CrowdSec: IDS/IPS/WAF Community


New to crowdsec: next steps

Hi! I'm new to CrowdSec and I don't know what to do after the installation to start blocking IPs, lol. Can someone help me?...

A few questions about metrics

Hi there! A while ago we set up metrics collection using Prometheus and visualization using Grafana. We set the prometheus level to "full", and we've only just noticed - using a network monitoring tool - that some of our machines (the ones running ispconfig, and configured to read each and every log of all the websites) are basically constantly sending 5-10Mbps of traffic to our Prometheus server. Because we run well over a hundred machines, this means that the gigabit connection on our monitoring server gets overwhelmed. For example, on a machine that's been running for a while, the metrics are ~300MB....

postoverflows and 1.6.10

Have been trying to figure out why my custom postoverflow doesn't work on 1.6.10. It shows in the log as being loaded (as it does in 1.6.9) but doesn't have any effect or debug output. I've noticed that the 1.6.10 container by default includes CDN and SEO whitelist nodes but don't see how those could interfere....

problem enroll

Hello, I can't enroll with this command: "sudo cscli console enroll -e context cljr4jq2f0000la0877idaaaa". For example, the YAML configuration files changed, and the cscli command too. I have this feedback: "alexandre@ubuntu:~$ sudo cscli console enroll -e context cljr4jq2f0000la0877idaaaa FATA[0000] unknown shorthand flag: 'e' in -e
alexandre@ubuntu:~$ sudo cscli console enroll FATA[19-07-2025 18:53:23] accepts 1 arg(s), received 0 ...

Transfering enterprise plan from personal to organization

Hi, I did subscribe to an enterprise plan (personal use / one person), then I did create an organization (personal use / one person). So now I'd like to transfer my enterprise plan to the organization plan, as this is the same "one person" behind it. I did find how to transfer the security engine but not the plan...

Logs Not Being Parsed

Hi - I'm running CrowdSec on my CloudPanel VPS (Ubuntu 24.04 LTS) and noticed that none of my logs are being parsed, even though lines are being read. Screenshots are attached for reference. The CrowdSec engine and firewall bouncer are running fine. Following is the sample log format in /var/log/auth.log file: 2025-07-18T21:57:39.443985+05:00 MY-SERVER sudo: pam_unix(sudo:session): session opened for user root(uid=0) by USERNAME(uid=XXXX)...

Bouncers mixed up?

Hi all, I have 1 crowdsec LAPI, and 2 nginx (openresty) instances. However it seems like the names of the instances are getting mixed up... In the alerts, the last 700+ alerts were from nginx-2, when I look at the remediation components; it says nginx-2 has been inactive for 3 days (thus the alerts from today should be from nginx-1, no?...

NPMplus and Crowdsec as per the instructions posted by Zoey on the Crowdsec site

Hi, I am very much a newbie on this so if the question seems rather stupid, please do have patience with me. I have installed NPMplus and Crowdsec as per the instructions posted by Zoey on the Crowdsec site and it has all worked well, is up and running. Only thing I don't see is how I connect with the Crowdsec Console as both NPMplus and Crowdsec are in docker containers and I don't know where to issue the cscli command. Could anybody be of assistance on this. Thanks in advance. Paul

Discord Notification Not Send

Anyone faced this issue before? Please help. time="2025-07-18T00:38:23+08:00" level=info msg="cti call for 178.128.33.253" type=crowdsec-cti time="2025-07-18T00:38:24+08:00" level=debug msg="request for 178.128.33.253 took 777.407736ms" type=crowdsec-cti time="2025-07-18T00:38:24+08:00" level=info msg="received signal for discord config" @module=http-plugin...

Crowdsec makes my server crash

I've set up Crowdsec and it works well until it randomly starts making my server crash. When it does, I need to reboot it, then simply not launch Crowdsec and it works. The moment I start the crowdsec container it crashes again. I've checked the logs of the container and couldn't find anything in them, maybe a bad config on my end ?...

GPG key error on Debian 12, 404 no key found. Trying to update

GPG key error on Debian 12, 404 no key found. Trying to update

How to temporarily disable for a while?

I want to disable CrowdSec for a while to verify if other firewall setup is working correctly. Is it just as simple as executing this command? systemctl stop crowdsec...

is there a way to disable emails for incremental bans.

Hi! I’m using OPNsense and Proxmox with CrowdSec (Proxmox being the one hosting the LAPI) and have the firewallservices/pf-scan-multi_ports scenario active. The issue is that a persistent IP keeps scanning, and each incremental ban triggers an email. Is there a way to suppress emails for incremental bans, so I only get notified the first time or if it got unbanned and then banned again? Any help would be greatly appreciated!...

Pfsense Blocked IPs Disappear from Alias/Table After a While

I'm currently using pfSense version 2.7.2 and have installed CrowdSec version 1.6.9. The integration is mostly working, I’ve successfully customized a scenario and can see IPs being banned using cscli decisions list. These IPs are reflected in the corresponding tables. (pfctl -t crowdsec6_blacklists -T show; pfctl -t crowdsec_blacklists -T show) However, after some time, the IPs disappear from the pfSense tables, even though I didn’t manually unblock them. There are no relevant error logs, and CrowdSec appears to continue running without issues. By running cscli decisions list I can see the banned IPs, so I do not know why the tables are empty. Maybe a relevant log could be...

Traefik bouncer not connecting to LAPI

Hello everyone, I'm facing a very persistent issue with the Traefik bouncer in a Docker Compose setup and I'm running out of ideas after extensive debugging. For context, this whole setup is running on a mini-PC with Debian. ...

cscli allows decisions on CIDR ranges, but nftables sets do not have the `interval` flag

TLDR: nftables sets created/managed by cs-firewall-bouncer are missing the interval flag, causing incorrect elements to be added for subnets. Today I manually added a decision to ban an IPv6 subnet, which cscli reported as successful, but then I noticed that traffic from IPs in the subnet was still getting past the crowdsec6 table's chains. I dug deeper and realized that it's because the banned subnet wasn't added correctly to the crowdsec6-blacklists-cscli set; it appears to have been added as a single IP. ```...

decisions list strange result

I recently noticed my firewall bouncer stopped adding ip flagged for ssh attack to the iptable. I had set it up that way : ``` log_mode: stdout # file or stdout log_level: info...

crowdsec-nginx-bouncer memory leak?

On a debian bookworm system with nginx (version 1.22.1-9+deb12u2) I try to install and run crowdsec-nginx-bouncer. As soon as the crowdsec-nginx-bouncer is configured, nginx gets regularly killed by oom. The crowdsec lapi is running on a different machine. As an example a "nginx -t" only takes 2 seconds to complete without crowdsec-nginx-bouncer and with installed/configured/enabled crowdsec-nginx-bouncer the command "nginx -t" takes at least 1 minute....

How to test that setup will block attack

Hi all, I had some alerts and decisions, not much but a few a day. I had an old Mikrotik router so I had only the default blocklist and one CVE with a few IPs, yet that was too much for the router to process (almost all the time it was at 100% CPU). I bought a new Mikrotik router. Now it takes a few sec (CPU 25%) in peaks but works really well. Now I have not had any decision or alert for more than a day. Is it possible to test that my setup is working correctly? I know that the Mikrotik is working OK, because there are blocked connections which are coming from the address list which is made by the Mikrotik bouncer. What I do not understand is why I have no alert and no decision for more than a day 😦 Am I lucky that bad ppl do not try my IP?...

Enable context using helm

In the documentation it says to check and enable using
cscli console enable context
And check status with...
CrowdSec Community - Answer Overflow