CrowdSec


CrowdSec: IDS/IPS/WAF Community


the list/decisions for ssh:bruteforce are not available on a standard query

Using a Grafana dashboard, I noticed this significant rise in the list size for ssh:bruteforce to 15665, but I cannot find the matching count of IPs from the API
```
2 'scenario': 'crowdsecurity/CVE-2017-9841',
2 'scenario': 'crowdsecurity/http-admin-interface-probing',
20 'scenario': 'crowdsecurity/http-bad-user-agent',
```
...

Whitelisting specific IPs based on a file

Hi! We're having some trouble with a custom whitelist setup. Basically this is what we have:
```
name: <company-name>/custom-whitelist
```
...

Service machine won't connect to LAPI

Hi all. Here's the setup: Standalone Crowdsec server: This server is the LAPI which should take in logs from services, and take decisions from the logs. NGINX Reverse Proxy: Has bouncer which is connected successfully to the LAPI, but when I run the crowdsec service on this machine and point it to the LAPI, I get this error when it tries to boot the crowdsec service. The NGINX reverse proxy and the crowdsec services run in docker. It's the NPMPlus package, that has crowdsec built in. ...

Notification - traefik router name

Hello, does anyone know how I can extract the value of the alerts key "traefik_router_name" and put it in the notification message? My current settings are like this:...

CrowdSec not reacting to .git scans

Hello, I have an IP address that's hitting my .git, but the problem is that CrowdSec isn't detecting it, even though I believe I have the correct parsers and scenario apache2-logs/http-sensitive-files. Do you have any idea why? Log:
213.209.143.144 - - [21/Apr/2025:09:00:47 +0200] "GET /.git/objects/*/* HTTP/1.1" 404 48685 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
213.209.143.144 - - [21/Apr/2025:09:00:47 +0200] "GET /.git/objects/*/* HTTP/1.1" 404 48685 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
...

No decisions are made when testing with nikto on Kubernetes

I know it should be because at one point it worked but I had other issues with it not getting the correct X-Forward-IP. That works now but decisions are no longer being made. Working with Kubernetes:
```yml
apiVersion: traefik.io/v1alpha1
```
...

Services with internal subdomain get blocked with Traefik bouncer

Hi, I need some guidance. I have set up Traefik in Docker with services reachable with an internal subdomain, for example heimdall.domain.com. Heimdall is running in a Proxmox LXC with IP address 192.168.30.30. I have set up the fbonalair/traefik-crowdsec-bouncer in Docker....

cloudflare bouncer

I've installed the Cloudflare bouncer, however the container immediately dies. I am not sure what you need? I don't know where to find logs

csLapiSecret and registrationToken injection from k8s secret impossible

Hello, I deployed Crowdsec using helm chart in 0.18.1 version, and I want to make my agents register to my LAPI with the csLapiSecret and the registrationToken. Both fields are present in the helm values. In order not to hardcode them in values, I wanted to inject the content of a k8s secret in the LAPI container environment variables but it doesn't work....

Old decisions with long duration are eventually lost

My active decisions hover at around 100 and old decisions with long duration are removed before they're expired. OS: Ubuntu 24.04 LAPI Version: 1.6.8 Number of Agents: 9...

looking into appsec setup, looks like some cvs are disabled, should i enable / update and how

Ran this command and found there are a few disabled, and if I manually update it, it seems to stay disabled
```
docker exec crowdsec cscli appsec-rules list -a | grep disabled
crowdsecurity/vpatch-CVE-2021-43798 🚫 disabled 0.3
crowdsecurity/vpatch-CVE-2023-0600 🚫 disabled 0.1
```
...

crowdsec appsec - access User-Agent header within hooks

Hello! We use hooks to evaluate requests and add exceptions, currently the documentation is rather slim on this area. Is there any way to access "User-Agent" header for evaluation? Example how we use it to check a request uri (appsec config)...

detect ddos attack

Hello, is there a way to detect DDoS attacks with CrowdSec? I was attacked, but there was no detection on the CrowdSec side.

Delete decision doesn't work on the site

Hi, not sure if this works for anyone else but for me it doesn't work to delete decisions on the site. It just keeps spinning and the decision is not removed. The decisions can be removed with 'cscli decisions'. This works fine....

Safely update openresty?

Can we safely do sudo apt upgrade to update openresty without breaking the bouncer? I am getting this error and don't want to break anything...
```
You might want to run 'apt --fix-broken install' to correct these.
```
...

Attack via URL

We sometimes experience very CPU consuming attacks on the URL from websites. I counted around 20 attacks per second. I don't think that Crowdsec is able to combat these. Is this right? If I have to create a scenario I would trigger "%2F%2A%2A%2F" in the URL one time and then say goodbye to the attacking IP-Address. Is this a good way? Thanks!...

Docker

I’m looking at adding crowdsec to my home setup. I have traefik and Authentik using cloudflare tunnels. Can anyone point me / help me properly set up my crowdsec container?

trying to figure out why all notifications point to my WAN

As the title says, 99% of my blocks show my target_fqdn as my public WAN. I did a cscli explain on the most recent log and here are the results

Zero Prometheus metrics parser ok but parser is considered as ok

Hello, I created a custom parser (named compte-xx-fr) that succeeds in reading lines (I see it by running cscli metrics command). But on my Grafana dashboard, there is 0 peak for this custom parser, even though it is in the "parser ok" Grafana panel (as attached). ...

k8s traefik bouncer + cscli manual decision: disappear after some minutes

Hi, on my k8s Crowdsec setup with traefik bouncer: scenario decisions are correctly and automatically created. But when I ban manually by hand, I see them for some minutes in cscli decisions list then they disappear. For the record, I use that line to ban: cscli decisions add --ip 2a00:23c8:be88:ff00:c4a9:5800:90c3:10dd --type ban --duration 48h --reason Site/CommentsSpoof...