CrowdSec

CrowdSec: IDS/IPS/WAF Community

Helm chart add allowlist

Is it possible to add IPs to an allowlist from the helm values? I saw that whitelist is deprecated and I've managed to create it using the documentation and cscli but I'm running without persistent storage so on pod deletion the config is lost...

Openresty bouncer disconnects from CrowdSec

Hi team, need support hence joining the channel here, need to admit this is my first post here... Our setup: We are using the drop-in replacement of Nginx Proxy Manager (lepresidente/nginxproxymanager) running in Docker of course, CrowdSec is also running in Docker. ...

Docker based log parser not connecting to Opnsense running LAPI

I am working on setting up crowdsec on my second network and I'm running into issues getting another machine connected to the LAPI running on opnsense. My opnsense crowdsec config can be seen in the attached picture as well as the firewall rule on the LAN interface that allows the docker machine (an unraidbox) to connect to port 8080 on the router. When running the sudo cscli lapi register -u http://192.168.20.1:8080 command on my crowdsec docker it says it's successful and saves the creds into local_api_credentials.yaml. I then stopped the docker and edit config.yaml in the docker server and disable the server api. On the Opnsense lapi I validate the machine. Now whenever trying to start the crowdsec docker it will not start successfully. It gets stuck in a loop of crashing over and over. This can be found in the logs: ...

About Hub collections

On https://app.crowdsec.net/hub/collections?filters=search%3Dwordpress we have two collections: cscli collections install crowdsecurity/wordpress cscli collections install crowdsecurity/appsec-wordpress...

cscli alerts list -i not showing all alerts

Maybe there is a misunderstanding on my side but it looks like cscli alerts list -i is not showing all alerts for the provided ip. `cscli alerts list │ ID │ value │ reason [...] ...

Ban immediately after scenario is triggered

I adapted one of the scenarios to immediately ban an IP when it requests files like .env or wp. It bans the IP after some time when the url was called but always with a delay. How can I ban immediately? I don't want the requests to reach my server. Is that even possible? Because crowdsec would have to read the log and by the time the log is written, it is probably too late. Additional info: When I call domain.tld/.env the alert and the decision are created right away but I can still browse around on the website and open other pages for half a minute until I get banned and when unbanning it always takes half a minute to be unbanned, if that is relevant. ``` name: http-sensitive-files-local...

LAPI whitelist

Hi, I have at least 60 servers running CrowdSec, all connected to a single LAPI. They are trying to ban an IP that I want to whitelist. ...

No target_host in AppsecAlerts

I am running CrowdSec on a nginx reverse-proxy. So AppSec is running for a lot of vhosts. However in most (all?) of the AppSec-alerts I don't get a target_host in the context. So I can't really tell which vhost was hit by the alert. ...

Viewing / deleting decisions with cscli

When I check cscli decisions list I see one decision, related to my earlier testing. If I cscli decisions delete <id> it says the decision was deleted, then when I check the list again there's a new decision in the list with a decremented ID number. Seems like there were ~19 from one run with nikto. Is it normal to not see all decisions in the list? Is there a way to view / delete them all?

Remove allow list for local addresses?

It looks like by default Crowdsec has an allowlist for RFC1918 / private address ranges. I'm testing primarily within a local network on 10.0/8. Is there a way to temporarily disable this allow list? I don't see it under 'cscli allowlist list'.

Is my caddy setup missing anything?

Hey again, When running cscli metrics I can't see any scenario metrics while on my other machines it works just fine. Is this a normal behavior? I know that caddy bouncer doesn't have metrics atm, is this why it's empty?...

Unmarshal JSON warnings

Just noticed these unmarshalJSON warnings/errors by executing docker logs -f crowdsec ``` time="2025-08-02T19:12:53+10:00" level=warning msg="failed to run filter : unexpected end of JSON input (1:1)\n | UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "traefik") in ["", nil]\n | ^" id=falling-water name=child-crowdsecurity/traefik-logs stage=s01-parse time="2025-08-02T19:12:53+10:00" level=error msg="UnmarshalJSON : invalid character 'u' looking for beginning of value" line="uestMethod":"POST","RequestPath":"/plugins/unassigned.devices.preclear/include/Preclear.php","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"apollo@file","ServiceAddr":"10.0.0.100:8088","ServiceName":"apollo@file","ServiceURL":"http://10.0.0.100:8088/\",\"StartLocal\":\"2025-08-02T19:12:53.673292055+10:00\",\"TLSCipher\":\"TLS_AES_128_GCM_SHA256\",\"TLSVersion\":\"1.3\",\"entryPointName\":\"https\",\"level\":\"info\",\"msg\":\"\",\"time\":\"2025-08-02T19:12:53+10:00\"}"...

2FA authentication

Hello, I have lost my 2FA authentication and cannot remember when I last logged in.

Inconsistencies between web, cscli, and ipset

Hi there! Lately we've been getting a lot of complaints from customers that Microsoft tools can't reach their pages (bingbot). We've been hacking away at it for days now, and we've found the root of the issue (or at least we think so, nonetheless it is a problem). These are the IP ranges used by bingbot: https://www.bing.com/toolbox/bingbot.json...

Console-connection gets stalled when container is restarted

I've noticed that if I restart the crowdsec-container, I get issues with the connection to the console. It doesn't update anymore and I need to re-enroll. I've mounted /var/lib/crowdsec/data to my host and I have no issues with crowdsec in general surviving restarts of the container. It's just the console that resets and loses the connection to the console. It doesn't tell me that it lost the connection when I run cscli console status but when I log into the console I see it's complaining and that I have no updates in the console where the LAPI has updates. From what I've read, the path above is the only one of interest to survive restarts, thus I'm unsure why this happens....

Cloudflare bans me when using Jellyseerr

So I have a crowdsec setup and it looks to work relatively fine, except there is this one app I use which is named Jellyseerr. Whenever I use this and browse for a while I get banned from my server. The reason is this: http-crawl-non_statics. A quick search and chatgpt gave me the reason has to do with those /requests, info and such domains that I change a lot. What is there to do so I can fix this issue?

Deploy my own scenario to my production system

I have successfully tested my own scenario in my testing environment. How can I deploy my scenario to my production system?...

How to manage two bouncers ?

Hello, I have a LAMP web server with two bouncers. The first one is crowdsec-firewall-bouncer, which blocks IP addresses at the system level, and the second one is the PHP bouncer, which handles the captcha part. Right now I have an issue: when someone gets banned, it's handled by the firewall bouncer. However, I would like it to be handled by the PHP bouncer instead, so that the user can see the ban.html page. How can I configure it so that all HTTP requests are processed by the PHP bouncer, while everything else is still handled by the firewall bouncer?...

ban duration not applying

Hi! I changed the default ban duration in profiles.yaml to 12h but it's still banning 4h. What am I missing? 😅
...

Tag issue in github that I didn't write for named counters in the firewall bouncer

Is there a way I can tag and triage the issue for named counters on nftables even though I was not the one that submitted the issue? https://github.com/crowdsecurity/cs-firewall-bouncer/issues/404...