CrowdSec: IDS/IPS/WAF Community
QueryExpiredDecisionsWithFilters : context canceled

Setup: k8s 1.28, 3 Traefik pods, Traefik bouncer v1.4.5, CrowdSec v1.7.0 with SQLite (current size: 146M). This setup was working great for 6 days and now I get the following in the LAPI logs, and the bouncer stops working:

```
time="2025-11-17T14:32:09Z" level=warning msg="QueryExpiredDecisionsWithFilters : context canceled"
time="2025-11-17T14:32:09Z" level=error msg="unable to query expired decision for 'traefikBouncer@10.42.11.59' : expired decisions: unable to query"
time="2025-11-17T14:33:19Z" level=warning msg="QueryExpiredDecisionsSinceWithFilters : context canceled"
```
...

credential stuffing recommendations

What collections would be recommended to protect against credential stuffing? Thanks in advance....

Haproxy SPOA bouncer logging remediation state in haproxy log

Hi, I am wondering about the best practice for knowing when a request gets bounced. In the old bouncer using Lua, it called a service which "overrode" the backend in the HAProxy log. I used to check the HAProxy log to investigate whether a request got bounced. With the new SPOA bouncer I do not have this information anymore; the backend is "NOSRV". We can display the variable by adding `%[var(txn.crowdsec.remediation)]` to the log-format. Is there another way to get the remediation per request? Maybe I am a dinosaur for needing this information in the HAProxy log? ^^...

How can i block my service from outside access?

Hello, I am currently hosting CrowdSec on Docker and using Traefik as a reverse proxy with a bouncer. Setup is successful so far, however: I have a service that I want available over Traefik (which it is), but I would not want it to be accessible from the outside. So how do I block access to that service from outside?...

Getting many notifications for same ip

I am getting hundreds (!) of notifications for an already blocked IP on my OPNsense bouncer. As I see it, the logic is a loop here, as in: the firewall blocks the IP because it is in the CrowdSec block-list, writes that to the logs, triggering the blocking of said IP again. Is there a proper way to fix this?

OPNSense "No bouncer metrics found"

I am trying to get metrics to show on the web app (app.crowdsec.net). Both my bouncers should be able to send them (supported and correct versions). I have a CrowdSec container acting as LAPI, an OPNsense bouncer (and an Nginx bouncer that is off-topic for this). In OPNsense, when I run `cscli metrics show bouncers`, it just says "no bouncer metrics found". The version is v0.0.32_7-freebsd-910a36b2 and the bouncer itself is working perfectly fine, blocking traffic and showing up in the LAPI...

False positives with http-probing & http-crawl-non_statics in Jellyfin

Hello, I have a few friends that are being banned from my Jellyfin instance because of http probing or http-crawl-non_statics. I'm using Pangolin so Crowdsec is fed traefik logs. Here are a few occurrences: https://pastebin.com/Y1ZvSTA6...

What to do in this scenario..?

I run CrowdSec inside OPNsense in my homelab and it's been working great as far as I can tell, with occasional frequent bursts of bans on several IPs over the last few months. This week I'm travelling to Dubai and am experiencing multiple bans occurring almost every minute from 79.124.49.146, which is worrying me. How do I find out what is triggering this..? I have a few homelab services I use like Immich and Dawarich which "phone home" via Cloudflare tunnels from my phone/laptop, and I also run Tailscale... could it be them..?...

Crowdsec helm chart w/o PVC: what is lapiSharedKey ?

Having a dynamic provisioner issue, I'm re-deploying CrowdSec without a PVC. I noticed that CrowdSec got upgraded from 1.6 to 1.7. Now I have this error when the LAPI pod is starting:
Error: couldn't find key lapiSharedKey in Secret crowdsec/crowdsec-lapi-secrets
Indeed that key is not present in that secret (there's csLapiSecret and registrationToken)...

too many open files error

I'm running CrowdSec on Docker. When I start the CrowdSec container, it throws the following error:

```
level=fatal msg="crowdsec init: while loading acquisition config: while configuring datasource of type file from /etc/crowdsec/acquis.yaml (position 0): could not create fsnotify watcher: too many open files"
```

`find /var/log -type f | wc -l` returns 88. My acquis.yaml file is like this:...

How to size buckets for slow ssh invalid user attempts

I have bots trying to slowly SSH as different invalid users. I'd like to get these banned. I have an out-of-the-box install with /etc/crowdsec/scenarios/ssh-slow-bf.yaml having a leaky bucket set to:

```yaml
leakspeed: 60s
capacity: 10
blackhole: 1m
```
...

Best practice for syncing collections/parsers/scenarios in multi-server setup?

We have a central LAPI and LPs/bouncers on multiple endpoints (Proxmox, pfSense, Traefik, Ubuntu). Is there a way we can centrally manage the configuration of custom collections/parsers/scenarios across all the LPs?

Bouncer isn't Bouncing

My bouncer isn't blocking me even when I manually ban myself. CrowdSec is able to read the logs correctly and can see that I'm blocked; it's just not preventing me from accessing the site. I'm using https://github.com/ZoeyVid/NPMplus...

crowdsec doesn't seem to read my npm plus logs

Hi (to whoever reads this and hopefully guides me)! Background: I have an Unraid server where I use NPMplus as a reverse proxy and CrowdSec to parse the NPMplus logs. I seem to have configured everything correctly with NPMplus; I can access my service via the web. I think I have configured CrowdSec correctly: it can access my NPMplus logs and I have a parser and bouncer installed as well. The problem/issue: when I run `cscli metrics show acquisition` in the CrowdSec container it shows nothing, which makes me think that it isn't actually parsing any info. I'm guessing I can wait and see if CrowdSec is making any decisions by itself, but this seems like a pretty obvious error?...

is it possible to control the scope of Allowlists so that a custom scenario can bypass Allowlist?

Background: I am using an Allowlist for some of my internal IP ranges. However, I now have a custom scenario that I would like to trigger alerts for all internal IPs. Effectively, I have one scenario where I want all Allowlists to be ignored. I can see that when my custom scenario triggers it is logged on the endpoint and sent to the LAPI, but the LAPI drops the alert with a corresponding log message "alert source <ip> is allowlisted by <cidr> from my_allowlist (...), skipping". What I want to happen is that alerts for this particular scenario are not dropped. This will then allow me to trigger a notification via a custom profile. What is the best way to achieve this?...

Kubernetes Bouncer Options

Which ingress controllers work with CrowdSec? I see bouncers for ingress-nginx and Traefik, but I'm hoping to run HAProxy. I see the bouncer instructions for it, but not for running it with an HAProxy ingress controller. If anyone knows where to find instructions on how to get it set up, it would be appreciated!

Cloudflare: Worker Bouncer not creating Worker Routes or Workers KV

Hello everyone, I'm running into a persistent issue while setting up the CrowdSec Cloudflare Worker Bouncer (Remediation Component) using Docker and I'd appreciate any insights you might have! I've configured the bouncer via a YAML file and explicitly ran the setup command. However, the necessary Worker Routes and Workers KV are not being created in my Cloudflare Zone....

How can I upload my own list of IP addresses in CIDR format to CrowdSec?

How can I upload my own list of IP addresses in CIDR format to CrowdSec? ...

```
221.128.128.0/17
221.227.188.0/22
```
...

False positive for scenario

I'm seeing a lot of alerts for the http-probing scenario for a specific endpoint that is behaving as expected (e.g., this isn't malicious traffic). I could disable this scenario, but I wonder if there's any other way to handle this, like allowlisting based on URL or something else.

detect flooding

Hey everyone! I need help designing a scenario for a very specific use case and I'm not sure if it's even possible with CrowdSec's bucket types. What I want to detect:

- Ban IPs that send 17+ POST requests within 1 second (burst attack)
- Allow IPs that spread their requests over longer periods...