CrowdSec: IDS/IPS/WAF Community

pfSense bouncer not pulling decisions?

Hi, I have lots of "GET /v1/decisions/stream?additional_pull=false&community_pull=false HTTP/1.1 200 77.717412ms "crowdsec-firewall-bouncer/v0.0.33-freebsd-cb8b3e3c" in crowdsec_api.log. cscli lapi status:...

Distribution mode cross region

I set up distribution mode with a single LAPI (server) and multiple Openresty bouncer + Appsec (agents). If the agent is in the same AZ region as the server there is no issue. But if the agent is in a different AZ region, e.g. US-SG, there is an issue as below: -crowdsec.log (agent) : time="2025-12-03T08:03:34Z" level=error msg="Error checking auth for API key: Head "http://51.xxx.xxx.xxx/v1/decisions/stream\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)" name=CDN-WAF type=appsec time="2025-12-03T08:03:34Z" level=error msg="Unauthorized request from '127.0.0.1:38654' (real IP = xx.xxx.xxx) invalid API key" name=CDN-WAF type=appsec ...

Posting multiple URLs in a forum triggers an anomaly

Hello, I'm not sure how to tell crowdsec that something is normal behaviour. I have a forum on which I set up crowdsec to avoid crawlers & such, and now that I have it set up, when I try to post a topic / post, I'll get a 403 whenever I put multiple URLs in the post : ```...

quick question- which is correct env variable for CTI - CROWDSEC_CTI_API_KEY or CTI_API_KEY

Error log ``` root@localhost:~# docker exec crowdsec cscli notifications test discord level=info msg="Crowdsec CTI helper enabled"...

Accessing my VPS outside using my phone

Hello, how to avoid being blocked by Crowdsec? I was away from home and accessing my VPS, but it seems like my carrier IP was blocked. It happened twice, how to avoid it happening again. There are times when I need to access my VPS outside of my home. Thank you!

Crowdsec in docker with traefik v3 problem

Hello, I've got crowdsec in docker set up with traefik using the bouncer, but I don't think it's working. Everything in the logs seems ok, but to test it I added my local IP to the decisions list and tried to access my nginx-test container I have running, but it still lets me get through to the nginx test page and doesn't block my local IP. I would like someone to help me, it would be greatly appreciated, thanks

Appsec causes an OOM on nginx

Hello, I installed appsec on nginx last week. Since then, I have had some issues with RAM usage on the nginx server; it seems to bypass the proxy proxy_request_buffering. On modsecurity we have some Request limit to prevent this....

Home assistant triggers crowdsecurity/http-crawl-non_statics

Hello, I try to write a whitelist to prevent my home assistant to raise crowdsecurity/http-crawl-non_statics After log analysis it is triggered by multiple calls to /api/* when you go to Media tab of home-assistant....

Whitelist Country

Hi, I'm new to Crowdsec. I would like to let my Crowdsec pod whitelist requests from TW country, and here is my Helm chart overrides: https://pastebin.com/PaXiYk0S However, some IPs from TW are still getting blocked ```...

Correct way to upgrade CrowdSec on pfSense

Hi, all in the title. Got multiple bouncers and log processors on my infra and I see from the app dashboard that only the pfsense one isn't up-to-date (still on v1.7.0 while 1.7.3 is available). I can't find any doc that describes how to properly upgrade the package (IMO it should be described here https://docs.crowdsec.net/docs/getting_started/install_crowdsec_pfsense/ ) Are we supposed to uninstall-reinstall or is there an upgrade command? Got last pfsense version....

Window Block Decision Activated but Not Working

I am currently testing CrowdSec’s capabilities and have noticed that the blocking mechanism does not seem to be functioning as expected. Specifically, I attempted a brute-force attack on a Windows target. After running cscli.exe decisions list, the bouncer should have successfully banned the source IP. However, we are still able to initiate RDP sessions from the source to the Windows Server. Has anyone encountered this issue before? What steps can we take to diagnose and resolve it?...

Problems trying to add multiple zones to cloudflare-worker-bouncer

Greetings all! I am trying to set up multiple zones on the cloudflare-worker-bouncer.yaml (I am using it with docker) but if I add a 2nd zone (I have one working at the moment), I have this showing up: time="2025-11-24T23:59:28Z" level=fatal msg="unable to parse config: turnstile must be enabled for zone zone_id to support captcha action"...

custom scenario for nginx deny directive

I have configured an nginx log acquisition and I would like to add a custom scenario that bans the client IP if it was blocked by the nginx deny directive. This kind of log seems to have request identifier *16 and error message access forbidden by rule. Can someone help me build a scenario yaml? Thank you so much

API Key

Hello, Just wanted to ask, I set up Crowdsec in OPNsense and signed up and got a key. Yesterday, I also set up Crowdsec on my Dell server (Debian 12). Can I use the same key or do I need to generate a new one for that machine? Also, I noticed there are several files that have a key, so which do I need to add the key to? Is it the /etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml file? And finally, I don't see anywhere in the dashboard to create a second key....

Fake User Agents

Hi, is there any way to detect and block (bounce) fake User Agents? By "fake" I mean impossible combinations of browser name/engine/version, OS name/version (e.g. "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/3.1)"). Thanks.

Need help installing CrowdSec

I have installed crowdsec as per the doc on an Ubuntu 24 machine: curl -s https://install.crowdsec.net | sudo sh ``` apt list crowdsec Listing... Done...

Custom coraza/crs rules per host/ingress

Hello all! I'm using Crowdsec with traefik in kubernetes. Very simply, is there a way to apply different appsec/coraza rules per ingress? For instance in my current setup, if I hit test.example.com it routes through traefik, which uses a traefik middleware plugin to pass the traffic to coraza. That coraza middleware contains custom rules for that specific ingress. It looks like this:...

Console not receiving updates from one enrolled machine

One of my agents has stopped updating in the CrowdSec Console for just over 36 hours. The machine was previously working and is still shown as enrolled and healthy, but the console isn’t receiving updates. Current state: - Agent + bouncer running fine...

Wazuh integration crowdsec

I am having some trouble creating alert rules for CrowdSec in Wazuh. The logs come correctly to wazuh-manager. Please, I need some help. Thanks in advance.

Need help to set up ssh protection with Crowdsec inside a docker container, on a linux Debian 13 OS

Hello, I spent several hours with the Crowdsec ChatGPT in order to give the Crowdsec container (docker) a ssh.log file, where my debian 13 os is journald / systemd. ChatGPT made me do a conversion of the journald logs into a file log /var/log/crowdsec-journald/ssh.log but the file format isn't syslog-formatted as it said. Here is the link to the full conversation : https://chatgpt.com/share/691ba5cd-bd5c-8009-b68e-b0b4babc5ea4...