CrowdSec


CrowdSec: IDS/IPS/WAF Community

Opnsense Crowdsec email notifications

Hi, I'm using crowdsec latest with opnsense latest, all is working well, and I have notifications to email, also working well, only that when I receive a notification for a ban IP due to portscan for example, I don't get which WAN interface that ban was on. I have 4 WAN interfaces and I want to know on which interface / WAN IP that was detected on / banned on. Thanks...

Bouncer decision source across unreliable network

I am running crowdsec with a topology very similar to the multi-server setup described in the docs. It works great! I have recently added a new machine to my ecosystem that is a VPS VM, outside my local network. It has a log processor reporting back to my LAPI inside my local network and a firewall bouncer getting decisions from that LAPI. It is connected via Wireguard and works fine across this overlay, currently. However, I've run into an issue with this topology. My local network lost power and all my machines had to shut down, including the LAPI and, of course, the Wireguard peer routing to the VPS. My bouncer was left without an LAPI to query....

Custom scenario and local RegexpInFile data

Hi, based on http-bad-user-agent, I've created a local/http-bad-user-agent ``` type: trigger format: 2.0...

Hub cache or other solution for "no outgoing internet access" server

I am planning on using Crowdsec on some servers that are not able to fetch data from the internet. What are my options if I still want to keep the collections, parsers, scenarios, ... up to date? AFAIK there is no hub caching or similar in Crowdsec, so I was thinking about one-way syncing the hub dir from a server that is able to connect to the internet and regularly pulls the updates. I'm not a huge fan of these hacky solutions, so if anyone has a better idea, please help me out.

Remediation Component for Nginx Controller

Hi all, I installed Crowdsec on Kubernetes, now I am trying to install the component for nginx controller (https://doc.crowdsec.net/u/bouncers/ingress-nginx) but it seems that there is nothing as image: crowdsecurity/controller Failed to pull image "registry.k8s.io/crowdsecurity/controller:v1.13.2...

"crowdsec init: while initializing LAPIClient: authenticate watcher (docker1old): API error: missing

Hi, I am getting the following error when I try to start Crowdsec and have it connect to my LAPI. "crowdsec init: while initializing LAPIClient: authenticate watcher (docker1old): API error: missing: invalid character '\x1f' looking for beginning of value"...

How to prevent DDoS attacks

Hello, this morning we had an incident on one of our servers, a large DDoS attack. Their common point was that the user-agents corresponded to old UAs like Macintosh, Windows 95, etc. Also, there were suspicious dates like this one: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.7.20) Gecko/6496-09-22 17:26:38.382965 Firefox/3.6.7. I quickly created a scenario to block all old UAs; the scenario worked and there were alerts/decisions everywhere, it was impressive. But the problem is that I felt CrowdSe...

duration_expr not working in profiles.yaml

Hello, I just installed crowdsec with apt and I want to enable increasing durations for ban decisions. In /etc/crowdsec/profiles.yaml, I tried uncommenting the included duration_expr string but it causes crowdsec to fail to start with this error ...

cscli decisions list -a and -i flag not working at the same time

Hi! Just a minor inconvenience, but we've found that when searching for IPs with the --ip flag, we cannot use -a at the same time. The IP search just gets ignored, and all decisions are listed. Is this by design? Of course we can get around it using grep, but it'd be much faster to filter in the cscli. As far as I've tested, it works flawlessly with cscli alerts list though....

log acquisition

With the recent addition of https://docs.crowdsec.net/docs/log_processor/data_sources/docker/#swarm I wondered what would be the recommended way to acquire logs from traefik and bouncer: https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin . Questions: - Should I use bind mounts or use the new API to read logs directly from the Docker Data Source. - What are the tradeoffs? (pros/cons)...

probing or probbing ?

Hello, I’m French and not very good at English, but isn’t there a mistake in this scenario?

nginx lua bouncer crashes if it cannot reach out to LAPI even momentarily

This is not desirable especially when a remote LAPI reachable over https://crowdsec.local.example.com is involved that might go down momentarily while tinkering with proxy settings etc. I submitted a pull request - https://github.com/crowdsecurity/cs-nginx-bouncer/pull/94 that I've been testing in my setup that should mitigate this issue

question on issue reading logs from bunkerweb

Hi, currently we configured bunkerweb with crowdsec, and it seems to be working when we manually add the IP address in the crowdsec LAPI, but there seems to be an issue reading the logs. Not sure what the issue would be in the parsing. image: tag: "v1.6.11"...

Gotify shows me the ban, but crowdsec dashboard not

Hey community, I got a notification from gotify, crowdsec successfully bans 2 IPs, but I don't see it on my dashboard. At /decisions I don't see the banned IPs. Why?...

Get alerts linked to a fqdn

Hi everyone, I use Crowdsec on a NginX reverse proxy hosting around 2000 vhosts, and it works like a charm, thank you! The question I often get from customers is "my website blahblah.com is not online", with no IP address. To track false positives, I'm looking for a way to get Crowdsec's decisions related to this blahblah.com website. If there is only one IP I'm sure this is the customer's IP, otherwise I'm often able to tell which IP is the right one with the AS number. ...

Crowdsec FW bouncer with nftables configured but I think it's not working

Hello everyone, I have a caddy + Coraza + Crowdsec with docker compose working fine and reporting to the console. My OS is Raspbian, which is based on Debian 12 (bookworm)...

Newcomer's guide feedback

Hello! I'm looking at this thru my eyes a few months back, when I vaguely knew what Traefik is and before I had Crowdsec set up to help give feedback. First off, thank you for making this guide! Things like this are always super helpful to help newbies (like myself) learn what the heck is going on! For context: I've got some websites listed on local k3s, exposed by cloudflare tunnels. Now, they're accessed via traefik with a crowdsec bouncer....

Use of nginx variables with AppSec

Hello, do you have any practical examples on how to utilize these? https://docs.crowdsec.net/u/bouncers/openresty#nginx-variables I tried setting, for example, within a specific location in my openresty config. But it does not disable appsec (still getting banned). Maybe I have gotten this wrong? set $disable_appsec 1...

Why is there no decision to this appsec alert

Shouldn't there be a decision / remediation for this alert? ``` cscli alert inspect 6844 ################################################################################################...

Appsec whitelist #2

I have a similar issue like @PerryCox007 from the latest post "AppSec whitelist? Ignoire vpatch-git-config when matching?" https://discord.com/channels/921520481163673640/1413237394647552121 I try to allow .env and .git files on my nextcloud instance. My ../crowdsec/acquis.d/appsec.yaml:...