          │ CAPI   │ ban    │ 15    │
│ firehol_greensnow                          │ lists  │ ban    │ 5984  │
│ crowdsecurity/CVE-2022-35914               │ CAPI   │ ban    │ 10    │
│ crowdsecurity/http-backdoors-attempts      │ CAPI   │ ban    │ 404   │
│ crowdsecurity/http-cve-probing             │ CAPI   │ ban    │ 30    │
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 9776  │
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 568   │
│ crowdsecurity/http-wordpress-scan          │ CAPI   │ ban    │ 3398  │
│ crowdsecurity/ssh-cve-2024-6387            │ CAPI   │ ban    │ 49    │
│ crowdsecurity/CVE-2024-9474                │ CAPI   │ ban    │ 2     │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Metrics:
╭────────────────────┬────────┬──────╮
│ Route              │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/alerts         │ POST   │ 9    │
│ /v1/decisions      │ GET    │ 9369 │
│ /v1/heartbeat      │ GET    │ 1697 │
│ /v1/usage-metrics  │ POST   │ 57   │
│ /v1/watchers/login │ POST   │ 29   │
╰────────────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────────────────────┬───────────────┬────────┬──────╮
│ Bouncer                 │ Route         │ Method │ Hits │
├─────────────────────────┼───────────────┼────────┼──────┤
│ [email protected] │ /v1/decisions │ GET    │ 9369 │
╰─────────────────────────┴───────────────┴────────┴──────╯

Local API Bouncers Decisions:
╭─────────────────────────┬───────────────┬───────────────────╮
│ Bouncer                 │ Empty answers │ Non-empty answers │
├─────────────────────────┼───────────────┼───────────────────┤
│ [email protected] │ 9281          │ 88                │
╰─────────────────────────┴───────────────┴───────────────────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│ Machine   │ Route         │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/alerts    │ POST   │ 9    │
│ localhost │ /v1/heartbeat │ GET    │ 1697 │
╰───────────┴───────────────┴────────┴──────╯

Parser Metrics:
╭──────────────────────────────────────────────┬────────┬────────┬──────────╮
│ Parsers                                      │ Hits   │ Parsed │ Unparsed │
├──────────────────────────────────────────────┼────────┼────────┼──────────┤
│ child-crowdsecurity/http-logs                │ 39.36k │ 34.52k │ 4.84k    │
│ child-crowdsecurity/nginx-proxy-manager-logs │ 14.64k │ 13.12k │ 1.52k    │
│ crowdsecurity/cdn-whitelist                  │ 10     │ 10     │ -        │
│ crowdsecurity/dateparse-enrich               │ 13.12k │ 13.12k │ -        │
│ crowdsecurity/geoip-enrich                   │ 13.11k │ 13.11k │ -        │
│ crowdsecurity/http-logs                      │ 13.12k │ 13.12k │ 1        │
│ crowdsecurity/nginx-proxy-manager-logs       │ 13.40k │ 13.12k │ 279      │
│ crowdsecurity/non-syslog                     │ 13.40k │ 13.40k │ -        │
│ crowdsecurity/rdns                           │ 10     │ 10     │ -        │
│ crowdsecurity/seo-bots-whitelist             │ 10     │ 10     │ -        │
│ crowdsecurity/whitelists                     │ 13.12k │ 13.12k │ -        │
╰──────────────────────────────────────────────┴────────┴────────┴──────────╯

Scenario Metrics:
╭────────────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario                                   │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├────────────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ LePresidente/http-generic-401-bf           │ -             │ -         │ 2            │ 3      │ 2       │
│ LePresidente/http-generic-403-bf           │ -             │ 21        │ 66           │ 200    │ 45      │
│ crowdsecurity/http-admin-interface-probing │ -             │ 2         │ 4            │ 12     │ 2       │
│ crowdsecurity/http-bad-user-agent          │ -             │ -         │ 5            │ 5      │ 5       │
│ crowdsecurity/http-crawl-non_statics       │ 5             │ 2         │ 10.52k       │ 10.90k │ 10.51k  │
│ crowdsecurity/http-probing                 │ -             │ 18        │ 98           │ 333    │ 80      │
│ crowdsecurity/http-sensitive-files         │ -             │ 6         │ 32           │ 78     │ 26      │
╰────────────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Whitelist Metrics:
╭──────────────────────────────────┬────────────────────────────────────┬───────┬─────────────╮
│ Whitelist                        │ Reason                             │ Hits  │ Whitelisted │
├──────────────────────────────────┼────────────────────────────────────┼───────┼─────────────┤
│ crowdsecurity/cdn-whitelist      │ CDN provider                       │ 10    │ -           │
│ crowdsecurity/seo-bots-whitelist │ good bots (search engine crawlers) │ 10    │ -           │
│ crowdsecurity/whitelists         │ private ipv4/ipv6 ip/ranges        │ 13120 │ 9           │

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

[github-actions]

@mgrimace: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[LaurenceJJones]

Hey thank you for a detailed report, I will update the title to reflect the actual issue. The issue is when the remediation connects using an API key the original key is tied to the IP address, when using docker (without static address) or not having static DHCP within your LAN, when the remediation connects to next time we check if the IP address has changed and if so we generate a new entry with the IP since the original key is tied to the older IP address.

Also I will take the time to go in detail with the report, but the details above should give an indication of what is happening.

[LaurenceJJones]

Hey we discussed this yesterday as a team, we will mark this as intended behavior moving forward as typically remediations will have static IP addresses on bare metal (webserver / firewalls) and will revise our documentation and example use cases to assign a static subnet.

We did explore if there was a way we could have it so CrowdSec could detect if the original remediation has stopped pulling then merge the newly created back to the original, however, with metrics this will cause alot of issues so we will not proceed with this.

[mgrimace]

Thank you for putting so much thought into this.

I can appreciate that this is the intended behavior for a bare-metal setup.

Specific to docker: Do you have any advice for a docker setup where docker networking would be the preferred/intended (or at least user-friendliest) method of linking Crowdsec to a remediation component (i.e., vs setting static internal docker IPs)? Messing with docker’s internal networking adds a layer of complexity that can be avoided (ideally) with simply putting both containers on a docker network.

Alternatively, would it be valid to rephrase this issue as [Feature Request] for docker networking support for remediation components to simplify setup? I know many ‘official’ guides (e.g., Swag) that I’ve referenced don’t speak to setting static internal docker IPs for their reverse proxies/remediation components and doing so may make docker support/etc easier in the long term.

Understandable however you want to proceed, I don’t have the skill to contribute what I’m suggesting myself. If that is not possible, would the workaround be as follows?:

• remove existing remediation components
• change docker compose or docker run for the remediation components to ensure docker has set a static IP (e.g., 172. or 10. which docker reserves for internal networking)
• re-link remediation components

Thanks again for all your work,