CrowdSec: IDS/IPS/WAF Community

How to test that setup will block attack

Hi all, I had some alerts and decisions, not many but a few a day. I had an old Mikrotik router so I had only the default blocklist and one CVE with a few IPs, yet that was too much for the router to process (almost all the time it was at 100% CPU). I bought a new Mikrotik router. Now it takes a few seconds (CPU 25%) in peaks but works really well. Now I have not had any decision or alert for more than a day. Is it possible to test that my setup is working correctly? I know that the Mikrotik is working OK, because there are blocked connections coming from the address list which is made by the Mikrotik bouncer. What I do not understand is why I have no alert and no decision for more than a day 😦 Am I lucky that bad ppl do not try my IP?...

Enable context using helm

In the documentation it says to check and enable using
`cscli console enable context`
And check status with...

Should Prometheus Work in Multi-Server Setup?

Really quick question that I couldn't find the answer to anywhere. I have a multi-server setup pushing all logs to my main machine/security engine. 3-4 machines are pushing into the Sec Engine. On the main sec engine, Prometheus is working without issue in the default config.yml. On a secondary, but important machine, I have Prometheus set up the same as default but it isn't working. I get a scrape config timeout from Prometheus and an error in docker logs that it couldn't bind to the address. I've exposed the 6060 port in my docker compose file. My hunch is that Prometheus metrics are dependent on the LAPI being up and running. Can anyone confirm or deny if this is the case? Should metrics be available on any machine regardless of the rest of the configuration? ...

Console Signup KO

Hi, first post here so please excuse me if it's not the right place to ask this. I'm trying to sign up to the web console (https://app.crowdsec.net/signup) but I keep getting a 500 error. Is there a planned maintenance on this page? Thanks in advance for your help....

Does whitelisting still lead to ban requests?

I have whitelisted the tailscale IP network range (in /config/parsers/s02-enrich/tailscale.yaml): ``` whitelist: cidr: - "100.64.0.0/10"...

Blocklists and decisions streaming

Question: are the blocklists or decisions added somewhat merged into bigger CIDR ranges? The use case is to lower the amount of addresses added to the device; with over 20k addresses it seems like that could be beneficial. I was thinking about using something like https://github.com/seancfoley/ipaddress-go but maybe you know something better? (Also I think there should be a separate #dev channel for such questions, I guess?)...

High CPU load since restart haproxy bouncers

Hi, I have high CPU load since I restarted host with haproxy bouncers. I use a SQLITE database. The pprof result says slow request sqlite. I tried to migrate to a mariadb database, and it doesn't solve the CPU load. I have sometimes failed request with http code 500 ``` time="2025-07-07T12:04:58+02:00" level=info msg="10.0.3.240 - [Mon, 07 Jul 2025 12:04:58 CEST] "GET /v1/decisions/stream?startup=true HTTP/1.1 500 2m0.001530468s "crowdsec-haproxy-bouncer/v1.0.0" ""...

Last fetched signals (on web console)

Hi all, how frequently does the Security Engine fetch security signals from CAPI? I see on the web portal that my engine fetched security signals 2025-07-06 21:03:57. Is there any configuration where I can set up the frequency? Or were there no new signals since that time?

Minecraft Server Collections?

Hey all! I'm starting my multi-server setup. Do any of you have a collection or log parser for Minecraft servers? I wasn't able to find any on the Hub website. Thanks!

Blocklist unsubscribe

Hi all, I unsubscribed from a blocklist 15 hours ago, but my bouncer is still downloading that blocklist. Is there any way to force it to stop using that blocklist?...

New issue: $LAPI_HOST resolves to the wrong service name

``` acheong@fishy ~/P/k/ingress (master) [1]> kubectl exec -it -n crowdsec pods/crowdsec-agent-k5nxj --container wait-for-lapi-and-register -- sh / # ps aux PID USER TIME COMMAND 1 root 0:00 sh -c until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/...

CrowdSec Windows Exchange

Hi folks. I would like to secure my Exchange Server with Crowdsec. Crowdsec is already installed and configured. I have a Sophos Firewall in front of my Exchange Server which acts as a WAF. When I tested CrowdSec with a few failed logins, it blocked the IP from my Sophos (my internal IP from the gateway - 10.102.225.1) instead of the public IP from the “attacker” (94.237.100.231)....

how to handle redeployment?

I get the following message, upon redeploying my docker swarm (with a single node). level=warning msg="Instance already enrolled. You can use '--overwrite' to force enroll" Is it recommended to overwrite?...

Crowdsec-haproxy-bouncer

Hello, the haproxy bouncer package is not available in the repos, I installed it manually but I can't connect to my remote LAPI, and there is no systemd to start it, is that normal?

JSON logging

Hi, do the agents / local API support JSON log output? I could not find a parameter in the Linux default configuration related to log format. Thanks!...

Parser failure

Hello! I am currently trying to use crowdsec on my Apache Guacamole server. I used the corvese/apache-guacamole-logs collection, and edited the pattern of the parser. Sadly, I always get a parser failure, but my pattern is supposed to work according to https://grokdebugger.com/ ...

Postoverflow Whitelist Ignored

Hi there! We have a custom postoverflow whitelist solution, but lately a customer has been complaining that their API bot is being banned despite being on our whitelist. I've been debugging the issue for hours, but can't find why this happens. We have the same whitelist system running on multiple servers, and it works flawlessly on our SMTP servers for example. ...

nginx: [error] [lua] crowdsec.lua:130: init(): APPSEC is enabled on 'crowdsec:7422'

Is this an error saying it can't connect to my appsec instance? Logs show that it is running and listening on that port. I am using the nginx bouncer mod for SWAG.

Mikrotik, 2x Caddy (internal only/ internal + public)

Hi all. I have a small homelab where I have Proxmox and a few services: NetBird, Keycloak, RustDesk, Pihole, 2x Caddy (one as an internal proxy for services that I do not want to be on the public internet and a second for publicly available services), ... As the main router I have a Mikrotik cloud switch CRS125. What is the optimal CrowdSec setup in this env? Only router, or router + Caddy (external), or router + 2 Caddy, or only proxy servers? Where to parse logs and where to block?...

CrowdSec Runtime Error: High CPU Load and Memory Errors Causing Restarts

Hi team, I’m encountering severe performance and stability issues when running CrowdSec with the AppSec component under high traffic conditions. Here are the details: ⸻...