CrowdSec: IDS/IPS/WAF Community


CrowdSec blocking googlebot SEO crawler

Hello, I made a topic on the crowdsec forum; for a faster answer I'm posting here too. I apologize. I noticed that Crowdsec is repeatedly blocking legitimate traffic from Googlebot (from IP address 66.249.64.165), which is negatively affecting our SEO. This IP is confirmed to be part of Google’s crawler range. ...

Multi-SERVER - Problem with an agent with 2 IPs

Hello, I currently have a main server that receives alerts from the other servers, but I have a server that has 2 IPv4 addresses, but sometimes it types with its last IP address, so I get an error: bad user agent from: X.X.X.X Is there a solution to this problem?...

Handle PersistentVolume for multiple LAPI replicas in Kubernetes environment

Hello, I deployed Crowdsec on our Kubernetes cluster and I want it to be highly available if one lapi pod happens to fail. So in the helm values I set lapi.replicas=3, and lapi.strategy.type=RollingUpdate. But when 3 lapi pods are being created, one succeeds and the two others fail because they can't be attached to the same volume....

how to ban those

Hi, sorry, I'm a newbie with crowdsec. May I ask how to ban those inject?

Opnsense reporting only "Unknown Behavior" in console Remediation Metrics

I'm trying to understand why my cs-firewall bouncer on my opnsense is not reporting correctly to the console. When I look at the detail of "Unknown Behavior" I can see "Attacker's intent cannot be detected with your remediation component (bouncer) configuration." but I've found pretty much nothing in the docs regarding this kind of problem, I see a lot of prevented attacks but it looks like the classification or category data of why it's been blocked doesn't work. Does someone have any idea where I should look ? My bouncer config looks good as far as I can tell.. Thanks!...

Pocket-Id Scenario

Hey, I’d like to create a scenario for Pocket Id that would ban a user trying to access a resource that is forbidden. Problem is I see the logs are multi-line. ...

NGinx bouncer / appsec / no remediation

Hi, If I have a website behind Cloudflare and I'm using the crowdsec-cloudflare-worker bouncer, do I still need to use the NGINX bouncer? ...

Rate limits on firewall integrations?

Hey @CrowdSec ! We recently subscribed to an Enterprise plan and had some questions about API rate limits against the central dashboard. We have a scenario where we will be hosting 1 integration for Fortigate firewalls that all of our firewalls in the field (300+) will use as active Threat Feeds. I also had to break up the feeds into 6 separate files to limit the number of entries in each list using the URL filtering your docs provided. ALSO we have 2 WAN connections at every site so it's possible that the amount of calls will be DOUBLED. Is there any problem with this?...

how do I use the BOUNCER_KEY_<name>=<key> ?

As outlined in the docu:
With TLS authentication: Bouncers are automatically registered and don't need an API key. The bouncers' names are derived from the IP address from which they connect.
So my question, do I still need to define it in docker-compose somewhere?...

Does my Crowdsec block correctly?

Hello so I am really sorry but I am quite new to this and did read a lot through the documentation, but just based on the provided documentation I am not quite sure yet if I did set everything up correctly now and if Crowdsec is correctly banning untrusted IPs. I previously used Zoraxy, but because of Crowdsec I just switched to plain nginx now (I know NGINX Proxy Manager exists, but I wanted to use NGINX) ...

Migrating LAPI from Docker to Opnsense

I am wanting to migrate my LAPI from Unraid running as a docker to my Opnsense box. Currently I have the LAPI running on docker and it is connected to the NPMPlus nginx container with its bouncer and also linked to my opnsense firewall as a bouncer. I also registered the opnsense crowdsec instance as a machine on the docker lapi. The issue is, whenever the unraid server is down I cannot manage my blocklists/decisions for obvious reasons. I have not attempted the migration yet as I want to make sure I have the right idea before blowing everything up. ...

the list/decisions for ssh:bruteforce are not available on a standard query

Using a Grafana Dashboard I noticed this significant rise in the list size for ssh:bruteforce to 15665, but I cannot find the matching count of IPs from the API ``` 2 'scenario': 'crowdsecurity/CVE-2017-9841', 2 'scenario': 'crowdsecurity/http-admin-interface-probing', 20 'scenario': 'crowdsecurity/http-bad-user-agent',...

Whitelisting specific IPs based on a file

Hi! We're having some trouble with a custom whitelist setup. Basically this is what we have: ```name: <company-name>/custom-whitelist...

Service machine won't connect to LAPI

Hi all. Here is the setup: Standalone Crowdsec server: This server is the LAPI which should take in logs from services, and take decisions from the logs. NGINX Reverse Proxy: Has bouncer which is connected successfully to the LAPI, but when I run the crowdsec service on this machine and point it to the LAPI, I get this error when it tries to boot the crowdsec service. The NGINX reverse proxy and the crowdsec services run in docker. It's the NPMPlus package, that has crowdsec built in. ...

Notification - traefik router name

Hello, does anyone know how I can extract the value of the alerts key "traefik_router_name" and put it in the notification message? My current settings are like this:...

CrowdSec not reacting to .git scans

Hello, I have an IP address that's hitting my .git, but the problem is that CrowdSec isn't detecting it, even though I believe I have the correct parsers and scenario apache2-logs/http-sensitive-files. Do you have any idea why? log :
213.209.143.144 - - [21/Apr/2025:09:00:47 +0200] "GET /.git/objects/*/* HTTP/1.1" 404 48685 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
213.209.143.144 - - [21/Apr/2025:09:00:47 +0200] "GET /.git/objects/*/* HTTP/1.1" 404 48685 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
...

No decisions are made when testing with nikto on Kubernetes

I know it should be because at one point it worked but I had other issues with it not getting the correct X-Forward-IP. That works now but decisions are no longer being made. Working with Kubernetes: ```yml apiVersion: traefik.io/v1alpha1...

Services with internal subdomain get blocked with Traefik bouncer

Hi, I need some guidance. I have setup Traefik in Docker with services reachable with an internal subdomain, for example heimdall.domain.com. Heimdall is running in a Proxmox LXC with IP address 192.168.30.30. I have setup the fbonalair/traefik-crowdsec-bouncer in Docker....

cloudflare bouncer

I've installed the cloudflare bouncer, however the container immediately dies. I am not sure what you need? I don't know where to find logs

csLapiSecret and registrationToken injection from k8s secret impossible

Hello, I deployed Crowdsec using helm chart in 0.18.1 version, and I want to make my agents register to my LAPI with the csLapiSecret and the registrationToken. Both fields are present in the helm values. In order not to hardcode them in values, I wanted to inject the content of a k8s secret in the LAPI container environment variables but it doesn't work....