I ran into the `Missing privilege separation directory: /var/run/sshd` problem again on a vanilla Debian 11 container and it was caused by sshd crashing/stopping. Still don't know why but it was resolved with a `service sshd restart`.
It seems when the service stops/crashes the socket takes over because I was still able to log in before the restart.
It was noticed because mail-in-a-box runs a status check every night which was running an `sshd -T`, which failed with the above error.
Oddly, I had to close the ssh socket connection (log out) and restart sshd from a local console, otherwise I couldn't log in even though the service said it was up.
More crowdsec info:
If you're using it in containers on a parent server and forwarding ports, make sure you enable the FORWARD rule in crowdsec-firewall-bouncer.yaml, otherwise bouncer blocks won't affect your forwarded traffic.
It's under active development so make sure you install the latest version.
Once you've learnt the cli tool it's pretty good, I prefer it over fail2ban now. If you like to use recidive to permanently block IPs, crowdsec has the advantage that you get a huge list of blacklisted community IPs out of the box.
The only issue I found was when an ssh rule breach occurred, there appeared to be an internal loop trying to process it which made 300,000 attempts. I raised it as an issue and nothing was done except a 'try the latest version' response even though the loop hadn't changed. I haven't checked back to see if the upgrade made a difference.
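The two checks the post describes (a nightly `sshd -T` that fails with `Missing privilege separation directory`, and the bouncer's FORWARD rule for forwarded container traffic) can be scripted so the failure is caught and classified before the next login attempt. The script below is an added example, not code from the post, mail-in-a-box or crowdsec. It assumes the privsep directory is `/run/sshd` (Debian has `/var/run` as a symlink to `/run`) and that the bouncer config lists chains under an `iptables_chains` key at `/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml`; both are assumptions about the stock packages, so adjust them if your install differs. The YAML fragments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): a nightly-style health check.
# 1) classify the result of `sshd -T`, flagging the privsep-directory failure
# 2) confirm the privsep directory exists (it is created when the service starts,
#    so its absence points at sshd not running rather than a config typo)
# 3) confirm crowdsec-firewall-bouncer.yaml has FORWARD enabled (uncommented)
# Assumptions: /run/sshd as privsep dir, `iptables_chains` as the config key,
# and the config path below; all are stock-package defaults, not from the post.

PRIVSEP_DIR=/run/sshd
BOUNCER_CFG=/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

# classify_sshd_test OUTPUT EXIT_STATUS
# Prints: ok | missing-privsep-dir | other-failure
classify_sshd_test() {
  out=$1
  status=$2
  if [ "$status" -eq 0 ]; then
    printf 'ok\n'
  elif printf '%s\n' "$out" | grep -q 'Missing privilege separation directory'; then
    printf 'missing-privsep-dir\n'
  else
    printf 'other-failure\n'
  fi
}

# privsep_dir_present DIR  -> exit 0 if the directory exists
privsep_dir_present() {
  [ -d "$1" ]
}

# bouncer_forward_enabled YAML_TEXT
# exit 0 if an uncommented "- FORWARD" list entry is present, 1 otherwise.
# A commented-out "#  - FORWARD" must not count, hence the anchored pattern.
bouncer_forward_enabled() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*-[[:space:]]*FORWARD[[:space:]]*$'
}

# Constructed sample config fragments (shape of the stock bouncer config):
SAMPLE_YAML_FORWARD_OFF='mode: iptables
iptables_chains:
  - INPUT
#  - FORWARD
#  - DOCKER-USER'
SAMPLE_YAML_FORWARD_ON='mode: iptables
iptables_chains:
  - INPUT
  - FORWARD
  - DOCKER-USER'

# run_checks: the live version, to be run as root from cron.
run_checks() {
  out=$(sshd -T 2>&1)
  status=$?
  verdict=$(classify_sshd_test "$out" "$status")
  printf 'sshd -T: %s\n' "$verdict"
  if privsep_dir_present "$PRIVSEP_DIR"; then
    printf 'privsep dir %s: present\n' "$PRIVSEP_DIR"
  else
    printf 'privsep dir %s: MISSING (is the sshd service running?)\n' "$PRIVSEP_DIR"
  fi
  if [ -r "$BOUNCER_CFG" ]; then
    if bouncer_forward_enabled "$(cat "$BOUNCER_CFG")"; then
      printf 'bouncer FORWARD chain: enabled\n'
    else
      printf 'bouncer FORWARD chain: NOT enabled (forwarded traffic not blocked)\n'
    fi
  fi
}

# Run the live checks only when invoked explicitly: ./check.sh --run
case "${1:-}" in
  --run) run_checks ;;
esac
```

Run it from cron as root with `--run`; a `missing-privsep-dir` verdict together with a missing `/run/sshd` is the combination the post describes, and the fix there was restarting the sshd service from a local console.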